Adding this config seems to make it work with localhost: (I tested with 7.2.7) cas.http-client.allow-local-urls: true
On Sunday, 5 October 2025 at 19:20:20 UTC-4 Yan wrote:
> Hi,
>
> thx so much! That pointed me to the right direction.
>
> Yan
>
> On Wed, Sep 24, 2025 at 1:49 PM Agus Santosa <[email protected]> wrote:
>
>> This looks similar to what I encountered earlier and it affects "localhost" only.
>> See another thread: SAML2 service 7.1.x and 7.2.x
>> <https://groups.google.com/a/apereo.org/g/cas-user/c/k_8HqC91NXk>.
>>
>> On Thursday, 18 September 2025 at 15:46:05 UTC-7 Yan Zhou wrote:
>>
>>> Hello,
>>>
>>> I have a CAS 7.2.X war overlay. SAML authN seems broken in 7.2.4; it works in 7.2.3. I have a simple Spring Boot client that uses SAML to authenticate against CAS as server.
>>>
>>> With 7.2.4, I am getting an Unauthorized App Error when the client app sends a SAML AuthN Request to CAS and redirects to the CAS URL. This works in 7.2.3.
>>>
>>> I am listing CAS logs for the two different versions. I debugged through the code; it does not seem obvious what may be the problem in the CAS code.
>>>
>>> Thanks,
>>> Yan
>>>
>>> Here is the log for 7.2.4, which failed due to the unauthorized error.
>>>
>>> 2025-09-17 12:05:22,847 DEBUG [tomcat-handler-7] [org.apereo.cas.support.saml.SamlUtils] - <********************************************************************************>
>>> 2025-09-17 12:05:22,854 INFO [tomcat-handler-7] [PROTOCOL_MESSAGE] - <
>>> ============================================================
>>> SAML org.opensaml.saml.saml2.core.impl.AuthnRequestImpl
>>> ============================================================
>>> <?xml version="1.0" encoding="UTF-8"?><saml2p:AuthnRequest
>>> xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
>>> AssertionConsumerServiceURL="https://localhost:8543/saml/SSO"
>>> Destination="https://localhost:8743/cas/idp/profile/SAML2/POST/SSO"
>>> ForceAuthn="false" ID="aehj5f5dbbg5i6i12df49c4gi38a84" IsPassive="false"
>>> IssueInstant="2025-09-17T16:05:20.416Z"
>>> ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
>>> Version="2.0">
>>> <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://localhost:8543/saml/metadata</saml2:Issuer>
>>> <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
>>> ..........
>>> </ds:X509Data>
>>> </ds:KeyInfo>
>>> </ds:Signature>
>>> <saml2p:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"/>
>>> </saml2p:AuthnRequest>
>>>
>>> ============================================================>
>>> 2025-09-17 12:05:22,929 DEBUG [tomcat-handler-7] [org.apereo.cas.support.saml.web.idp.profile.AbstractSamlIdPProfileHandlerController] - <Created service url [https://localhost:8743/cas/idp/profile/SAML2/Callback?srid=aehj5f5dbbg5i6i12df49c4gi38a84&entityId=https%3A%2F%2Flocalhost...]>
>>> 2025-09-17 12:05:22,931 DEBUG [tomcat-handler-7] [org.apereo.cas.support.saml.web.idp.profile.AbstractSamlIdPProfileHandlerController] - <Redirecting SAML authentication request to [https://localhost:8743/cas/login?service=https%3A%2F%2Flocalhost%3A8743%2Fcas%2Fidp%2Fprofile%2FSAML2%2FCallback%3Fsrid%3Daehj5f5dbbg5i6i12df49c4gi38a84%26entityId%3Dhttps%253A%252F%252Flocalhost%253A8543%252Fsaml%252Fmetadata]>
