Tomas,

Try adding cookie encryption and signing keys.
See https://apereo.github.io/cas/7.2.x/authentication/Configuring-SAML2-Authentication.html under
the signing & encryption tab.

Ray
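As an added illustration, not taken from Ray's or Tomas's message or from the CAS project's own documentation: the configuration quoted in the question, with the session-replication cookie keys that Ray's reply refers to. The property names below are assumed from memory of the CAS SAML2 IdP documentation and should be checked against the linked page for the exact version in use; the key values are placeholders to be replaced with generated keys that are identical on every node (when these keys are left blank, each CAS node generates its own at startup, so a callback that lands on a different node than the one that created the cookie cannot decrypt or verify it).

```properties
# --- Original settings from the question (unchanged) ---
cas.authn.saml-idp.core.session-storage-type=TICKET_REGISTRY
cas.ticket.registry.redis.host=${REDIS_HOST}
cas.ticket.registry.redis.password=${REDIS_PASSWORD}

# --- Added: explicit keys for the SAML2 session-replication cookie ---
# Property names are assumed; verify them in the "signing & encryption"
# section of the linked CAS documentation before use.
cas.authn.saml-idp.core.session-replication.replicate-sessions=true
cas.authn.saml-idp.core.session-replication.cookie.crypto.enabled=true
# Placeholder values: generate real keys once and deploy the SAME values
# to every Kubernetes replica (e.g. via a shared Secret), never per node.
cas.authn.saml-idp.core.session-replication.cookie.crypto.signing.key=<GENERATED_SIGNING_KEY_PLACEHOLDER>
cas.authn.saml-idp.core.session-replication.cookie.crypto.encryption.key=<GENERATED_ENCRYPTION_KEY_PLACEHOLDER>
```

A quick check after rollout is to grep each node's startup log for warnings about auto-generated signing or encryption keys; if any node still prints one, that node is not reading the shared values.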
________________________________
From: 'Tomas Villarreal' via CAS Community <cas-user@apereo.org>
Sent: April 28, 2025 12:14
To: CAS Community <cas-user@apereo.org>
Cc: Matias Argañaraz <matias.argana...@unc.edu.ar>
Subject: [cas-user] SAML2 IdP error after upgrading to 7+

Good afternoon, we have an error when trying to authenticate using the SAML 
protocol after upgrading to version 7+,
[Captura.PNG]
(the full error log is at the bottom of the post)

About our current setup:
We are using CAS version 6.6.13 deployed in an environment with multiple 
instances (kubernetes). For ticket registry we use a Redis DB, which we also 
use for auditing (throttling). When we try to update to 7.X.X (we tested 7.0.X, 
7.1.X and 7.2.X) everything works fine, both locally and in a multi-instance 
environment.

However, we have a reproducible error when trying to authenticate via the SAML2 
protocol when there is more than one instance of the SSO (locally, with one 
instance, it works fine).

Could it be that there is some change in authentication with the SAML2 protocol 
that we are not aware of? In the previous version, 6.6.13, everything works 
perfectly.

PS: For reference, we have the following configuration:
cas.authn.saml-idp.core.session-storage-type=TICKET_REGISTRY
cas.ticket.registry.redis.host=${REDIS_HOST}
cas.ticket.registry.redis.password=${REDIS_PASSWORD}

Error log:
2025-04-28 15:43:50,009 INFO 
[org.apereo.cas.support.saml.web.idp.profile.AbstractSamlIdPProfileHandlerController]
 - <Received SAML2 callback profile request [/idp/profile/SAML2/Callback]>
2025-04-28 15:43:50,011 ERROR [org.apereo.cas.util.concurrent.CasReentrantLock] 
- <SAML2 authentication request cannot be determined from the CAS session store 
for request id ONELOGIN_5cf32d91b3c165b58055063640f22d0b9b50d1fe.
This typically means that the original SAML2 authentication request that was 
submitted to CAS via a SAML2 service provider
cannot be retrieved and restored after an authentication attempt. If you are 
running a multi-node CAS deployment, you may
need to opt for a different session storage mechanism than what is configured 
now: org.apereo.cas.pac4j.TicketRegistrySessionStore
AbstractSamlIdPProfileHandlerController.java:lambda$retrieveAuthenticationRequest$7:534
Optional.java:orElseThrow:403
AbstractSamlIdPProfileHandlerController.java:lambda$retrieveAuthenticationRequest$8:525
CasReentrantLock.java:tryLock:57
>
2025-04-28 15:43:50,016 ERROR [org.apereo.cas.web.support.WebUtils] - 
<RootCasException(super=org.apereo.cas.support.saml.idp.MissingSamlAuthnRequestException:
 SAML2 authentication request cannot be determined from the CAS session store 
for request id ONELOGIN_5cf32d91b3c165b58055063640f22d0b9b50d1fe.
This typically means that the original SAML2 authentication request that was 
submitted to CAS via a SAML2 service provider
cannot be retrieved and restored after an authentication attempt. If you are 
running a multi-node CAS deployment, you may
need to opt for a different session storage mechanism than what is configured 
now: org.apereo.cas.pac4j.TicketRegistrySessionStore, code=MISSING_SAML_REQUEST)
CasReentrantLock.java:tryLock:60
AbstractSamlIdPProfileHandlerController.java:retrieveAuthenticationRequest:520
SSOSamlIdPProfileCallbackHandlerController.java:handleProfileRequest:90
SSOSamlIdPProfileCallbackHandlerController.java:handleCallbackProfileRequestGet:69
>



--
- Website: https://apereo.github.io/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org<mailto:cas-user+unsubscr...@apereo.org>.
To view this discussion visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/fb417dce-52e3-4773-99ab-a71b4786ebd2n%40apereo.org<https://groups.google.com/a/apereo.org/d/msgid/cas-user/fb417dce-52e3-4773-99ab-a71b4786ebd2n%40apereo.org?utm_medium=email&utm_source=footer>.
