Thanks Ray, I could see the IP address change during one of the authentication processes. The strange thing was that the IP address reported in the "Invalid cookie" line was different than the user's original IP address and the IP address that occurred later. So that case had 3 different IPs within 10 seconds.
I'll check if the CAS load-balancer is doing something strange. I feel that I'd see these SAML2 errors with more people if it was a problem with the load-balancer. Less than 1% of my users experience the problem.

On Monday, June 30, 2025 at 3:03:33 PM UTC-4 Jeremiah Garmatter wrote:
> I tracked down some more info in the CAS logs.
>
> During the affected users' login process, I see these messages:
> Jun 30 13:16:17 REDACTED_SERVER Jun 30 13:16:16 REDACTED_SERVER java[3549010]: 2025-06-30 13:16:16,948 WARN [org.apereo.cas.web.support.gen.CookieRetrievingCookieGenerator] - <Invalid cookie. Required remote address REDACTED_IP does not match DIFFERENT_REDACTED_IP
> Jun 30 13:16:17 REDACTED_SERVER Jun 30 13:16:16 REDACTED_SERVER java[3549010]: 2025-06-30 13:16:16,947 WARN [org.apereo.cas.web.support.mgmr.DefaultCasCookieValueManager] - <Invalid cookie. Required remote address REDACTED_IP does not match DIFFERENT_REDACTED_IP
>
> Jun 30 13:15:41 REDACTED_OTHER_SERVER Jun 30 13:15:41 REDACTED_OTHER_SERVER java[3132836]: 2025-06-30 13:15:41,334 WARN [org.apereo.cas.web.support.mgmr.DefaultCasCookieValueManager] - <Invalid cookie. Required remote address REDACTED_IP does not match DIFFERENT_REDACTED_IP
>
> I know that CAS stores the IP address and some client info in the session store. Am I to understand that the affected users' IP address changes during the authentication process? I can see how that would prevent a successful authentication but I'm not sure why their IPs would change so much that these users can't log in to anything.
>
> I'm hesitant to disable this optional config from https://apereo.github.io/cas/7.2.x/authentication/Configuring-SAML2-Authentication.html :
> cas.authn.saml-idp.core.session-replication.cookie.pin-to-session
> It sounds like I could remove the IP address and other client info from the session but that could allow malicious parties to re-use the cookie. I don't like the sound of that.
>
> Any other ideas? I see this
> "cas.authn.saml-idp.core.session-replication.cookie.allowed-ip-addresses-pattern="
> but it sounds like it's better suited when you can guarantee all the users authenticate from one location. We have lots of remote users.
>
> On Friday, June 27, 2025 at 4:09:01 PM UTC-4 Jeremiah Garmatter wrote:
>> Hi Ray,
>>
>> I do, I have both the signing and encryption key configs set. Like this:
>> cas.authn.saml-idp.core.session-replication.cookie.crypto.signing.key=<a signing key>
>> cas.authn.saml-idp.core.session-replication.cookie.crypto.encryption.key=<an encryption key>
>> The values are replicated across each host in the cluster.
>>
>> On Friday, June 27, 2025 at 3:25:25 PM UTC-4 Ray Bon wrote:
>>> Jeremiah,
>>>
>>> Do you have a session-replication.cookie configured?
>>>
>>> https://apereo.github.io/cas/7.2.x/authentication/Configuring-SAML2-Authentication.html under Signing & Encryption tab
>>>
>>> Ray
>>> ------------------------------
>>> *From:* 'Jeremiah Garmatter' via CAS Community <cas-...@apereo.org>
>>> *Sent:* June 27, 2025 10:59
>>> *To:* CAS Community <cas-...@apereo.org>
>>> *Subject:* [cas-user] SAML2 IdP Error
>>>
>>> Hello,
>>>
>>> I run CAS 7.2.1 in a cluster with Hazelcast ticket registry and SAML2 support. I have a strange issue.
>>> Most users can log in to SAML2 services without any trouble, however, some users receive an error every time they attempt a login.
>>> See attachment for the error message.
>>> The majority of users may see this message once in a blue moon. Revisiting the SP will correct the problem. This doesn't work for a very small group of my users though.
>>> We've tried troubleshooting the web browser by clearing browser cache, disabling browser plugins, private browser window, different browsers, different devices, and I've asked them to try different networks but none of that corrected their issues.
>>>
>>> I changed the SAML session storage to:
>>> cas.authn.saml-idp.core.session-storage-type=TICKET_REGISTRY
>>> but that didn't fix their issues either.
>>>
>>> Has anyone seen this problem before or have any advice to fix it?
>>>
>>> --
>>> - Website: https://apereo.github.io/cas
>>> - List Guidelines: https://goo.gl/1VRrw7
>>> - Contributions: https://goo.gl/mh7qDG
>>> ---
>>> You received this message because you are subscribed to the Google Groups "CAS Community" group.
>>> To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.
>>> To view this discussion visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/1464f6f7-ac64-4962-b08f-8f0cb20c7443n%40apereo.org
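To make the symptom in the quoted logs easier to measure before deciding whether to relax `pin-to-session`, here is an added Python example; it is not code from this thread or from the CAS project. It parses the `Invalid cookie. Required remote address X does not match Y` WARN lines, groups them by the address pinned in the cookie, and reports how many distinct client addresses each session was seen from and over what time span (the "3 different IPs within 10 seconds" pattern). It also models a candidate `allowed-ip-addresses-pattern`: the semantics assumed here, that a mismatching address is tolerated only when it fully matches the regex, are an assumption to verify against the CAS documentation for your version. The log lines are constructed with RFC 5737 test addresses, not real data from the poster's servers.

```python
import re
from datetime import datetime

# Constructed sample lines shaped like the CAS 7.x WARN messages quoted in the
# thread (syslog prefix stripped). Addresses are RFC 5737 test ranges, not real.
SAMPLE_LOG = """\
2025-06-30 13:15:41,334 WARN [org.apereo.cas.web.support.mgmr.DefaultCasCookieValueManager] - <Invalid cookie. Required remote address 203.0.113.10 does not match 198.51.100.7>
2025-06-30 13:16:16,947 WARN [org.apereo.cas.web.support.mgmr.DefaultCasCookieValueManager] - <Invalid cookie. Required remote address 203.0.113.10 does not match 198.51.100.9>
2025-06-30 13:16:16,948 WARN [org.apereo.cas.web.support.gen.CookieRetrievingCookieGenerator] - <Invalid cookie. Required remote address 203.0.113.10 does not match 198.51.100.9>
2025-06-30 13:40:02,101 DEBUG [example.filler.Logger] - <constructed filler line, should be ignored>
2025-06-30 13:40:02,105 WARN [org.apereo.cas.web.support.mgmr.DefaultCasCookieValueManager] - <Invalid cookie. Required remote address 192.0.2.55 does not match 192.0.2.56>
"""

# Only the pin-mismatch WARN lines are of interest; everything else is skipped.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) WARN \[(?P<logger>[^\]]+)\] - "
    r"<Invalid cookie\. Required remote address (?P<pinned>[^ ]+) does not match (?P<seen>[^>]+)>$"
)


def parse_mismatches(log_text):
    """Return one (timestamp, logger, pinned_ip, seen_ip) tuple per mismatch line."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S,%f")
            events.append((ts, m["logger"], m["pinned"], m["seen"]))
    return events


def addresses_per_session(events):
    """Group mismatches by the address pinned in the cookie.

    Returns {pinned_ip: (sorted distinct addresses incl. the pinned one,
    seconds between first and last mismatch)}. Three or more addresses inside
    a short span points at the client's source address changing mid-login
    (VPN egress pools, proxies, a load balancer not preserving the client IP),
    which is a different story from a single cookie replayed from one new host.
    """
    by_pinned = {}
    for ts, _logger, pinned, seen in events:
        entry = by_pinned.setdefault(pinned, {"ips": {pinned}, "first": ts, "last": ts})
        entry["ips"].add(seen)
        entry["first"] = min(entry["first"], ts)
        entry["last"] = max(entry["last"], ts)
    return {
        pinned: (sorted(e["ips"]), (e["last"] - e["first"]).total_seconds())
        for pinned, e in by_pinned.items()
    }


def pattern_accepts(allowed_pattern, seen_ip):
    """Model of the allowed-ip-addresses-pattern check (assumed semantics):
    a mismatching address is tolerated only if it fully matches the regex.
    An empty pattern grants no exceptions; '.*' is equivalent to disabling
    pinning altogether, so keep the pattern as narrow as the known egress range.
    """
    if not allowed_pattern:
        return False
    return re.fullmatch(allowed_pattern, seen_ip) is not None


if __name__ == "__main__":
    events = parse_mismatches(SAMPLE_LOG)
    for pinned, (ips, span) in addresses_per_session(events).items():
        print(f"pinned={pinned} distinct_ips={len(ips)} span={span:.3f}s ips={ips}")
    # Hypothetical narrow pattern covering one VPN egress /24 only.
    vpn_egress = r"198\.51\.100\.\d{1,3}"
    for ip in ("198.51.100.9", "192.0.2.56"):
        print(f"{ip} tolerated by {vpn_egress!r}: {pattern_accepts(vpn_egress, ip)}")
```

Run it against a real CAS log (with the syslog prefix stripped, as in the sample) to see whether the affected users' sessions cluster on a handful of egress ranges; if they do, a narrow pattern covering just those ranges is a far smaller concession than turning `pin-to-session` off for everyone.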