>>> 2025-09-17 12:05:22,931 DEBUG [tomcat-handler-7] [org.apereo.cas.support.saml.web.idp.profile.AbstractSamlIdPProfileHandlerController] - <Redirecting SAML authN request to [https://localhost:8743/cas/login?service=https%3A%2F%2Flocalhost%3A8743%2Fcas%2Fidp%2Fprofile%2FSAML2%2FCallback%3Fsrid%3Daehj5f5dbbg5i6i12df49c4gi38a84%26entityId%3Dhttps%253A%252F%252Flocalhost%253A8543%252Fsaml%252Fmetadata]>
>>> 2025-09-17 12:05:23,019 DEBUG [tomcat-handler-10] [org.apereo.cas.web.flow.CasFlowHandlerMapping] - <Mapped to [FlowHandlerMapping.DefaultFlowHandler@49ffbe04]>
>>> 2025-09-17 12:05:23,026 DEBUG [tomcat-handler-10] [org.apereo.cas.web.flow.CasFlowHandlerAdapter] - <Configuring CAS webflow execution plan...>
>>> 2025-09-17 12:05:23,103 INFO [scheduling-9] [org.apereo.cas.services.mgmt.AbstractServicesManager] - <Loaded [3] service(s) from cache [JsonServiceRegistry].>
>>> 2025-09-17 12:05:23,114 DEBUG [tomcat-handler-10] [org.apereo.cas.web.flow.configurer.AbstractCasMultifactorWebflowConfigurer] - <Unable to locate state definition [delegatedAuthentication] in flow [mfa-simple]>
>>> 2025-09-17 12:05:23,115 DEBUG [tomcat-handler-10] [org.apereo.cas.web.flow.configurer.AbstractCasWebflowConfigurer] - <[OidcWebflowConfigurer] could not find flow definition [account]. Available flow definition ids are [[clientredirect, login, logout, mfa-simple]]>
>>> 2025-09-17 12:05:23,330 DEBUG [tomcat-handler-10] [org.apereo.cas.web.flow.login.InitialFlowSetupAction] - <Setting path for cookies for warn cookie generator to: [/cas/]>
>>> 2025-09-17 12:05:23,330 DEBUG [tomcat-handler-10] [org.apereo.cas.web.flow.login.InitialFlowSetupAction] - <Setting path for cookies for TGC cookie generator to: [/cas/]>
>>> 2025-09-17 12:05:23,333 DEBUG [tomcat-handler-10] [org.apereo.cas.web.flow.login.InitialFlowSetupAction] - <Placing service in context scope: [https://localhost:8743/cas/idp/profile/SAML2/Callback?srid=aehj5f5dbbg5i6i12df49c4gi38a84&entityId=https%3A%2F%2Flocalhost%3A8543%2Fsaml%2Fmetadata]>
>>> 2025-09-17 12:05:23,342 WARN [tomcat-handler-10] [org.apereo.cas.services.RegisteredServiceAccessStrategyUtils] - <Unauthorized Service Access. Service [https://localhost:8743/cas/idp/profile/SAML2/Callback?srid=aehj5f5dbbg5i6i12df49c4gi38a84&entityId=https%3A%2F%2Flocalhost%3A8543%2Fsaml%2Fmetadata] is not registered in the service registry. Review the service access strategy to evaluate policies required for service access>
>>>
>>> Here is the log for 7.2.3, working fine.
>>>
>>> 2025-09-17 12:09:31,992 DEBUG [tomcat-handler-9] [org.apereo.cas.support.saml.SamlUtils] - <Logging [org.opensaml.saml.saml2.core.impl.AuthnRequestImpl]
>>> [<?xml version="1.0" encoding="UTF-8"?><saml2p:AuthnRequest
>>> xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
>>> AssertionConsumerServiceURL="https://localhost:8543/saml/SSO"
>>> Destination="https://localhost:8743/cas/idp/profile/SAML2/POST/SSO"
>>> ForceAuthn="false" ID="a5af4e8dia2h4216478632h1b086c6" IsPassive="false"
>>> IssueInstant="2025-09-17T16:09:27.741Z"
>>> ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
>>> Version="2.0">
>>> <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://localhost:8543/saml/metadata</saml2:Issuer>
>>> .............
