Hello,

I have a CAS 7.2.x WAR overlay. SAML authN seems broken in 7.2.4; it works in 
7.2.3. I have a simple Spring Boot client that uses SAML to authenticate 
against CAS as the server.

With 7.2.4, I am getting an Unauthorized App error when the client app sends a SAML 
AuthN request to CAS and redirects to the CAS URL. This works in 7.2.3.

I am listing the CAS logs for the two versions below. I debugged through 
the code; it is not obvious what the problem in the CAS code may be.

Thanks, 
Yan

Here is the log for 7.2.4, which failed with the unauthorized error.

>
2025-09-17 12:05:22,847 DEBUG [tomcat-handler-7] 
[org.apereo.cas.support.saml.SamlUtils] - 
<********************************************************************************>
2025-09-17 12:05:22,854 INFO [tomcat-handler-7] [PROTOCOL_MESSAGE] - <
============================================================
SAML org.opensaml.saml.saml2.core.impl.AuthnRequestImpl
============================================================
<?xml version="1.0" encoding="UTF-8"?><saml2p:AuthnRequest 
xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" 
AssertionConsumerServiceURL="https://localhost:8543/saml/SSO" 
Destination="https://localhost:8743/cas/idp/profile/SAML2/POST/SSO" 
ForceAuthn="false" ID="aehj5f5dbbg5i6i12df49c4gi38a84" IsPassive="false" 
IssueInstant="2025-09-17T16:05:20.416Z" 
ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" 
Version="2.0">
    <saml2:Issuer 
xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://localhost:8543/saml/metadata</saml2:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
..........
            </ds:X509Data>
        </ds:KeyInfo>
    </ds:Signature>
    <saml2p:NameIDPolicy 
Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"/>
</saml2p:AuthnRequest>

============================================================>
2025-09-17 12:05:22,929 DEBUG [tomcat-handler-7] [org.apereo.cas.support.saml.web.idp.profile.AbstractSamlIdPProfileHandlerController] - <Created service url [https://localhost:8743/cas/idp/profile/SAML2/Callback?srid=aehj5f5dbbg5i6i12df49c4gi38a84&entityId=https%3A%2F%2Flocalhost...]>
2025-09-17 12:05:22,931 DEBUG [tomcat-handler-7] [org.apereo.cas.support.saml.web.idp.profile.AbstractSamlIdPProfileHandlerController] - <Redirecting SAML authentication request to [https://localhost:8743/cas/login?service=https%3A%2F%2Flocalhost%3A8743%2Fcas%2Fidp%2Fprofile%2FSAML2%2FCallback%3Fsrid%3Daehj5f5dbbg5i6i12df49c4gi38a84%26entityId%3Dhttps%253A%252F%252Flocalhost%253A8543%252Fsaml%252Fmetadata]>
2025-09-17 12:05:22,931 DEBUG [tomcat-handler-7] [org.apereo.cas.support.saml.web.idp.profile.AbstractSamlIdPProfileHandlerController] - <Redirecting SAML authN request to [https://localhost:8743/cas/login?service=https%3A%2F%2Flocalhost%3A8743%2Fcas%2Fidp%2Fprofile%2FSAML2%2FCallback%3Fsrid%3Daehj5f5dbbg5i6i12df49c4gi38a84%26entityId%3Dhttps%253A%252F%252Flocalhost%253A8543%252Fsaml%252Fmetadata]>
2025-09-17 12:05:23,019 DEBUG [tomcat-handler-10] 
[org.apereo.cas.web.flow.CasFlowHandlerMapping] - <Mapped to 
[FlowHandlerMapping.DefaultFlowHandler@49ffbe04]>
2025-09-17 12:05:23,026 DEBUG [tomcat-handler-10] 
[org.apereo.cas.web.flow.CasFlowHandlerAdapter] - <Configuring CAS webflow 
execution plan...>
2025-09-17 12:05:23,103 INFO [scheduling-9] 
[org.apereo.cas.services.mgmt.AbstractServicesManager] - <Loaded [3] 
service(s) from cache [JsonServiceRegistry].>
2025-09-17 12:05:23,114 DEBUG [tomcat-handler-10] 
[org.apereo.cas.web.flow.configurer.AbstractCasMultifactorWebflowConfigurer] 
- <Unable to locate state definition [delegatedAuthentication] in flow 
[mfa-simple]>
2025-09-17 12:05:23,115 DEBUG [tomcat-handler-10] 
[org.apereo.cas.web.flow.configurer.AbstractCasWebflowConfigurer] - 
<[OidcWebflowConfigurer] could not find flow definition [account]. 
Available flow definition ids are [[clientredirect, login, logout, 
mfa-simple]]>
2025-09-17 12:05:23,330 DEBUG [tomcat-handler-10] 
[org.apereo.cas.web.flow.login.InitialFlowSetupAction] - <Setting path for 
cookies for warn cookie generator to: [/cas/]>
2025-09-17 12:05:23,330 DEBUG [tomcat-handler-10] 
[org.apereo.cas.web.flow.login.InitialFlowSetupAction] - <Setting path for 
cookies for TGC cookie generator to: [/cas/]>
2025-09-17 12:05:23,333 DEBUG [tomcat-handler-10] 
[org.apereo.cas.web.flow.login.InitialFlowSetupAction] - <Placing service 
in context scope: 
[https://localhost:8743/cas/idp/profile/SAML2/Callback?srid=aehj5f5dbbg5i6i12df49c4gi38a84&entityId=https%3A%2F%2Flocalhost%3A8543%2Fsaml%2Fmetadata]>
2025-09-17 12:05:23,342 WARN [tomcat-handler-10] [org.apereo.cas.services.RegisteredServiceAccessStrategyUtils] - <Unauthorized Service Access. Service [https://localhost:8743/cas/idp/profile/SAML2/Callback?srid=aehj5f5dbbg5i6i12df49c4gi38a84&entityId=https%3A%2F%2Flocalhost%3A8543%2Fsaml%2Fmetadata] is not registered in the service registry. Review the service access strategy to evaluate policies required for service access>

Here is the log for 7.2.3, which works fine.

2025-09-17 12:09:31,992 DEBUG [tomcat-handler-9] 
[org.apereo.cas.support.saml.SamlUtils] - <Logging 
[org.opensaml.saml.saml2.core.impl.AuthnRequestImpl]

[<?xml version="1.0" encoding="UTF-8"?><saml2p:AuthnRequest 
xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" 
AssertionConsumerServiceURL="https://localhost:8543/saml/SSO" 
Destination="https://localhost:8743/cas/idp/profile/SAML2/POST/SSO" 
ForceAuthn="false" ID="a5af4e8dia2h4216478632h1b086c6" IsPassive="false" 
IssueInstant="2025-09-17T16:09:27.741Z" 
ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" 
Version="2.0">
    <saml2:Issuer 
xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://localhost:8543/saml/metadata</saml2:Issuer>
.............
    </ds:Signature>
    <saml2p:NameIDPolicy 
Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"/>
</saml2p:AuthnRequest>
]

>
2025-09-17 12:09:31,992 DEBUG [tomcat-handler-9] 
[org.apereo.cas.support.saml.SamlUtils] - 
<********************************************************************************>
2025-09-17 12:09:32,001 INFO [tomcat-handler-9] [PROTOCOL_MESSAGE] - <
============================================================
SAML org.opensaml.saml.saml2.core.impl.AuthnRequestImpl
============================================================
<?xml version="1.0" encoding="UTF-8"?><saml2p:AuthnRequest 
xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" 
AssertionConsumerServiceURL="https://localhost:8543/saml/SSO" 
Destination="https://localhost:8743/cas/idp/profile/SAML2/POST/SSO" 
ForceAuthn="false" ID="a5af4e8dia2h4216478632h1b086c6" IsPassive="false" 
IssueInstant="2025-09-17T16:09:27.741Z" 
ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" 
Version="2.0">
    <saml2:Issuer 
xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://localhost:8543/saml/metadata</saml2:Issuer>
   ..........................
    
    <saml2p:NameIDPolicy 
Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"/>
</saml2p:AuthnRequest>

============================================================>
2025-09-17 12:09:32,070 DEBUG [tomcat-handler-9] [org.apereo.cas.support.saml.web.idp.profile.AbstractSamlIdPProfileHandlerController] - <Created service url [https://localhost:8743/cas/idp/profile/SAML2/Callback?srid=a5af4e8dia2h4216478632h1b086c6&entityId=https%3A%2F%2Flocalhost...]>
2025-09-17 12:09:32,072 DEBUG [tomcat-handler-9] [org.apereo.cas.support.saml.web.idp.profile.AbstractSamlIdPProfileHandlerController] - <Redirecting SAML authentication request to [https://localhost:8743/cas/login?service=https%3A%2F%2Flocalhost%3A8743%2Fcas%2Fidp%2Fprofile%2FSAML2%2FCallback%3Fsrid%3Da5af4e8dia2h4216478632h1b086c6%26entityId%3Dhttps%253A%252F%252Flocalhost%253A8543%252Fsaml%252Fmetadata]>
2025-09-17 12:09:32,072 DEBUG [tomcat-handler-9] [org.apereo.cas.support.saml.web.idp.profile.AbstractSamlIdPProfileHandlerController] - <Redirecting SAML authN request to [https://localhost:8743/cas/login?service=https%3A%2F%2Flocalhost%3A8743%2Fcas%2Fidp%2Fprofile%2FSAML2%2FCallback%3Fsrid%3Da5af4e8dia2h4216478632h1b086c6%26entityId%3Dhttps%253A%252F%252Flocalhost%253A8543%252Fsaml%252Fmetadata]>
2025-09-17 12:09:32,158 DEBUG [tomcat-handler-10] 
[org.apereo.cas.web.flow.CasFlowHandlerMapping] - <Mapped to 
[FlowHandlerMapping.DefaultFlowHandler@4830d7e2]>
2025-09-17 12:09:32,163 DEBUG [tomcat-handler-10] [org.apereo.cas.support.saml.services.idp.metadata.SamlRegisteredServiceMetadataAdaptor] - <Locating metadata for entityID [https://localhost:8543/saml/metadata] by attempting to run through the metadata chain...>
2025-09-17 12:09:32,165 DEBUG [tomcat-handler-10] [org.apereo.cas.support.saml.services.idp.metadata.cache.SamlRegisteredServiceDefaultCachingMetadataResolver] - <Resolving metadata for [samlsp] at [file:///D:/installedApps/tools/casconfig/sp-metadata/springsp_saml_metadata.xml]>
2025-09-17 12:09:32,165 DEBUG [tomcat-handler-10] [org.apereo.cas.support.saml.services.idp.metadata.cache.SamlRegisteredServiceDefaultCachingMetadataResolver] - <Locating cached metadata resolver using key [f9e5132b7e2b93144b67bb2a6fecf673b0f63d32a8fdf68b6677a3d1bc4e4e671e8dc67697d9e495825f94d1b078b229619cf145d485a241a91ef28cbfdb31d7] for service [samlsp]. Attempt [0]>
2025-09-17 12:09:32,166 DEBUG [tomcat-handler-10] [org.apereo.cas.support.saml.services.idp.metadata.SamlRegisteredServiceMetadataAdaptor] - <Resolved metadata chain from [file:///D:/installedApps/tools/casconfig/sp-metadata/springsp_saml_metadata.xml] using [org.opensaml.saml.metadata.resolver.ChainingMetadataResolver]. Filtering the chain by entity ID [https://localhost:8543/saml/metadata]>
2025-09-17 12:09:32,166 DEBUG [tomcat-handler-10] [org.apereo.cas.support.saml.services.idp.metadata.SamlRegisteredServiceMetadataAdaptor] - <Located SP SSODescriptor in metadata for [https://localhost:8543/saml/metadata]. Metadata is valid until [forever]>
2025-09-17 12:09:32,169 DEBUG [tomcat-handler-10] 
[org.apereo.cas.web.flow.CasFlowHandlerAdapter] - <Configuring CAS webflow 
execution plan...>
2025-09-17 12:09:32,245 INFO [scheduling-9] 
[org.apereo.cas.services.mgmt.AbstractServicesManager] - <Loaded [3] 
service(s) from cache [JsonServiceRegistry].>
2025-09-17 12:09:32,255 DEBUG [tomcat-handler-10] 
[org.apereo.cas.web.flow.configurer.AbstractCasMultifactorWebflowConfigurer] 
- <Unable to locate state definition [delegatedAuthentication] in flow 
[mfa-simple]>
2025-09-17 12:09:32,256 DEBUG [tomcat-handler-10] 
[org.apereo.cas.web.flow.configurer.AbstractCasWebflowConfigurer] - 
<[OidcWebflowConfigurer] could not find flow definition [account]. 
Available flow definition ids are [[clientredirect, login, logout, 
mfa-simple]]>
2025-09-17 12:09:32,454 DEBUG [tomcat-handler-10] 
[org.apereo.cas.web.flow.login.InitialFlowSetupAction] - <Setting path for 
cookies for warn cookie generator to: [/cas/]>
2025-09-17 12:09:32,454 DEBUG [tomcat-handler-10] 
[org.apereo.cas.web.flow.login.InitialFlowSetupAction] - <Setting path for 
cookies for TGC cookie generator to: [/cas/]>
2025-09-17 12:09:32,457 DEBUG [tomcat-handler-10] 
[org.apereo.cas.web.flow.login.InitialFlowSetupAction] - <Placing service 
in context scope: 
[https://localhost:8743/cas/idp/profile/SAML2/Callback?srid=a5af4e8dia2h4216478632h1b086c6&entityId=https%3A%2F%2Flocalhost%3A8543%2Fsaml%2Fmetadata]>
2025-09-17 12:09:32,459 DEBUG [tomcat-handler-10] [org.apereo.cas.support.saml.services.idp.metadata.SamlRegisteredServiceMetadataAdaptor] - <Locating metadata for entityID [https://localhost:8543/saml/metadata] by attempting to run through the metadata chain...>
2025-09-17 12:09:32,461 DEBUG [tomcat-handler-10] [org.apereo.cas.support.saml.services.idp.metadata.cache.SamlRegisteredServiceDefaultCachingMetadataResolver] - <Resolving metadata for [samlsp] at [file:///D:/installedApps/tools/casconfig/sp-metadata/springsp_saml_metadata.xml]>
2025-09-17 12:09:32,461 DEBUG [tomcat-handler-10] [org.apereo.cas.support.saml.services.idp.metadata.cache.SamlRegisteredServiceDefaultCachingMetadataResolver] - <Locating cached metadata resolver using key [f9e5132b7e2b93144b67bb2a6fecf673b0f63d32a8fdf68b6677a3d1bc4e4e671e8dc67697d9e495825f94d1b078b229619cf145d485a241a91ef28cbfdb31d7] for service [samlsp]. Attempt [0]>
2025-09-17 12:09:32,462 DEBUG [tomcat-handler-10] [org.apereo.cas.support.saml.services.idp.metadata.SamlRegisteredServiceMetadataAdaptor] - <Resolved metadata chain from [file:///D:/installedApps/tools/casconfig/sp-metadata/springsp_saml_metadata.xml] using [org.opensaml.saml.metadata.resolver.ChainingMetadataResolver]. Filtering the chain by entity ID [https://localhost:8543/saml/metadata]>
2025-09-17 12:09:32,462 DEBUG [tomcat-handler-10] [org.apereo.cas.support.saml.services.idp.metadata.SamlRegisteredServiceMetadataAdaptor] - <Located SP SSODescriptor in metadata for [https://localhost:8543/saml/metadata]. Metadata is valid until [forever]>
2025-09-17 12:09:32,465 DEBUG [tomcat-handler-10] [org.apereo.cas.support.saml.services.idp.metadata.SamlRegisteredServiceMetadataAdaptor] - <Locating metadata for entityID [https://localhost:8543/saml/metadata] by attempting to run through the metadata chain...>
2025-09-17 12:09:32,467 DEBUG [tomcat-handler-10] [org.apereo.cas.support.saml.services.idp.metadata.cache.SamlRegisteredServiceDefaultCachingMetadataResolver] - <Resolving metadata for [samlsp] at [file:///D:/installedApps/tools/casconfig/sp-metadata/springsp_saml_metadata.xml]>
2025-09-17 12:09:32,468 DEBUG [tomcat-handler-10] [org.apereo.cas.support.saml.services.idp.metadata.cache.SamlRegisteredServiceDefaultCachingMetadataResolver] - <Locating cached metadata resolver using key [f9e5132b7e2b93144b67bb2a6fecf673b0f63d32a8fdf68b6677a3d1bc4e4e671e8dc67697d9e495825f94d1b078b229619cf145d485a241a91ef28cbfdb31d7] for service [samlsp]. Attempt [0]>
2025-09-17 12:09:32,468 DEBUG [tomcat-handler-10] [org.apereo.cas.support.saml.services.idp.metadata.SamlRegisteredServiceMetadataAdaptor] - <Resolved metadata chain from [file:///D:/installedApps/tools/casconfig/sp-metadata/springsp_saml_metadata.xml] using [org.opensaml.saml.metadata.resolver.ChainingMetadataResolver]. Filtering the chain by entity ID [https://localhost:8543/saml/metadata]>
2025-09-17 12:09:32,468 DEBUG [tomcat-handler-10] [org.apereo.cas.support.saml.services.idp.metadata.SamlRegisteredServiceMetadataAdaptor] - <Located SP SSODescriptor in metadata for [https://localhost:8543/saml/metadata]. Metadata is valid until [forever]>
2025-09-17 12:09:32,468 DEBUG [tomcat-handler-10] [org.apereo.cas.web.flow.login.InitialFlowSetupAction] - <Placing registered service [https://localhost:8543/saml/metadata] with id [1003] in context scope>
2025-09-17 12:09:32,475 DEBUG [tomcat-handler-10] [org.apereo.cas.web.flow.authentication.RegisteredServiceAuthenticationPolicySingleSignOnParticipationStrategy] - <Evaluating authentication policy [DefaultRegisteredServiceAuthenticationPolicy(requiredAuthenticationHandlers=[], excludedAuthenticationHandlers=[], criteria=null)] for [samlsp]>
2025-09-17 12:09:32,870 DEBUG [tomcat-handler-10] 
[org.apereo.cas.web.flow.actions.DelegatedClientAuthenticationAction] - 
<Setting path for cookies for distributed session cookie generator to: 
[/cas/]>
2025-09-17 12:09:32,890 DEBUG [tomcat-handler-10] [org.apereo.cas.web.flow.resolver.impl.AbstractCasWebflowEventResolver] - <Resolved single event [success] via [org.apereo.cas.web.flow.resolver.impl.RankedMultifactorAuthenticationProviderWebflowEventResolver] for this context>
2025-09-17 12:09:32,895 INFO [tomcat-handler-10] 
[org.apereo.inspektr.audit.AuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHEN: 2025-09-17T16:09:32.894204900

-- 
- Website: https://apereo.github.io/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To view this discussion visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/bec40f12-552e-46cd-8bd3-483d650251b8n%40apereo.org.
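The two logs diverge at the point where the login webflow has to authorise the callback service: in 7.2.3 the flow resolves the SP entityID carried in the callback and places registered service [1003] in scope, while in 7.2.4 the raw callback URL is reported as "not registered". The following Python is an added triage example, not CAS code and not part of Yan's post. It parses the /cas/login redirect and the WARN line from the 7.2.4 log, checks that the srid correlates with the AuthnRequest ID, and shows that a lookup keyed on the full callback URL never hits a registry keyed on the SP entityID, whereas a lookup on the embedded entityId does. The registry entry and the condensed log excerpt are constructed from values visible in the logs above (name samlsp, id 1003, entityID, metadata file); the anchored-regex matching is an assumption for illustration and is not CAS's own service-matching logic.

```python
"""Triage helper for the CAS SAML2 'Unauthorized Service Access' symptom.

Added example, not CAS code. Parses the /cas/login redirect and the WARN line
from the logs and reports which lookup strategy would have found the SP.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Constructed registry entry, modelled on what the 7.2.3 log reports
# (service name [samlsp], id [1003], serviceId = SP entityID).
# Field names follow the SamlRegisteredService JSON style; the exact matching
# rules CAS applies internally are NOT reproduced here (assumption: anchored regex).
REGISTRY = [
    {
        "id": 1003,
        "name": "samlsp",
        "serviceId": "https://localhost:8543/saml/metadata",
        "metadataLocation": "file:///D:/installedApps/tools/casconfig/sp-metadata/springsp_saml_metadata.xml",
    }
]


def parse_login_redirect(login_url):
    """Split the /cas/login?service=... URL into callback, srid and entityId.

    The service parameter is URL-encoded once for /cas/login and the entityId
    inside it is encoded a second time, so two decode passes are needed.
    """
    service = parse_qs(urlsplit(login_url).query)["service"][0]  # first decode
    cb_params = parse_qs(urlsplit(service).query)                # second decode
    return {
        "callback": service,
        "srid": cb_params["srid"][0],
        "entityId": cb_params["entityId"][0],
    }


def match_by_raw_url(service_url, registry):
    """Look up a registry entry using the full callback URL (assumed anchored regex)."""
    for svc in registry:
        if re.fullmatch(svc["serviceId"], service_url):
            return svc
    return None


def match_by_entity_id(entity_id, registry):
    """Look up a SAML service by the SP entityID carried in the callback."""
    for svc in registry:
        if re.fullmatch(svc["serviceId"], entity_id):
            return svc
    return None


UNAUTH_RE = re.compile(r"Unauthorized Service Access\. Service \[([^\]]+)\]")
AUTHN_ID_RE = re.compile(r'<saml2p:AuthnRequest[^>]*\bID="([^"]+)"')


def triage(log_text, registry=REGISTRY):
    """Scan a CAS log excerpt and explain an 'Unauthorized Service Access' warning.

    Returns None when the warning is absent. Otherwise reports the decoded
    entityId and srid, whether the srid matches an AuthnRequest ID logged
    earlier, and which lookup strategy would have authorised the request.
    """
    m = UNAUTH_RE.search(log_text)
    if not m:
        return None
    callback = m.group(1)
    params = parse_qs(urlsplit(callback).query)
    entity_id = params["entityId"][0]
    srid = params["srid"][0]
    authn_ids = AUTHN_ID_RE.findall(log_text)
    return {
        "entityId": entity_id,
        "srid": srid,
        "srid_matches_authnrequest": srid in authn_ids,
        "raw_url_match": match_by_raw_url(callback, registry) is not None,
        "entity_id_match": (match_by_entity_id(entity_id, registry) or {}).get("id"),
    }


# Constructed excerpt condensed from the 7.2.4 log (line wrapping removed).
LOG_724 = """\
2025-09-17 12:05:22,854 INFO [tomcat-handler-7] [PROTOCOL_MESSAGE] - <
<saml2p:AuthnRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" AssertionConsumerServiceURL="https://localhost:8543/saml/SSO" Destination="https://localhost:8743/cas/idp/profile/SAML2/POST/SSO" ForceAuthn="false" ID="aehj5f5dbbg5i6i12df49c4gi38a84" IsPassive="false" Version="2.0">
2025-09-17 12:05:23,342 WARN [tomcat-handler-10] [org.apereo.cas.services.RegisteredServiceAccessStrategyUtils] - <Unauthorized Service Access. Service [https://localhost:8743/cas/idp/profile/SAML2/Callback?srid=aehj5f5dbbg5i6i12df49c4gi38a84&entityId=https%3A%2F%2Flocalhost%3A8543%2Fsaml%2Fmetadata] is not registered in the service registry. Review the service access strategy to evaluate policies required for service access>
"""

# The /cas/login redirect exactly as the 7.2.4 log prints it.
LOGIN_REDIRECT_724 = (
    "https://localhost:8743/cas/login?service=https%3A%2F%2Flocalhost%3A8743%2Fcas%2Fidp"
    "%2Fprofile%2FSAML2%2FCallback%3Fsrid%3Daehj5f5dbbg5i6i12df49c4gi38a84%26entityId%3D"
    "https%253A%252F%252Flocalhost%253A8543%252Fsaml%252Fmetadata"
)

if __name__ == "__main__":
    print(parse_login_redirect(LOGIN_REDIRECT_724))
    print(triage(LOG_724))
```

Run it against a longer log capture by passing the file contents to `triage()`; when the result shows `raw_url_match` False but `entity_id_match` set, the SP is registered correctly and the problem lies in how the callback service is being resolved against the registry, which is the difference visible between the two logs above. The srid check is worth keeping in any triage script: the `srid` in the callback is the AuthnRequest `ID`, so a mismatch would point at a replayed or mis-correlated request rather than a registry issue.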