This looks similar to what I encountered earlier and it affects "localhost" only. See another thread: SAML2 service 7.1.x and 7.2.x <https://groups.google.com/a/apereo.org/g/cas-user/c/k_8HqC91NXk>.
On Thursday, 18 September 2025 at 15:46:05 UTC-7 Yan Zhou wrote: > Hello, > > I have CAS 7.2.X war overlay, SAML authN seems broken in 7.2.4, it works > in 7.2.3. I have a simple Spring Boot client that uses SAML to authenticate > against CAS as server. > > With 7.2.4, i am getting Unauthorized App Error when Client app sends SAML > AuthN Request to CAS and redirect to CAS URL. this works in 7.2.3. > > I am listing CAS logs for the two different versions. I debugged through > the code, it does not seem obvious what maybe the problem in CAS code. > > Thanks, > Yan > > here is the log for 7.2.4, failed due to unauthorized error. > > > > 2025-09-17 12:05:22,847 DEBUG [tomcat-handler-7] > [org.apereo.cas.support.saml.SamlUtils] - > <********************************************************************************> > 2025-09-17 12:05:22,854 INFO [tomcat-handler-7] [PROTOCOL_MESSAGE] - < > ============================================================ > SAML org.opensaml.saml.saml2.core.impl.AuthnRequestImpl > ============================================================ > <?xml version="1.0" encoding="UTF-8"?><saml2p:AuthnRequest > xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" > AssertionConsumerServiceURL="https://localhost:8543/saml/SSO"; > Destination="https://localhost:8743/cas/idp/profile/SAML2/POST/SSO"; > ForceAuthn="false" ID="aehj5f5dbbg5i6i12df49c4gi38a84" IsPassive="false" > IssueInstant="2025-09-17T16:05:20.416Z" > ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" > Version="2.0"> > <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"> > https://localhost:8543/saml/metadata</saml2:Issuer> > <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#";> > .......... > </ds:X509Data> > </ds:KeyInfo> > </ds:Signature> > <saml2p:NameIDPolicy > Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"/> > </saml2p:AuthnRequest> > > ============================================================> > 2025-09-17 12:05:22,929 DEBUG [tomcat-handler-7] > [org.apereo.cas.support.saml.web.idp.profile.AbstractSamlIdPProfileHandlerController] > > - <Created service url [ > https://localhost:8743/cas/idp/profile/SAML2/Callback?srid=aehj5f5dbbg5i6i12df49c4gi38a84&entityId=https%3A%2F%2Flocalhost... > ]> > 2025-09-17 12:05:22,931 DEBUG [tomcat-handler-7] > [org.apereo.cas.support.saml.web.idp.profile.AbstractSamlIdPProfileHandlerController] > > - <Redirecting SAML authentication request to [ > https://localhost:8743/cas/login?service=https%3A%2F%2Flocalhost%3A8743%2Fcas%2Fidp%2Fprofile%2FSAML2%2FCallback%3Fsrid%3Daehj5f5dbbg5i6i12df49c4gi38a84%26entityId%3Dhttps%253A%252F%252Flocalhost%253A8543%252Fsaml%252Fmetadata > ]> > 2025-09-17 12:05:22,931 DEBUG [tomcat-handler-7] > [org.apereo.cas.support.saml.web.idp.profile.AbstractSamlIdPProfileHandlerController] > > - <Redirecting SAML authN request to [ > https://localhost:8743/cas/login?service=https%3A%2F%2Flocalhost%3A8743%2Fcas%2Fidp%2Fprofile%2FSAML2%2FCallback%3Fsrid%3Daehj5f5dbbg5i6i12df49c4gi38a84%26entityId%3Dhttps%253A%252F%252Flocalhost%253A8543%252Fsaml%252Fmetadata > ]> > 2025-09-17 12:05:23,019 DEBUG [tomcat-handler-10] > [org.apereo.cas.web.flow.CasFlowHandlerMapping] - <Mapped to > [FlowHandlerMapping.DefaultFlowHandler@49ffbe04]> > 2025-09-17 12:05:23,026 DEBUG [tomcat-handler-10] > [org.apereo.cas.web.flow.CasFlowHandlerAdapter] - <Configuring CAS webflow > execution plan...