Jeremiah,

Could this behaviour be related to some strange attribute retrieval problem; 
where the problem service has some attribute requirements that the user does 
not meet?

Why the conditions would not still apply after a successful authentication 
would be a different problem.

Try these loggers:
        <!-- DEBUG displays attributes, obscures credential -->
        <Logger name="org.apereo.cas.authentication.CoreAuthenticationUtils" level="debug" />
        <!-- related to attribute merging and release -->
        <Logger name="org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy" level="debug" />

Ray
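An added example, not part of this thread or of CAS itself: a small Python parser for the "Invalid cookie. Required remote address ... does not match ..." warnings quoted further down, which groups them by the address pinned in the cookie and reports how many distinct client addresses collided with it and over what time span. The hostnames and addresses in the sample log are constructed placeholders, not values from the thread.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in the shape of the CAS warnings quoted in this thread
# (syslog prefix, then the log4j record). Hosts and addresses are placeholders.
SAMPLE_LOG = """\
Jun 30 13:15:41 idp-b java[3132836]: 2025-06-30 13:15:41,334 WARN [org.apereo.cas.web.support.mgmr.DefaultCasCookieValueManager] - <Invalid cookie. Required remote address 203.0.113.10 does not match 203.0.113.77 >
Jun 30 13:16:17 idp-a java[3549010]: 2025-06-30 13:16:16,947 WARN [org.apereo.cas.web.support.mgmr.DefaultCasCookieValueManager] - <Invalid cookie. Required remote address 203.0.113.10 does not match 198.51.100.5 >
Jun 30 13:16:17 idp-a java[3549010]: 2025-06-30 13:16:16,948 WARN [org.apereo.cas.web.support.gen.CookieRetrievingCookieGenerator] - <Invalid cookie. Required remote address 203.0.113.10 does not match 198.51.100.5
Jun 30 13:20:00 idp-a java[3549010]: 2025-06-30 13:20:00,001 INFO [org.apereo.cas.authentication.DefaultAuthenticationManager] - <Authenticated user ok>
"""

# Matches the log4j part of the line: timestamp, logger class, pinned and observed address.
LINE_RE = re.compile(
    r"(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) WARN "
    r"\[(?P<logger>[\w.]+)\] - <Invalid cookie\. Required remote address\s+"
    r"(?P<pinned>\S+)\s+does not match\s+(?P<seen>\S+)"
)


def parse_mismatches(text):
    """Return one dict per 'Invalid cookie' warning found in the log text."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            d = m.groupdict()
            d["ts"] = datetime.strptime(d["ts"], "%Y-%m-%d %H:%M:%S,%f")
            events.append(d)
    return events


def addresses_per_pinned_ip(events, window_seconds=60):
    """Group warnings by the address pinned in the cookie. For each, report the
    distinct client addresses seen against it, the number of warnings, the time
    span they cover, and whether several addresses appeared inside the window
    (a sign the client's source address is flapping, not a one-off change)."""
    by_pinned = defaultdict(list)
    for e in events:
        by_pinned[e["pinned"]].append(e)
    report = {}
    for pinned, evs in by_pinned.items():
        evs.sort(key=lambda e: e["ts"])
        span = (evs[-1]["ts"] - evs[0]["ts"]).total_seconds()
        seen = sorted({e["seen"] for e in evs})
        report[pinned] = {
            "seen": seen,
            "count": len(evs),
            "span_s": span,
            "multiple_sources_in_window": len(seen) > 1 and span <= window_seconds,
        }
    return report
```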
________________________________
From: Jeremiah Garmatter <j-garmat...@onu.edu>
Sent: July 29, 2025 05:29
To: CAS Community <cas-user@apereo.org>
Cc: Ray Bon <r...@uvic.ca>
Subject: Re: [cas-user] SAML2 IdP Error


New development: One of our users experienced the SAML2 error from our internal 
network. The connection to the SSO server and the app server was stable.
It was bizarre because it seemed like the problem followed her username...
We tried another device and she got the same SAML2 error. One of the members of 
my team logged on with their own credentials on her device and got in without 
issue.
The thing that worked for her was logging into a different SAML2 service than 
the one she tried initially, which worked fine. Then, since she had an active 
session, she was able to access the original service without issues.

On Tuesday, July 8, 2025 at 1:45:22 PM UTC-4 Jeremiah Garmatter wrote:
I disabled the load balancer and ran CAS off of a single host and my users 
still had the problem.

It sounds like it is more of a problem with the user's internet (unstable/slow 
connection) than the CAS servers. This also explains why it would happen to so 
few people.
Unfortunately, the users claim they "tried multiple devices" and "multiple 
networks" and still see the error. CAS logs support these claims as I see at 
least four different IP ranges from one of the users in the last 30 days.
Thanks for the help narrowing down the problem. I'm not sure why four different 
networks would all swap a client's public IP address this often though. I can 
hardly expect the CAS group to troubleshoot that though.
Thanks again.

On Monday, June 30, 2025 at 10:35:03 PM UTC-4 Jeremiah Garmatter wrote:
Thanks Ray,

I could see the IP address change during one of the authentication processes. 
The strange thing was that the IP address reported in the "Invalid cookie" line 
was different than the user's original IP address and the IP address that 
occurred later. So that case had 3 different IPs within 10 seconds.

I'll check if the CAS load-balancer is doing something strange. I feel that I'd 
see these SAML2 errors with more people if it was a problem with the 
load-balancer. Less than 1% of my users experience the problem.

On Monday, June 30, 2025 at 3:03:33 PM UTC-4 Jeremiah Garmatter wrote:
I tracked down some more info in the CAS logs.

During the affected users' login process, I see these messages:
Jun 30 13:16:17 REDACTED_SERVER Jun 30 13:16:16 REDACTED_SERVER java[3549010]: 2025-06-30 13:16:16,948 WARN [org.apereo.cas.web.support.gen.CookieRetrievingCookieGenerator] - <Invalid cookie. Required remote address REDACTED_IP does not match DIFFERENT_REDACTED_IP
Jun 30 13:16:17 REDACTED_SERVER Jun 30 13:16:16 REDACTED_SERVER java[3549010]: 2025-06-30 13:16:16,947 WARN [org.apereo.cas.web.support.mgmr.DefaultCasCookieValueManager] - <Invalid cookie. Required remote address REDACTED_IP does not match DIFFERENT_REDACTED_IP >
Jun 30 13:15:41 REDACTED_OTHER_SERVER Jun 30 13:15:41 REDACTED_OTHER_SERVER java[3132836]: 2025-06-30 13:15:41,334 WARN [org.apereo.cas.web.support.mgmr.DefaultCasCookieValueManager] - <Invalid cookie. Required remote address REDACTED_IP does not match DIFFERENT_REDACTED_IP >

I know that CAS stores the IP address and some client info in the session 
store. Am I to understand that the affected users' IP address changes during 
the authentication process? I can see how that would prevent a successful 
authentication but I'm not sure why their IPs would change so much that these 
users can't log in to anything.

I'm hesitant to disable this optional config from 
https://apereo.github.io/cas/7.2.x/authentication/Configuring-SAML2-Authentication.html:
cas.authn.saml-idp.core.session-replication.cookie.pin-to-session
It sounds like I could remove the IP address and other client info from the 
session but that could allow malicious parties to re-use the cookie. I don't 
like the sound of that.

Any other ideas? I see this 
"cas.authn.saml-idp.core.session-replication.cookie.allowed-ip-addresses-pattern="
 but it sounds like it's better suited when you can guarantee all the users 
authenticate from one location. We have lots of remote users.
On Friday, June 27, 2025 at 4:09:01 PM UTC-4 Jeremiah Garmatter wrote:
Hi Ray,

I do, I have both the signing and encryption key configs set. Like this:
cas.authn.saml-idp.core.session-replication.cookie.crypto.signing.key=<a signing key>
cas.authn.saml-idp.core.session-replication.cookie.crypto.encryption.key=<an encryption key>
The values are replicated across each host in the cluster.


On Friday, June 27, 2025 at 3:25:25 PM UTC-4 Ray Bon wrote:
Jeremiah,

Do you have a session-replication.cookie configured?
https://apereo.github.io/cas/7.2.x/authentication/Configuring-SAML2-Authentication.html
 under Signing & Encryption tab


Ray
________________________________
From: 'Jeremiah Garmatter' via CAS Community <cas-...@apereo.org>
Sent: June 27, 2025 10:59
To: CAS Community <cas-...@apereo.org>
Subject: [cas-user] SAML2 IdP Error

Hello,

I run CAS 7.2.1 in a cluster with Hazelcast ticket registry and SAML2 support. 
I have a strange issue.
Most users can log in to SAML2 services without any trouble, however, some 
users receive an error every time they attempt a login.
See attachment for the error message.
The majority of users may see this message once in a blue moon. Revisiting the 
SP will correct the problem. This doesn't work for a very small group of my 
users though.
We've tried troubleshooting the web browser by clearing browser cache, 
disabling browser plugins, private browser window, different browsers, 
different devices, and I've asked them to try different networks but none of 
that corrected their issues.

I changed the SAML session storage to:
cas.authn.saml-idp.core.session-storage-type=TICKET_REGISTRY
but that didn't fix their issues either.

Has anyone seen this problem before or have any advice to fix it?

--
- Website: https://apereo.github.io/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+u...@apereo.org.
To view this discussion visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/1464f6f7-ac64-4962-b08f-8f0cb20c7443n%40apereo.org<https://groups.google.com/a/apereo.org/d/msgid/cas-user/1464f6f7-ac64-4962-b08f-8f0cb20c7443n%40apereo.org?utm_medium=email&utm_source=footer>.
