SAML2 IdP Error

[Jeremiah Garmatter]

Hello,

I run CAS 7.2.1 in a cluster with Hazelcast ticket registry and SAML2 support. I have a strange issue.

Most users can log in to SAML2 services without any trouble, however, some users receive an error every time they attempt a login.

See attachment for the error message.

The majority of users may see this message once in a blue moon. Revisiting the SP will correct the problem. This doesn't work for a very small group of my users though.

We've tried troubleshooting the web browser by clearing browser cache, disabling browser plugins, private browser window, different browsers, different devices, and I've asked them to try different networks but none of that corrected their issues.

I changed the SAML session storage to:

cas.authn.saml-idp.core.session-storage-type=TICKET_REGISTRY

but that didn't fix their issues either.

Has anyone seen this problem before or have any advice to fix it?

[Ray Bon]

Jeremiah,

Do you have a session-replication.cookie configured?

https://apereo.github.io/cas/7.2.x/authentication/Configuring-SAML2-Authentication.html under Signing & Encryption tab

Ray

---

From: 'Jeremiah Garmatter' via CAS Community <cas-...@apereo.org>
Sent: June 27, 2025 10:59
To: CAS Community <cas-...@apereo.org>
Subject: [cas-user] SAML2 IdP Error

 

--
- Website: https://apereo.github.io/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.
To view this discussion visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/1464f6f7-ac64-4962-b08f-8f0cb20c7443n%40apereo.org.

[Jeremiah Garmatter]

Hi Ray,

I do, I have both the signing and encryption key configs set. Like this:

cas.authn.saml-idp.core.session-replication.cookie.crypto.signing.key=<a signing key>

cas.authn.saml-idp.core.session-replication.cookie.crypto.encryption.key=<an encryption key>

The values are replicated across each host in the cluster.

[Ray Bon]

Jeremiah,

There are audit logs that also show the IP address. You can verify if the ip changes.

Could there be some routing mechanism between the client and cas that is masking the client's IP address?

Can you check the client ip address during a debug session?

Ray

---

From: Jeremiah Garmatter <j-gar...@onu.edu>
Sent: June 30, 2025 10:54
To: CAS Community <cas-...@apereo.org>
Cc: Ray Bon <rb...@uvic.ca>
Subject: Re: [cas-user] SAML2 IdP Error

 

I tracked down some more info in the CAS logs.

During the affected users' login process, I see these messages:

Jun 30 13:16:17 REDACTED_SERVER Jun 30 13:16:16 REDACTED_SERVER java[3549010]: 2025-06-30 13:16:16,948 WARN [org.apereo.cas.web.support.gen.CookieRetrievingCookieGenerator] - <Invalid cookie. Required remote address REDACTED_IP does not match DIFFERENT_REDACTED_IP

Jun 30 13:16:17  REDACTED_SERVER  Jun 30 13:16:16  REDACTED_SERVER  java[3549010]: 2025-06-30 13:16:16,947 WARN [org.apereo.cas.web.support.mgmr.DefaultCasCookieValueManager] - <Invalid cookie. Required remote address  REDACTED_IP   does not match  DIFFERENT_REDACTED_IP >

Jun 30 13:15:41  REDACTED_OTHER_SERVER  Jun 30 13:15:41  REDACTED_OTHER_SERVER  java[3132836]: 2025-06-30 13:15:41,334 WARN [org.apereo.cas.web.support.mgmr.DefaultCasCookieValueManager] - <Invalid cookie. Required remote address  REDACTED_IP   does not match  DIFFERENT_REDACTED_IP >

I know that CAS stores the IP address and some client info in the session store. Am I to understand that the affected users' IP address changes during the authentication process? I can see how that would prevent a successful authentication but I'm not sure why their IPs would change so much that these users can't log in to anything.

I'm hesitant to disable this optional config from https://apereo.github.io/cas/7.2.x/authentication/Configuring-SAML2-Authentication.html:

cas.authn.saml-idp.core.session-replication.cookie.pin-to-session

It sounds like I could remove the IP address and other client info from the session but that could allow malicious parties to re-use the cookie. I don't like the sound of that.

Any other ideas? I see this "cas.authn.saml-idp.core.session-replication.cookie.allowed-ip-addresses-pattern=" but it sounds like it's better suited when you can guarantee all the users authenticate from one location. We have lots of remote users.

[Jeremiah Garmatter]

I tracked down some more info in the CAS logs.

