SAML2 IdP error after upgrading to 7+


Tomas Villarreal

Apr 28, 2025, 11:45:14 PM
to CAS Community, Matias Argañaraz
Good afternoon, we have an error when trying to authenticate using the SAML protocol after upgrading to version 7+.
(the full error log is at the bottom of the post)

About our current setup:
We are using CAS version 6.6.13 deployed in an environment with multiple instances (kubernetes). For ticket registry we use a Redis DB, which we also use for auditing (throttling). When we try to update to 7.X.X (we tested 7.0.X, 7.1.X and 7.2.X) everything works fine, both locally and in a multi-instance environment.

However, we have a reproducible error when trying to authenticate via the SAML2 protocol when there is more than one instance of the SSO (locally, with one instance, it works fine).

Could it be that there is some change in authentication with the SAML2 protocol that we are not aware of? Since in the previous version 6.6.13 everything works perfectly.


PS: For reference, we have the following configuration:
cas.authn.saml-idp.core.session-storage-type=TICKET_REGISTRY
cas.ticket.registry.redis.host=${REDIS_HOST}
cas.ticket.registry.redis.password=${REDIS_PASSWORD}


Error log:
2025-04-28 15:43:50,009 INFO [org.apereo.cas.support.saml.web.idp.profile.AbstractSamlIdPProfileHandlerController] - <Received SAML2 callback profile request [/idp/profile/SAML2/Callback]>
2025-04-28 15:43:50,011 ERROR [org.apereo.cas.util.concurrent.CasReentrantLock] - <SAML2 authentication request cannot be determined from the CAS session store for request id ONELOGIN_5cf32d91b3c165b58055063640f22d0b9b50d1fe.
This typically means that the original SAML2 authentication request that was submitted to CAS via a SAML2 service provider
cannot be retrieved and restored after an authentication attempt. If you are running a multi-node CAS deployment, you may
need to opt for a different session storage mechanism than what is configured now: org.apereo.cas.pac4j.TicketRegistrySessionStore
AbstractSamlIdPProfileHandlerController.java:lambda$retrieveAuthenticationRequest$7:534
Optional.java:orElseThrow:403
AbstractSamlIdPProfileHandlerController.java:lambda$retrieveAuthenticationRequest$8:525
CasReentrantLock.java:tryLock:57
>
2025-04-28 15:43:50,016 ERROR [org.apereo.cas.web.support.WebUtils] - <RootCasException(super=org.apereo.cas.support.saml.idp.MissingSamlAuthnRequestException: SAML2 authentication request cannot be determined from the CAS session store for request id ONELOGIN_5cf32d91b3c165b58055063640f22d0b9b50d1fe.
This typically means that the original SAML2 authentication request that was submitted to CAS via a SAML2 service provider
cannot be retrieved and restored after an authentication attempt. If you are running a multi-node CAS deployment, you may
need to opt for a different session storage mechanism than what is configured now: org.apereo.cas.pac4j.TicketRegistrySessionStore, code=MISSING_SAML_REQUEST)
CasReentrantLock.java:tryLock:60
AbstractSamlIdPProfileHandlerController.java:retrieveAuthenticationRequest:520
SSOSamlIdPProfileCallbackHandlerController.java:handleProfileRequest:90
SSOSamlIdPProfileCallbackHandlerController.java:handleCallbackProfileRequestGet:69
>


Ray Bon

Apr 29, 2025, 11:28:23 AM
to cas-...@apereo.org
Tomas,

Try adding cookie encryption and signing keys. See https://apereo.github.io/cas/7.2.x/authentication/Configuring-SAML2-Authentication.html under the signing & encryption tab.

Ray

From: 'Tomas Villarreal' via CAS Community <cas-...@apereo.org>
Sent: April 28, 2025 12:14
To: CAS Community <cas-...@apereo.org>
Cc: Matias Argañaraz <matias.a...@unc.edu.ar>
Subject: [cas-user] SAML2 IdP error after upgrading to 7+
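What Ray's suggestion looks like in cas.properties, as an added example that is not part of Ray's reply or of the CAS project's own documentation. The `session-replication.cookie.crypto` property names and the two `${...}` placeholders are assumptions to be checked against the CAS 7.2.x reference; the storage-type line is the one from the original post.

```properties
# Added example (not from the thread or the CAS project). Property names are
# assumed to match the CAS 7.2.x SAML2 IdP "Session Replication" settings.

# Storage type already used in the original post: the SAML2 request is kept
# in the (Redis-backed) ticket registry, shared by all nodes.
cas.authn.saml-idp.core.session-storage-type=TICKET_REGISTRY

# The cookie that points back at that stored request is encrypted and signed.
# If no keys are configured, each node generates its own keys at startup, so a
# cookie issued by node A cannot be decrypted or verified on node B and the
# callback fails with MISSING_SAML_REQUEST. Pin the same keys on every node,
# injected from the environment like the Redis secret above (placeholders):
cas.authn.saml-idp.core.session-replication.cookie.crypto.encryption.key=${SAML_IDP_COOKIE_ENC_KEY}
cas.authn.saml-idp.core.session-replication.cookie.crypto.signing.key=${SAML_IDP_COOKIE_SIGN_KEY}
```

Generate the two values once, sized as the CAS reference documentation specifies for cookie keys, and distribute them to all instances through the same secret store that already supplies REDIS_PASSWORD.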

Stéphane Delcourt

Aug 26, 2025, 6:52:37 AM
to CAS Community, Tomas Villarreal, Matias Argañaraz
Hi Tomas,

We are experiencing the same issue on our 7.2.3 CAS instance, upgraded from 6.5.
Initially my storage type was HTTP, but with 3 CAS nodes in a cluster I've changed it to TICKET_REGISTRY, and the problem remains.
Have you been able to fix it on your side?

Regards,

Stéphane