> > 2025-09-17 12:05:23,103 INFO [scheduling-9] > [org.apereo.cas.services.mgmt.AbstractServicesManager] - <Loaded [3] > service(s) from cache [JsonServiceRegistry].> > 2025-09-17 12:05:23,114 DEBUG [tomcat-handler-10] > [org.apereo.cas.web.flow.configurer.AbstractCasMultifactorWebflowConfigurer] > - <Unable to locate state definition [delegatedAuthentication] in flow > [mfa-simple]> > 2025-09-17 12:05:23,115 DEBUG [tomcat-handler-10] > [org.apereo.cas.web.flow.configurer.AbstractCasWebflowConfigurer] - > <[OidcWebflowConfigurer] could not find flow definition [account]. > Available flow definition ids are [[clientredirect, login, logout, > mfa-simple]]> > 2025-09-17 12:05:23,330 DEBUG [tomcat-handler-10] > [org.apereo.cas.web.flow.login.InitialFlowSetupAction] - <Setting path for > cookies for warn cookie generator to: [/cas/]> > 2025-09-17 12:05:23,330 DEBUG [tomcat-handler-10] > [org.apereo.cas.web.flow.login.InitialFlowSetupAction] - <Setting path for > cookies for TGC cookie generator to: [/cas/]> > 2025-09-17 12:05:23,333 DEBUG [tomcat-handler-10] > [org.apereo.cas.web.flow.login.InitialFlowSetupAction] - <Placing service > in context scope: [ > https://localhost:8743/cas/idp/profile/SAML2/Callback?srid=aehj5f5dbbg5i6i12df49c4gi38a84&entityId=https%3A%2F%2Flocalhost%3A8543%2Fsaml%2Fmetadata > ]> > 2025-09-17 12:05:23,342 WARN [tomcat-handler-10] > [org.apereo.cas.services.RegisteredServiceAccessStrategyUtils] - > <Unauthorized Service Access. Service [ > https://localhost:8743/cas/idp/profile/SAML2/Callback?srid=aehj5f5dbbg5i6i12df49c4gi38a84&entityId=https%3A%2F%2Flocalhost%3A8543%2Fsaml%2Fmetadata] > > is not registered in the service registry. Review the service access > strategy to evaluate policies required for service access> > > here is the log for 7.2.3, working fine. > > 2025-09-17 12:09:31,992 DEBUG [tomcat-handler-9] > [org.apereo.cas.support.saml.SamlUtils] - <Logging > [org.opensaml.saml.saml2.core.impl.AuthnRequestImpl] > > [<?xml version="1.0" encoding="UTF-8"?><saml2p:AuthnRequest > xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" > AssertionConsumerServiceURL="https://localhost:8543/saml/SSO"; > Destination="https://localhost:8743/cas/idp/profile/SAML2/POST/SSO"; > ForceAuthn="false" ID="a5af4e8dia2h4216478632h1b086c6" IsPassive="false" > IssueInstant="2025-09-17T16:09:27.741Z" > ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" > Version="2.0"> > <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"> > https://localhost:8543/saml/metadata</saml2:Issuer> > ............. > </ds:Signature> > <saml2p:NameIDPolicy > Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"/> > </saml2p:AuthnRequest> > ] > > > > 2025-09-17 12:09:31,992 DEBUG [tomcat-handler-9] > [org.apereo.cas.support.saml.SamlUtils] - > <********************************************************************************> > 2025-09-17 12:09:32,001 INFO [tomcat-handler-9] [PROTOCOL_MESSAGE] - < > ============================================================ > SAML org.opensaml.saml.saml2.core.impl.AuthnRequestImpl > ============================================================ > <?xml version="1.0" encoding="UTF-8"?