CAS 7.2.7 JPA Ticket Registry issues while encrypting data


gautham jampala

Nov 11, 2025, 4:36:46 PM
to CAS Community
Hello,

We enabled JPA Ticket Registry with data encryption, and for the most part it works without issues, but in the SSO login flow, when the user is redirected back from their IDP to our CAS, authentication fails with "State cannot be determined". When we turn off encryption for the JPA Ticket Registry data, the user is properly redirected to the welcome screen.

Has anyone run into a similar issue, and is there a workaround for this?

Thank you,
Gautham

Ray Bon

Nov 12, 2025, 2:03:37 PM
to cas-...@apereo.org
Gautham,

Check encryption and signing key lengths. Regenerate keys to match the expected default lengths (rather than trying to set the lengths).

Ray


gautham jampala

Nov 19, 2025, 1:57:18 PM
to CAS Community, Ray Bon
I tried commenting out the encryption and signing keys to let CAS auto-generate the keys, but still the same issue. I am not setting any key sizes for the JPA registry properties. On retry of SSO login, the user is redirected to the IDP login screen, and after successful login they are redirected to the CAS welcome screen with all principal details; it seems like it is losing the registered service to redirect to. Below are my JPA registry properties:
cas.ticket.registry.jpa.driver-class=org.mariadb.jdbc.Driver
cas.ticket.registry.jpa.enabled=true
cas.ticket.registry.jpa.password=***
cas.ticket.registry.jpa.url=jdbc:mariadb://localhost:3306/test
cas.ticket.registry.jpa.user=***
cas.ticket.registry.jpa.ddl-auto=none
cas.ticket.registry.jpa.dialect=org.hibernate.dialect.MariaDBDialect
cas.ticket.registry.jpa.crypto.enabled=true
cas.ticket.registry.jpa.crypto.signing-enabled=true

I also have properties for the TGC, for which I am setting key-size and alg:
cas.tgc.max-age=-1
cas.tgc.http-only=false
cas.tgc.path=/
cas.tgc.name=CASTGC
cas.tgc.crypto.encryption.key=PqN1lyOIrdCppLN0MaORzkBFDuaS4ytKWmBgRYVhjwI
cas.tgc.crypto.signing.key=4eWRTqk5RCP97v96pY0Ear6HdTX6kYbNoe32k8nEZjRCDFjXoMzQG3zdEg1fsxpEJL9gGHq7AlOkIp2htvn9Eg
cas.tgc.crypto.alg=A256GCM
cas.tgc.crypto.encryption.key-size=256

Thank you,
Gautham
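
The key-length check suggested earlier in the thread can be run offline against a properties file. This Python sketch is an added example, not part of the thread or of CAS; it assumes keys are base64url-encoded and that key-size is given in bits, as the TGC settings above imply. The sample keys are constructed placeholders with the same lengths as the posted ones.

```python
import base64

# Constructed sample in the shape of the properties above (placeholder keys).
SAMPLE = f"""\
cas.ticket.registry.jpa.crypto.enabled=true
cas.ticket.registry.jpa.crypto.signing-enabled=true
cas.tgc.crypto.encryption.key={"A" * 43}
cas.tgc.crypto.signing.key={"Q" * 86}
cas.tgc.crypto.alg=A256GCM
cas.tgc.crypto.encryption.key-size=256
"""

def parse_properties(text):
    """Parse key=value lines, skipping blanks and comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith(("#", "!")) and "=" in line:
            name, value = line.split("=", 1)
            props[name.strip()] = value.strip()
    return props

def key_bits(value):
    """Bit length of a base64url key (padding optional); None if undecodable."""
    try:
        raw = base64.urlsafe_b64decode(value + "=" * (-len(value) % 4))
    except ValueError:
        return None
    return len(raw) * 8

def audit_crypto(text):
    """Map '<prefix>.crypto.<kind>' to a status for every crypto block found."""
    props = parse_properties(text)
    prefixes = sorted({k.split(".crypto.")[0] for k in props if ".crypto." in k})
    report = {}
    for prefix in prefixes:
        for kind in ("encryption", "signing"):
            base = f"{prefix}.crypto.{kind}"
            key, declared = props.get(f"{base}.key"), props.get(f"{base}.key-size")
            bits = key_bits(key) if key is not None else None
            if key is None:
                report[base] = "unset"  # no explicit key; CAS generates its own
            elif not bits:
                report[base] = "undecodable"
            elif declared and int(declared) != bits:  # assumption: size in bits
                report[base] = f"mismatch: key is {bits} bits, key-size is {declared}"
            else:
                report[base] = f"{bits} bits"
    return report
```

Run `audit_crypto` over the text of the deployed properties file; any entry reported as `unset`, `undecodable` or `mismatch` is a setting to review before regenerating keys.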
