Good afternoon, we have an error when trying to authenticate using the SAML protocol after upgrading to version 7+ (the full error log is at the bottom of the post).

About our current setup: We are using CAS version 6.6.13 deployed in an environment with multiple instances (Kubernetes). For the ticket registry we use a Redis DB, which we also use for auditing (throttling).

When we try to update to 7.X.X (we tested 7.0.X, 7.1.X and 7.2.X) everything works fine, both locally and in a multi-instance environment. However, we have a reproducible error when trying to authenticate via the SAML2 protocol when there is more than one instance of the SSO (locally with one instance it works fine).

Could it be that there is some change in authentication with the SAML2 protocol that we are not aware of? In the previous version 6.6.13 everything works perfectly.

PS: For reference, we have the following configuration:

cas.authn.saml-idp.core.session-storage-type=TICKET_REGISTRY
cas.ticket.registry.redis.host=${REDIS_HOST}
cas.ticket.registry.redis.password=${REDIS_PASSWORD}

Error log:

2025-04-28 15:43:50,009 INFO [org.apereo.cas.support.saml.web.idp.profile.AbstractSamlIdPProfileHandlerController] - <Received SAML2 callback profile request [/idp/profile/SAML2/Callback]>
2025-04-28 15:43:50,011 ERROR [org.apereo.cas.util.concurrent.CasReentrantLock] - <SAML2 authentication request cannot be determined from the CAS session store for request id ONELOGIN_5cf32d91b3c165b58055063640f22d0b9b50d1fe. This typically means that the original SAML2 authentication request that was submitted to CAS via a SAML2 service provider cannot be retrieved and restored after an authentication attempt. If you are running a multi-node CAS deployment, you may need to opt for a different session storage mechanism than what is configured now: org.apereo.cas.pac4j.TicketRegistrySessionStore
AbstractSamlIdPProfileHandlerController.java:lambda$retrieveAuthenticationRequest$7:534
Optional.java:orElseThrow:403
AbstractSamlIdPProfileHandlerController.java:lambda$retrieveAuthenticationRequest$8:525
CasReentrantLock.java:tryLock:57
>
2025-04-28 15:43:50,016 ERROR [org.apereo.cas.web.support.WebUtils] - <RootCasException(super=org.apereo.cas.support.saml.idp.MissingSamlAuthnRequestException: SAML2 authentication request cannot be determined from the CAS session store for request id ONELOGIN_5cf32d91b3c165b58055063640f22d0b9b50d1fe. This typically means that the original SAML2 authentication request that was submitted to CAS via a SAML2 service provider cannot be retrieved and restored after an authentication attempt. If you are running a multi-node CAS deployment, you may need to opt for a different session storage mechanism than what is configured now: org.apereo.cas.pac4j.TicketRegistrySessionStore, code=MISSING_SAML_REQUEST)
CasReentrantLock.java:tryLock:60
AbstractSamlIdPProfileHandlerController.java:retrieveAuthenticationRequest:520
SSOSamlIdPProfileCallbackHandlerController.java:handleProfileRequest:90
SSOSamlIdPProfileCallbackHandlerController.java:handleCallbackProfileRequestGet:69
>