><saml2p:AuthnRequest > xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" > AssertionConsumerServiceURL="https://localhost:8543/saml/SSO"; > Destination="https://localhost:8743/cas/idp/profile/SAML2/POST/SSO"; > ForceAuthn="false" ID="a5af4e8dia2h4216478632h1b086c6" IsPassive="false" > IssueInstant="2025-09-17T16:09:27.741Z" > ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" > Version="2.0"> > <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"> > https://localhost:8543/saml/metadata</saml2:Issuer> > .......................... > > <saml2p:NameIDPolicy > Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"/> > </saml2p:AuthnRequest> > > ============================================================> > 2025-09-17 12:09:32,070 DEBUG [tomcat-handler-9] > [org.apereo.cas.support.saml.web.idp.profile.AbstractSamlIdPProfileHandlerController] > > - <Created service url [ > https://localhost:8743/cas/idp/profile/SAML2/Callback?srid=a5af4e8dia2h4216478632h1b086c6&entityId=https%3A%2F%2Flocalhost... > ]> > 2025-09-17 12:09:32,072 DEBUG [tomcat-handler-9] > [org.apereo.cas.support.saml.web.idp.profile.AbstractSamlIdPProfileHandlerController] > > - <Redirecting SAML authentication request to [ > https://localhost:8743/cas/login?service=https%3A%2F%2Flocalhost%3A8743%2Fcas%2Fidp%2Fprofile%2FSAML2%2FCallback%3Fsrid%3Da5af4e8dia2h4216478632h1b086c6%26entityId%3Dhttps%253A%252F%252Flocalhost%253A8543%252Fsaml%252Fmetadata > ]> > 2025-09-17 12:09:32,072 DEBUG [tomcat-handler-9] > [org.apereo.cas.support.saml.web.idp.profile.AbstractSamlIdPProfileHandlerController] > > - <Redirecting SAML authN request to [ > https://localhost:8743/cas/login?service=https%3A%2F%2Flocalhost%3A8743%2Fcas%2Fidp%2Fprofile%2FSAML2%2FCallback%3Fsrid%3Da5af4e8dia2h4216478632h1b086c6%26entityId%3Dhttps%253A%252F%252Flocalhost%253A8543%252Fsaml%252Fmetadata > ]> > 2025-09-17 12:09:32,158 DEBUG [tomcat-handler-10] > [org.apereo.cas.web.flow.CasFlowHandlerMapping] - <Mapped to > [FlowHandlerMapping.DefaultFlowHandler@4830d7e2]> > 2025-09-17 12:09:32,163 DEBUG [tomcat-handler-10] > [org.apereo.cas.support.saml.services.idp.metadata.SamlRegisteredServiceMetadataAdaptor] > > - <Locating metadata for entityID [https://localhost:8543/saml/metadata] > by attempting to run through the metadata chain...> > 2025-09-17 12:09:32,165 DEBUG [tomcat-handler-10] > [org.apereo.cas.support.saml.services.idp.metadata.cache.SamlRegisteredServiceDefaultCachingMetadataResolver] > > - <Resolving metadata for [samlsp] at > [file:///D:/installedApps/tools/casconfig/sp-metadata/springsp_saml_metadata.xml]> > 2025-09-17 12:09:32,165 DEBUG [tomcat-handler-10] > [org.apereo.cas.support.saml.services.idp.metadata.cache.SamlRegisteredServiceDefaultCachingMetadataResolver] > > - <Locating cached metadata resolver using key > [f9e5132b7e2b93144b67bb2a6fecf673b0f63d32a8fdf68b6677a3d1bc4e4e671e8dc67697d9e495825f94d1b078b229619cf145d485a241a91ef28cbfdb31d7] > > for service [samlsp]. Attempt [0]> > 2025-09-17 12:09:32,166 DEBUG [tomcat-handler-10] > [org.apereo.cas.support.saml.services.idp.metadata.SamlRegisteredServiceMetadataAdaptor] > > - <Resolved metadata chain from > [file:///D:/installedApps/tools/casconfig/sp-metadata/springsp_saml_metadata.xml] > > using [org.opensaml.saml.metadata.resolver.ChainingMetadataResolver]. > Filtering the chain by entity ID [https://localhost:8543/saml/metadata]> > 2025-09-17 12:09:32,166 DEBUG [tomcat-handler-10] > [org.apereo.cas.support.saml.services.idp.metadata.SamlRegisteredServiceMetadataAdaptor] > > - <Located SP SSODescriptor in metadata for [ > https://localhost:8543/saml/metadata]. Metadata is valid until [forever]> > 2025-09-17 12:09:32,169 DEBUG [tomcat-handler-10] > [org.apereo.cas.web.flow.CasFlowHandlerAdapter] - <Configuring CAS webflow > execution plan...