>>> </ds:Signature>
>>> <saml2p:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"/>
>>> </saml2p:AuthnRequest>
>>> ]
>>>
>>> 2025-09-17 12:09:31,992 DEBUG [tomcat-handler-9] [org.apereo.cas.support.saml.SamlUtils] - <********************************************************************************>
>>> 2025-09-17 12:09:32,001 INFO [tomcat-handler-9] [PROTOCOL_MESSAGE] - <
>>> ============================================================
>>> SAML org.opensaml.saml.saml2.core.impl.AuthnRequestImpl
>>> ============================================================
>>> <?xml version="1.0" encoding="UTF-8"?><saml2p:AuthnRequest
>>> xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
>>> AssertionConsumerServiceURL="https://localhost:8543/saml/SSO"
>>> Destination="https://localhost:8743/cas/idp/profile/SAML2/POST/SSO"
>>> ForceAuthn="false" ID="a5af4e8dia2h4216478632h1b086c6" IsPassive="false"
>>> IssueInstant="2025-09-17T16:09:27.741Z"
>>> ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
>>> Version="2.0">
>>> <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://localhost:8543/saml/metadata</saml2:Issuer>
>>> ..........................
>>> <saml2p:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"/>
>>> </saml2p:AuthnRequest>
>>>
>>> ============================================================>
>>> 2025-09-17 12:09:32,070 DEBUG [tomcat-handler-9] [org.apereo.cas.support.saml.web.idp.profile.AbstractSamlIdPProfileHandlerController] - <Created service url [https://localhost:8743/cas/idp/profile/SAML2/Callback?srid=a5af4e8dia2h4216478632h1b086c6&entityId=https%3A%2F%2Flocalhost...]>
>>> 2025-09-17 12:09:32,072 DEBUG [tomcat-handler-9] [org.apereo.cas.support.saml.web.idp.profile.AbstractSamlIdPProfileHandlerController] - <Redirecting SAML authentication request to [https://localhost:8743/cas/login?service=https%3A%2F%2Flocalhost%3A8743%2Fcas%2Fidp%2Fprofile%2FSAML2%2FCallback%3Fsrid%3Da5af4e8dia2h4216478632h1b086c6%26entityId%3Dhttps%253A%252F%252Flocalhost%253A8543%252Fsaml%252Fmetadata]>
>>> 2025-09-17 12:09:32,072 DEBUG [tomcat-handler-9] [org.apereo.cas.support.saml.web.idp.profile.AbstractSamlIdPProfileHandlerController] - <Redirecting SAML authN request to [https://localhost:8743/cas/login?service=https%3A%2F%2Flocalhost%3A8743%2Fcas%2Fidp%2Fprofile%2FSAML2%2FCallback%3Fsrid%3Da5af4e8dia2h4216478632h1b086c6%26entityId%3Dhttps%253A%252F%252Flocalhost%253A8543%252Fsaml%252Fmetadata]>
>>> 2025-09-17 12:09:32,158 DEBUG [tomcat-handler-10] [org.apereo.cas.web.flow.CasFlowHandlerMapping] - <Mapped to [FlowHandlerMapping.DefaultFlowHandler@4830d7e2]>
>>> 2025-09-17 12:09:32,163 DEBUG [tomcat-handler-10] [org.apereo.cas.support.saml.services.idp.metadata.SamlRegisteredServiceMetadataAdaptor] - <Locating metadata for entityID [https://localhost:8543/saml/metadata] by attempting to run through the metadata chain...>
>>> 2025-09-17 12:09:32,165 DEBUG [tomcat-handler-10] [org.apereo.cas.support.saml.services.idp.metadata.cache.SamlRegisteredServiceDefaultCachingMetadataResolver] - <Resolving metadata for [samlsp] at [file:///D:/installedApps/tools/casconfig/sp-metadata/springsp_saml_metadata.xml]>
>>> 2025-09-17 12:09:32,165 DEBUG [tomcat-handler-10] [org.apereo.cas.support.saml.services.idp.metadata.cache.SamlRegisteredServiceDefaultCachingMetadataResolver] - <Locating cached metadata resolver using key [f9e5132b7e2b93144b67bb2a6fecf673b0f63d32a8fdf68b6677a3d1bc4e4e671e8dc67697d9e495825f94d1b078b229619cf145d485a241a91ef28cbfdb31d7] for service [samlsp]. Attempt [0]>