During the affected users' login process, I see these messages:

Jun 30 13:16:17 REDACTED_SERVER Jun 30 13:16:16 REDACTED_SERVER java[3549010]: 2025-06-30 13:16:16,948 WARN [org.apereo.cas.web.support.gen.CookieRetrievingCookieGenerator] - <Invalid cookie. Required remote address REDACTED_IP does not match DIFFERENT_REDACTED_IP

Jun 30 13:16:17  REDACTED_SERVER  Jun 30 13:16:16  REDACTED_SERVER  java[3549010]: 2025-06-30 13:16:16,947 WARN [org.apereo.cas.web.support.mgmr.DefaultCasCookieValueManager] - <Invalid cookie. Required remote address  REDACTED_IP   does not match  DIFFERENT_REDACTED_IP >

Jun 30 13:15:41  REDACTED_OTHER_SERVER  Jun 30 13:15:41  REDACTED_OTHER_SERVER  java[3132836]: 2025-06-30 13:15:41,334 WARN [org.apereo.cas.web.support.mgmr.DefaultCasCookieValueManager] - <Invalid cookie. Required remote address  REDACTED_IP   does not match  DIFFERENT_REDACTED_IP >

I know that CAS stores the IP address and some client info in the session store. Am I to understand that the affected users' IP address changes during the authentication process? I can see how that would prevent a successful authentication but I'm not sure why their IPs would change so much that these users can't log in to anything.

I'm hesitant to disable this optional config from https://apereo.github.io/cas/7.2.x/authentication/Configuring-SAML2-Authentication.html:

cas.authn.saml-idp.core.session-replication.cookie.pin-to-session

It sounds like I could remove the IP address and other client info from the session but that could allow malicious parties to re-use the cookie. I don't like the sound of that.

Any other ideas? I see this "cas.authn.saml-idp.core.session-replication.cookie.allowed-ip-addresses-pattern=" but it sounds like it's better suited when you can guarantee all the users authenticate from one location. We have lots of remote users.

On Friday, June 27, 2025 at 4:09:01 PM UTC-4 Jeremiah Garmatter wrote:

[Jeremiah Garmatter]

Thanks Ray,

I could see the IP address change during one of the authentication processes. The strange thing was that the IP address reported in the "Invalid cookie" line was different than the user's original IP address and the IP address that occurred later. So that case had 3 different IPs within 10 seconds.

I'll check if the CAS load-balancer is doing something strange. I feel that I'd see these SAML2 errors with more people if it was a problem with the load-balancer. Less than 1% of my users experience the problem.

[Jeremiah Garmatter]

I disabled the load balancer and ran CAS off of a single host and my users still had the problem.

It sounds like it is more of a problem with the user's internet (unstable/slow connection) than the CAS servers. This also explains why it would happen to so few people.

Unfortunately, the users claim they "tried multiple devices" and "multiple networks" and still see the error. CAS logs support these claims as I see at least four different IP ranges from one of the users in the last 30 days.

Thanks for the help narrowing down the problem. I'm not sure why four different networks would all swap a client's public IP address this often though. I can hardly expect the CAS group to troubleshoot that though.

Thanks again.

[Jeremiah Garmatter]

New development: One of our users experienced the SAML2 error from our internal network. The connection to the SSO server and the app server was stable.

It was bizarre because it seemed like the problem followed her username...

We tried another device and she got the same SAML2 error. One of the members of my team logged on with their own credentials on her device and got in without issue.

The thing that worked for her was logging into a different SAML2 service than the one she tried initially, which worked fine. Then, since she had an active session, she was able to access the original service without issues.

[Ray Bon]

Jeremiah,

Could this behaviour be related to some strange attribute retrieval problem; where the problem service has some attribute requirements that the user does not meet?

Why the conditions would not still apply after a successfull authentication would be a different problem.

Try these loggers:

        <!-- DEBUG displays attributes, obscures credential -->

        <Logger name="org.apereo.cas.authentication.CoreAuthenticationUtils" level="debug" />

        <!-- related to attribute merging and release -->

        <Logger name="org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy" level="debug" />

Ray

---

From: Jeremiah Garmatter <j-gar...@onu.edu>
Sent: July 29, 2025 05:29

To: CAS Community <cas-...@apereo.org>
Cc: Ray Bon <rb...@uvic.ca>
Subject: Re: [cas-user] SAML2 IdP Error