> > 2025-09-17 12:09:32,245 INFO [scheduling-9] > [org.apereo.cas.services.mgmt.AbstractServicesManager] - <Loaded [3] > service(s) from cache [JsonServiceRegistry].> > 2025-09-17 12:09:32,255 DEBUG [tomcat-handler-10] > [org.apereo.cas.web.flow.configurer.AbstractCasMultifactorWebflowConfigurer] > - <Unable to locate state definition [delegatedAuthentication] in flow > [mfa-simple]> > 2025-09-17 12:09:32,256 DEBUG [tomcat-handler-10] > [org.apereo.cas.web.flow.configurer.AbstractCasWebflowConfigurer] - > <[OidcWebflowConfigurer] could not find flow definition [account]. > Available flow definition ids are [[clientredirect, login, logout, > mfa-simple]]> > 2025-09-17 12:09:32,454 DEBUG [tomcat-handler-10] > [org.apereo.cas.web.flow.login.InitialFlowSetupAction] - <Setting path for > cookies for warn cookie generator to: [/cas/]> > 2025-09-17 12:09:32,454 DEBUG [tomcat-handler-10] > [org.apereo.cas.web.flow.login.InitialFlowSetupAction] - <Setting path for > cookies for TGC cookie generator to: [/cas/]> > 2025-09-17 12:09:32,457 DEBUG [tomcat-handler-10] > [org.apereo.cas.web.flow.login.InitialFlowSetupAction] - <Placing service > in context scope: [ > https://localhost:8743/cas/idp/profile/SAML2/Callback?srid=a5af4e8dia2h4216478632h1b086c6&entityId=https%3A%2F%2Flocalhost%3A8543%2Fsaml%2Fmetadata > ]> > 2025-09-17 12:09:32,459 DEBUG [tomcat-handler-10] > [org.apereo.cas.support.saml.services.idp.metadata.SamlRegisteredServiceMetadataAdaptor] > > - <Locating metadata for entityID [https://localhost:8543/saml/metadata] > by attempting to run through the metadata chain...> > 2025-09-17 12:09:32,461 DEBUG [tomcat-handler-10] > [org.apereo.cas.support.saml.services.idp.metadata.cache.SamlRegisteredServiceDefaultCachingMetadataResolver] > > - <Resolving metadata for [samlsp] at > [file:///D:/installedApps/tools/casconfig/sp-metadata/springsp_saml_metadata.xml]> > 2025-09-17 12:09:32,461 DEBUG [tomcat-handler-10] > [org.apereo.cas.support.saml.services.idp.metadata.cache.SamlRegisteredServiceDefaultCachingMetadataResolver] > > - <Locating cached metadata resolver using key > [f9e5132b7e2b93144b67bb2a6fecf673b0f63d32a8fdf68b6677a3d1bc4e4e671e8dc67697d9e495825f94d1b078b229619cf145d485a241a91ef28cbfdb31d7] > > for service [samlsp]. Attempt [0]> > 2025-09-17 12:09:32,462 DEBUG [tomcat-handler-10] > [org.apereo.cas.support.saml.services.idp.metadata.SamlRegisteredServiceMetadataAdaptor] > > - <Resolved metadata chain from > [file:///D:/installedApps/tools/casconfig/sp-metadata/springsp_saml_metadata.xml] > > using [org.opensaml.saml.metadata.resolver.ChainingMetadataResolver]. > Filtering the chain by entity ID [https://localhost:8543/saml/metadata]> > 2025-09-17 12:09:32,462 DEBUG [tomcat-handler-10] > [org.apereo.cas.support.saml.services.idp.metadata.SamlRegisteredServiceMetadataAdaptor] > > - <Located SP SSODescriptor in metadata for [ > https://localhost:8543/saml/metadata]. Metadata is valid until [forever]> > 2025-09-17 12:09:32,465 DEBUG [tomcat-handler-10] > [org.apereo.cas.support.saml.services.idp.metadata.SamlRegisteredServiceMetadataAdaptor] > > - <Locating metadata for entityID [https://localhost:8543/saml/metadata] > by attempting to run through the metadata chain...