>>> 2025-09-17 12:09:32,166 DEBUG [tomcat-handler-10] [org.apereo.cas.support.saml.services.idp.metadata.SamlRegisteredServiceMetadataAdaptor] - <Resolved metadata chain from [file:///D:/installedApps/tools/casconfig/sp-metadata/springsp_saml_metadata.xml] using [org.opensaml.saml.metadata.resolver.ChainingMetadataResolver]. Filtering the chain by entity ID [https://localhost:8543/saml/metadata]>
>>> 2025-09-17 12:09:32,166 DEBUG [tomcat-handler-10] [org.apereo.cas.support.saml.services.idp.metadata.SamlRegisteredServiceMetadataAdaptor] - <Located SP SSODescriptor in metadata for [https://localhost:8543/saml/metadata]. Metadata is valid until [forever]>
>>> 2025-09-17 12:09:32,169 DEBUG [tomcat-handler-10] [org.apereo.cas.web.flow.CasFlowHandlerAdapter] - <Configuring CAS webflow execution plan...>
>>> 2025-09-17 12:09:32,245 INFO [scheduling-9] [org.apereo.cas.services.mgmt.AbstractServicesManager] - <Loaded [3] service(s) from cache [JsonServiceRegistry].>
>>> 2025-09-17 12:09:32,255 DEBUG [tomcat-handler-10] [org.apereo.cas.web.flow.configurer.AbstractCasMultifactorWebflowConfigurer] - <Unable to locate state definition [delegatedAuthentication] in flow [mfa-simple]>
>>> 2025-09-17 12:09:32,256 DEBUG [tomcat-handler-10] [org.apereo.cas.web.flow.configurer.AbstractCasWebflowConfigurer] - <[OidcWebflowConfigurer] could not find flow definition [account]. Available flow definition ids are [[clientredirect, login, logout, mfa-simple]]>
>>> 2025-09-17 12:09:32,454 DEBUG [tomcat-handler-10] [org.apereo.cas.web.flow.login.InitialFlowSetupAction] - <Setting path for cookies for warn cookie generator to: [/cas/]>
>>> 2025-09-17 12:09:32,454 DEBUG [tomcat-handler-10] [org.apereo.cas.web.flow.login.InitialFlowSetupAction] - <Setting path for cookies for TGC cookie generator to: [/cas/]>
>>> 2025-09-17 12:09:32,457 DEBUG [tomcat-handler-10] [org.apereo.cas.web.flow.login.InitialFlowSetupAction] - <Placing service in context scope: [https://localhost:8743/cas/idp/profile/SAML2/Callback?srid=a5af4e8dia2h4216478632h1b086c6&entityId=https%3A%2F%2Flocalhost%3A8543%2Fsaml%2Fmetadata]>
>>> 2025-09-17 12:09:32,459 DEBUG [tomcat-handler-10] [org.apereo.cas.support.saml.services.idp.metadata.SamlRegisteredServiceMetadataAdaptor] - <Locating metadata for entityID [https://localhost:8543/saml/metadata] by attempting to run through the metadata chain...>
>>> 2025-09-17 12:09:32,461 DEBUG [tomcat-handler-10] [org.apereo.cas.support.saml.services.idp.metadata.cache.SamlRegisteredServiceDefaultCachingMetadataResolver] - <Resolving metadata for [samlsp] at [file:///D:/installedApps/tools/casconfig/sp-metadata/springsp_saml_metadata.xml]>
>>> 2025-09-17 12:09:32,461 DEBUG [tomcat-handler-10] [org.apereo.cas.support.saml.services.idp.metadata.cache.SamlRegisteredServiceDefaultCachingMetadataResolver] - <Locating cached metadata resolver using key [f9e5132b7e2b93144b67bb2a6fecf673b0f63d32a8fdf68b6677a3d1bc4e4e671e8dc67697d9e495825f94d1b078b229619cf145d485a241a91ef28cbfdb31d7] for service [samlsp]. Attempt [0]>
