Hi Tomas,
We are experiencing the same issue on our 7.2.3 CAS instance upgraded from
6.5.
Initially my storage type was http, but with 3 CAS nodes in a cluster I've
changed it to ticket_registry, and the problem remains.
Have you been able to fix it on your side?
Regards,
Stéphane
On Tuesday, 29 April 2025 at 05:45:14 UTC+2, Tomas Villarreal wrote:
> Good afternoon, we have an error when trying to authenticate using the SAML
> protocol after upgrading to version 7+.
> [image: Captura.PNG]
> (the full error log is at the bottom of the post)
>
> About our current setup:
> We are using CAS version 6.6.13 deployed in an environment with multiple
> instances (Kubernetes). For the ticket registry we use a Redis DB, which we
> also use for auditing (throttling). When we try to update to 7.X.X (we
> tested 7.0.X, 7.1.X and 7.2.X) everything works fine, both locally and in a
> multi-instance environment.
>
> However, we have a reproducible error when trying to authenticate via the
> SAML2 protocol when there is more than one instance of the SSO (locally,
> with one instance, it works fine).
>
> Could it be that there is some change in authentication with the SAML2
> protocol that we are not aware of? Since in the previous version 6.6.13
> everything works perfectly.
>
> PS: For reference, we have the following configuration:
> cas.authn.saml-idp.core.session-storage-type=TICKET_REGISTRY
> cas.ticket.registry.redis.host=${REDIS_HOST}
> cas.ticket.registry.redis.password=${REDIS_PASSWORD}
>
> Error log:
> 2025-04-28 15:43:50,009 INFO [org.apereo.cas.support.saml.web.idp.profile.AbstractSamlIdPProfileHandlerController] - <Received SAML2 callback profile request [/idp/profile/SAML2/Callback]>
> 2025-04-28 15:43:50,011 ERROR [org.apereo.cas.util.concurrent.CasReentrantLock] - <SAML2 authentication request cannot be determined from the CAS session store for request id ONELOGIN_5cf32d91b3c165b58055063640f22d0b9b50d1fe. This typically means that the original SAML2 authentication request that was submitted to CAS via a SAML2 service provider cannot be retrieved and restored after an authentication attempt. If you are running a multi-node CAS deployment, you may need to opt for a different session storage mechanism than what is configured now: org.apereo.cas.pac4j.TicketRegistrySessionStore
> AbstractSamlIdPProfileHandlerController.java:lambda$retrieveAuthenticationRequest$7:534
> Optional.java:orElseThrow:403
> AbstractSamlIdPProfileHandlerController.java:lambda$retrieveAuthenticationRequest$8:525
> CasReentrantLock.java:tryLock:57
> >
> 2025-04-28 15:43:50,016 ERROR [org.apereo.cas.web.support.WebUtils] - <RootCasException(super=org.apereo.cas.support.saml.idp.MissingSamlAuthnRequestException: SAML2 authentication request cannot be determined from the CAS session store for request id ONELOGIN_5cf32d91b3c165b58055063640f22d0b9b50d1fe. This typically means that the original SAML2 authentication request that was submitted to CAS via a SAML2 service provider cannot be retrieved and restored after an authentication attempt. If you are running a multi-node CAS deployment, you may need to opt for a different session storage mechanism than what is configured now: org.apereo.cas.pac4j.TicketRegistrySessionStore, code=MISSING_SAML_REQUEST)
> CasReentrantLock.java:tryLock:60
> AbstractSamlIdPProfileHandlerController.java:retrieveAuthenticationRequest:520
> SSOSamlIdPProfileCallbackHandlerController.java:handleProfileRequest:90
> SSOSamlIdPProfileCallbackHandlerController.java:handleCallbackProfileRequestGet:69
> >
--
- Website: https://apereo.github.io/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
To view this discussion visit
https://groups.google.com/a/apereo.org/d/msgid/cas-user/ba242b5e-9e0a-447c-96a0-f76425ea4237n%40apereo.org.
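Added example (editor's code, not from this thread or from the CAS project). Before switching session-storage mechanisms again, it is worth establishing from the logs whether the failing `/idp/profile/SAML2/Callback` request is even reaching the node that stored the original AuthnRequest. The script below correlates CAS log lines aggregated from all nodes: it joins the wrapped continuation lines seen in the ERROR entries above, extracts the SAML request id, and for each id reports whether MISSING_SAML_REQUEST fired on a node other than the one that received the SSO request (lost affinity, or a store that is not actually shared) or on the same node (the request was never written to, or has already expired from, the store that node reads back). Assumptions: every line is prefixed with the emitting node/pod name (as `kubectl logs --prefix` or a log shipper would add); the SSO-leg INFO line in the sample is constructed for this example and its wording is not CAS's own (you may need a higher log level on the SAML IdP packages to get the request id logged); all sample lines and the `ONELOGIN_1111...`/`2222...`/`3333...` ids are constructed, and only the `ONELOGIN_5cf3...` id is taken from the thread.

```python
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, Iterable, Iterator, Optional, Set

# Record header: "<node> <yyyy-MM-dd HH:mm:ss,SSS> <LEVEL> [<logger>] - <message>".
# The leading node/pod name is an assumption of this example (added when aggregating);
# the rest is the layout seen in the thread's log excerpt.
_HEADER = re.compile(
    r"^(?P<node>\S+)\s+(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3})\s+"
    r"(?P<level>[A-Z]+)\s+\[(?P<logger>[^\]]+)\]\s+-\s+(?P<msg>.*)$"
)
# SAML request ids are NCNames; OneLogin-style ids look like ONELOGIN_<40 hex>.
_REQUEST_ID = re.compile(r"request id \[?(?P<id>[A-Za-z_][\w-]*)")
_SSO_PATH = re.compile(r"/idp/profile/SAML2/(?:Redirect|POST)/SSO")
_MISSING = "cannot be determined from the CAS session store"

VERDICTS = {
    "ok": "no MISSING_SAML_REQUEST seen for this request id",
    "cross-node": "callback hit a node other than the one that stored the request: "
                  "check session affinity and that the session store is really shared",
    "same-node": "the receiving node cannot read back its own request: check that the "
                 "store is actually written to and that the request has not expired",
    "no-sso-leg": "failure for a request id no node logged receiving: logs incomplete, "
                  "or the callback carries an id CAS never saw",
}


@dataclass
class SamlFlow:
    request_id: str
    sso_node: Optional[str] = None                    # node that received the AuthnRequest
    failed_on: Set[str] = field(default_factory=set)  # nodes that raised MISSING_SAML_REQUEST

    @property
    def verdict(self) -> str:
        if not self.failed_on:
            return "ok"
        if self.sso_node is None:
            return "no-sso-leg"
        if self.failed_on - {self.sso_node}:
            return "cross-node"
        return "same-node"


def records(lines: Iterable[str]) -> Iterator[dict]:
    """Group lines into records, appending wrapped continuation lines (as in the
    thread's ERROR entries) to the message of the preceding header line."""
    current: Optional[dict] = None
    for raw in lines:
        line = raw.rstrip()
        m = _HEADER.match(line)
        if m:
            if current is not None:
                yield current
            current = m.groupdict()
        elif current is not None and line.strip():
            current["msg"] += " " + line.strip()
    if current is not None:
        yield current


def correlate(lines: Iterable[str]) -> Dict[str, SamlFlow]:
    """Build one SamlFlow per SAML request id seen in the aggregated log."""
    flows: Dict[str, SamlFlow] = {}
    for rec in records(lines):
        msg = rec["msg"]
        idm = _REQUEST_ID.search(msg)
        if idm is None:
            continue  # e.g. the bare "Received SAML2 callback profile request" line has no id
        flow = flows.setdefault(idm["id"], SamlFlow(idm["id"]))
        if _SSO_PATH.search(msg):
            flow.sso_node = rec["node"]
        elif _MISSING in msg:
            flow.failed_on.add(rec["node"])  # a set: CAS logs the same failure twice (lock + WebUtils)
    return flows


def summarize(flows: Dict[str, SamlFlow]) -> Dict[str, int]:
    """Count flows per verdict; a 'cross-node' majority points at routing or a non-shared store."""
    return dict(Counter(f.verdict for f in flows.values()))


# Constructed sample. The SSO-leg INFO text is invented for this example (CAS's own wording
# differs); the Callback and ERROR records mirror the thread. Only ONELOGIN_5cf3... is real.
SAMPLE_LOG = """\
cas-0 2025-04-28 15:43:41,120 INFO [org.apereo.cas.support.saml.web.idp.profile.sso.SSOSamlIdPPostProfileHandlerController] - <Received SAML2 profile request [/idp/profile/SAML2/POST/SSO] for request id [ONELOGIN_5cf32d91b3c165b58055063640f22d0b9b50d1fe]>
cas-0 2025-04-28 15:43:42,300 INFO [org.apereo.cas.support.saml.web.idp.profile.sso.SSOSamlIdPPostProfileHandlerController] - <Received SAML2 profile request [/idp/profile/SAML2/POST/SSO] for request id [ONELOGIN_1111111111111111111111111111111111111111]>
cas-2 2025-04-28 15:43:43,010 INFO [org.apereo.cas.support.saml.web.idp.profile.sso.SSOSamlIdPPostProfileHandlerController] - <Received SAML2 profile request [/idp/profile/SAML2/Redirect/SSO] for request id [ONELOGIN_2222222222222222222222222222222222222222]>
cas-1 2025-04-28 15:43:50,009 INFO [org.apereo.cas.support.saml.web.idp.profile.AbstractSamlIdPProfileHandlerController] - <Received SAML2 callback profile request [/idp/profile/SAML2/Callback]>
cas-1 2025-04-28 15:43:50,011 ERROR [org.apereo.cas.util.concurrent.CasReentrantLock] - <SAML2 authentication
request cannot be determined from the CAS session store for request id
ONELOGIN_5cf32d91b3c165b58055063640f22d0b9b50d1fe.
This typically means that the original SAML2 authentication request that
was submitted to CAS via a SAML2 service provider
cannot be retrieved and restored after an authentication attempt.>
cas-1 2025-04-28 15:43:50,016 ERROR [org.apereo.cas.web.support.WebUtils] - <RootCasException(super=org.apereo.cas.support.saml.idp.MissingSamlAuthnRequestException: SAML2 authentication request cannot be determined from the CAS session store for request id ONELOGIN_5cf32d91b3c165b58055063640f22d0b9b50d1fe., code=MISSING_SAML_REQUEST)>
cas-0 2025-04-28 15:43:55,400 ERROR [org.apereo.cas.util.concurrent.CasReentrantLock] - <SAML2 authentication request cannot be determined from the CAS session store for request id ONELOGIN_1111111111111111111111111111111111111111.>
cas-2 2025-04-28 15:43:58,700 ERROR [org.apereo.cas.util.concurrent.CasReentrantLock] - <SAML2 authentication request cannot be determined from the CAS session store for request id ONELOGIN_3333333333333333333333333333333333333333.>
"""

if __name__ == "__main__":
    for flow in correlate(SAMPLE_LOG.splitlines()).values():
        print(f"{flow.request_id[:20]}... sso={flow.sso_node} failed_on={sorted(flow.failed_on)}"
              f" -> {flow.verdict}: {VERDICTS[flow.verdict]}")
```

Run it against the real aggregated log instead of `SAMPLE_LOG` (for example `correlate(open("cas-all-nodes.log"))`). If every failing flow comes back `cross-node`, the store configured by `cas.authn.saml-idp.core.session-storage-type` is not actually shared between the nodes (or the callback is routed without regard to where the request was stored); if the failures are `same-node`, the problem is in writing or reading that store itself and changing the storage type alone will not help.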