> > 2025-09-17 12:09:32,467 DEBUG [tomcat-handler-10] > [org.apereo.cas.support.saml.services.idp.metadata.cache.SamlRegisteredServiceDefaultCachingMetadataResolver] > > - <Resolving metadata for [samlsp] at > [file:///D:/installedApps/tools/casconfig/sp-metadata/springsp_saml_metadata.xml]> > 2025-09-17 12:09:32,468 DEBUG [tomcat-handler-10] > [org.apereo.cas.support.saml.services.idp.metadata.cache.SamlRegisteredServiceDefaultCachingMetadataResolver] > > - <Locating cached metadata resolver using key > [f9e5132b7e2b93144b67bb2a6fecf673b0f63d32a8fdf68b6677a3d1bc4e4e671e8dc67697d9e495825f94d1b078b229619cf145d485a241a91ef28cbfdb31d7] > > for service [samlsp]. Attempt [0]> > 2025-09-17 12:09:32,468 DEBUG [tomcat-handler-10] > [org.apereo.cas.support.saml.services.idp.metadata.SamlRegisteredServiceMetadataAdaptor] > > - <Resolved metadata chain from > [file:///D:/installedApps/tools/casconfig/sp-metadata/springsp_saml_metadata.xml] > > using [org.opensaml.saml.metadata.resolver.ChainingMetadataResolver]. > Filtering the chain by entity ID [https://localhost:8543/saml/metadata]> > 2025-09-17 12:09:32,468 DEBUG [tomcat-handler-10] > [org.apereo.cas.support.saml.services.idp.metadata.SamlRegisteredServiceMetadataAdaptor] > > - <Located SP SSODescriptor in metadata for [ > https://localhost:8543/saml/metadata]. Metadata is valid until [forever]> > 2025-09-17 12:09:32,468 DEBUG [tomcat-handler-10] > [org.apereo.cas.web.flow.login.InitialFlowSetupAction] - <Placing > registered service [https://localhost:8543/saml/metadata] with id [1003] > in context scope> > 2025-09-17 12:09:32,475 DEBUG [tomcat-handler-10] > [org.apereo.cas.web.flow.authentication.RegisteredServiceAuthenticationPolicySingleSignOnParticipationStrategy] > > - <Evaluating authentication policy > [DefaultRegisteredServiceAuthenticationPolicy(requiredAuthenticationHandlers=[], > > excludedAuthenticationHandlers=[], criteria=null)] for [samlsp]> > 2025-09-17 12:09:32,870 DEBUG [tomcat-handler-10] > [org.apereo.cas.web.flow.actions.DelegatedClientAuthenticationAction] - > <Setting path for cookies for distributed session cookie generator to: > [/cas/]> > 2025-09-17 12:09:32,890 DEBUG [tomcat-handler-10] > [org.apereo.cas.web.flow.resolver.impl.AbstractCasWebflowEventResolver] - > <Resolved single event [success] via > [org.apereo.cas.web.flow.resolver.impl.RankedMultifactorAuthenticationProviderWebflowEventResolver] > > for this context> > 2025-09-17 12:09:32,895 INFO [tomcat-handler-10] > [org.apereo.inspektr.audit.AuditTrailManager] - <Audit trail record BEGIN > ============================================================= > WHEN: 2025-09-17T16:09:32.894204900 > -- - Website: https://apereo.github.io/cas - List Guidelines: https://goo.gl/1VRrw7 - Contributions: https://goo.gl/mh7qDG --- You received this message because you are subscribed to the Google Groups "CAS Community" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/67624c49-9460-4ccb-9cde-df416fc555a6n%40apereo.org.