>>> 2025-09-17 12:09:32,462 DEBUG [tomcat-handler-10] [org.apereo.cas.support.saml.services.idp.metadata.SamlRegisteredServiceMetadataAdaptor] - <Resolved metadata chain from [file:///D:/installedApps/tools/casconfig/sp-metadata/springsp_saml_metadata.xml] using [org.opensaml.saml.metadata.resolver.ChainingMetadataResolver]. Filtering the chain by entity ID [https://localhost:8543/saml/metadata]>
>>> 2025-09-17 12:09:32,462 DEBUG [tomcat-handler-10] [org.apereo.cas.support.saml.services.idp.metadata.SamlRegisteredServiceMetadataAdaptor] - <Located SP SSODescriptor in metadata for [https://localhost:8543/saml/metadata]. Metadata is valid until [forever]>
>>> 2025-09-17 12:09:32,465 DEBUG [tomcat-handler-10] [org.apereo.cas.support.saml.services.idp.metadata.SamlRegisteredServiceMetadataAdaptor] - <Locating metadata for entityID [https://localhost:8543/saml/metadata] by attempting to run through the metadata chain...>
>>> 2025-09-17 12:09:32,467 DEBUG [tomcat-handler-10] [org.apereo.cas.support.saml.services.idp.metadata.cache.SamlRegisteredServiceDefaultCachingMetadataResolver] - <Resolving metadata for [samlsp] at [file:///D:/installedApps/tools/casconfig/sp-metadata/springsp_saml_metadata.xml]>
>>> 2025-09-17 12:09:32,468 DEBUG [tomcat-handler-10] [org.apereo.cas.support.saml.services.idp.metadata.cache.SamlRegisteredServiceDefaultCachingMetadataResolver] - <Locating cached metadata resolver using key [f9e5132b7e2b93144b67bb2a6fecf673b0f63d32a8fdf68b6677a3d1bc4e4e671e8dc67697d9e495825f94d1b078b229619cf145d485a241a91ef28cbfdb31d7] for service [samlsp]. Attempt [0]>
>>> 2025-09-17 12:09:32,468 DEBUG [tomcat-handler-10] [org.apereo.cas.support.saml.services.idp.metadata.SamlRegisteredServiceMetadataAdaptor] - <Resolved metadata chain from [file:///D:/installedApps/tools/casconfig/sp-metadata/springsp_saml_metadata.xml] using [org.opensaml.saml.metadata.resolver.ChainingMetadataResolver]. Filtering the chain by entity ID [https://localhost:8543/saml/metadata]>
>>> 2025-09-17 12:09:32,468 DEBUG [tomcat-handler-10] [org.apereo.cas.support.saml.services.idp.metadata.SamlRegisteredServiceMetadataAdaptor] - <Located SP SSODescriptor in metadata for [https://localhost:8543/saml/metadata]. Metadata is valid until [forever]>
>>> 2025-09-17 12:09:32,468 DEBUG [tomcat-handler-10] [org.apereo.cas.web.flow.login.InitialFlowSetupAction] - <Placing registered service [https://localhost:8543/saml/metadata] with id [1003] in context scope>
>>> 2025-09-17 12:09:32,475 DEBUG [tomcat-handler-10] [org.apereo.cas.web.flow.authentication.RegisteredServiceAuthenticationPolicySingleSignOnParticipationStrategy] - <Evaluating authentication policy [DefaultRegisteredServiceAuthenticationPolicy(requiredAuthenticationHandlers=[], excludedAuthenticationHandlers=[], criteria=null)] for [samlsp]>
>>> 2025-09-17 12:09:32,870 DEBUG [tomcat-handler-10] [org.apereo.cas.web.flow.actions.DelegatedClientAuthenticationAction] - <Setting path for cookies for distributed session cookie generator to: [/cas/]>
>>> 2025-09-17 12:09:32,890 DEBUG [tomcat-handler-10] [org.apereo.cas.web.flow.resolver.impl.AbstractCasWebflowEventResolver] - <Resolved single event [success] via [org.apereo.cas.web.flow.resolver.impl.RankedMultifactorAuthenticationProviderWebflowEventResolver] for this context>
>>> 2025-09-17 12:09:32,895 INFO [tomcat-handler-10] [org.apereo.inspektr.audit.AuditTrailManager] - <Audit trail record BEGIN
>>> =============================================================
>>> WHEN: 2025-09-17T16:09:32.894204900
