CAS Error - "Parameter [entityId] had multiple values"
21 views
Skip to first unread message
Samuel Harmon
Feb 20, 2026, 2:31:17 PM (6 days ago) Feb 20
to cas-...@apereo.org
We recently upgraded our CAS servers from 6.6.x to 7.3.3, and we're
seeing some unusual behavior that didn't happen before.
Our setup is two CAS nodes with tickets distributed via Hazelcast and
services stored in LDAP, and we do use Shibcas to allow us to use CAS
as the frontend for our Shibboleth IdPs. Shibcas is configured with
the default shibcas.entityIdLocation value (append), and it has been
set up like this for as long as we've used it.
Sometimes on our production servers since the upgrade (not all the
time, maybe 1 out of every 10 attempts, and it comes from all
potential entityIds), the user ends up getting a 500 error from CAS
upon referral from the IdPs:
2026-02-20 10:42:06,727 ERROR
[org.apereo.cas.web.support.filters.AbstractSecurityFilter] -
<jakarta.servlet.ServletException: This request is blocked: Parameter
[entityId] had multiple values
[[google.com/a/case.edu?service=https://login.case.edu/idp/Authn/External?conversation=e1s2,
google.com/a/case.edu]] but at most one value is allowable.
AbstractSecurityFilter.java:throwException:42
AbstractSecurityFilter.java:throwException:26
RequestParameterPolicyEnforcementFilter.java:doFilter:390
ApplicationFilterChain.java:doFilter:107
Has anyone else seen something like this before?
Thanks,
Sam
seeing some unusual behavior that didn't happen before.
Our setup is two CAS nodes with tickets distributed via Hazelcast and
services stored in LDAP, and we do use Shibcas to allow us to use CAS
as the frontend for our Shibboleth IdPs. Shibcas is configured with
the default shibcas.entityIdLocation value (append), and it has been
set up like this for as long as we've used it.
Sometimes on our production servers since the upgrade (not all the
time, maybe 1 out of every 10 attempts, and it comes from all
potential entityIds), the user ends up getting a 500 error from CAS
upon referral from the IdPs:
2026-02-20 10:42:06,727 ERROR
[org.apereo.cas.web.support.filters.AbstractSecurityFilter] -
<jakarta.servlet.ServletException: This request is blocked: Parameter
[entityId] had multiple values
[[google.com/a/case.edu?service=https://login.case.edu/idp/Authn/External?conversation=e1s2,
google.com/a/case.edu]] but at most one value is allowable.
AbstractSecurityFilter.java:throwException:42
AbstractSecurityFilter.java:throwException:26
RequestParameterPolicyEnforcementFilter.java:doFilter:390
ApplicationFilterChain.java:doFilter:107
Has anyone else seen something like this before?
Thanks,
Sam
Reply all
Reply to author
Forward
0 new messages