Hi, thx so much! That pointed me to the right direction.
Yan On Wed, Sep 24, 2025 at 1:49 PM Agus Santosa <[email protected]> wrote: > This looks similar to what I encountered earlier and it affects > "localhost" only. > See another thread: SAML2 service 7.1.x and 7.2.x > <https://groups.google.com/a/apereo.org/g/cas-user/c/k_8HqC91NXk>. > > On Thursday, 18 September 2025 at 15:46:05 UTC-7 Yan Zhou wrote: > >> Hello, >> >> I have CAS 7.2.X war overlay, SAML authN seems broken in 7.2.4, it works >> in 7.2.3. I have a simple Spring Boot client that uses SAML to authenticate >> against CAS as server. >> >> With 7.2.4, i am getting Unauthorized App Error when Client app sends >> SAML AuthN Request to CAS and redirect to CAS URL. this works in 7.2.3. >> >> I am listing CAS logs for the two different versions. I debugged through >> the code, it does not seem obvious what maybe the problem in CAS code. >> >> Thanks, >> Yan >> >> here is the log for 7.2.4, failed due to unauthorized error. >> >> > >> 2025-09-17 12:05:22,847 DEBUG [tomcat-handler-7] >> [org.apereo.cas.support.saml.SamlUtils] - >> <********************************************************************************> >> 2025-09-17 12:05:22,854 INFO [tomcat-handler-7] [PROTOCOL_MESSAGE] - < >> ============================================================ >> SAML org.opensaml.saml.saml2.core.impl.AuthnRequestImpl >> ============================================================ >> <?xml version="1.0" encoding="UTF-8"?><saml2p:AuthnRequest >> xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" >> AssertionConsumerServiceURL="https://localhost:8543/saml/SSO"; >> Destination="https://localhost:8743/cas/idp/profile/SAML2/POST/SSO"; >> ForceAuthn="false" ID="aehj5f5dbbg5i6i12df49c4gi38a84" IsPassive="false" >> IssueInstant="2025-09-17T16:05:20.416Z" >> ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" >> Version="2.0"> >> <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"> >> https://localhost:8543/saml/metadata</saml2:Issuer> >> <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#";> >> .......... >> </ds:X509Data> >> </ds:KeyInfo> >> </ds:Signature> >> <saml2p:NameIDPolicy >> Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"/> >> </saml2p:AuthnRequest> >> >> ============================================================> >> 2025-09-17 12:05:22,929 DEBUG [tomcat-handler-7] >> [org.apereo.cas.support.saml.web.idp.profile.AbstractSamlIdPProfileHandlerController] >> - <Created service url [ >> https://localhost:8743/cas/idp/profile/SAML2/Callback?srid=aehj5f5dbbg5i6i12df49c4gi38a84&entityId=https%3A%2F%2Flocalhost... >> ]> >> 2025-09-17 12:05:22,931 DEBUG [tomcat-handler-7] >> [org.apereo.cas.support.saml.web.idp.profile.AbstractSamlIdPProfileHandlerController] >> - <Redirecting SAML authentication request to [ >> https://localhost:8743/cas/login?service=https%3A%2F%2Flocalhost%3A8743%2Fcas%2Fidp%2Fprofile%2FSAML2%2FCallback%3Fsrid%3Daehj5f5dbbg5i6i12df49c4gi38a84%26entityId%3Dhttps%253A%252F%252Flocalhost%253A8543%252Fsaml%252Fmetadata >> ]> >> 2025-09-17 12:05:22,931 DEBUG [tomcat-handler-7] >> [org.apereo.cas.support.saml.web.idp.profile.AbstractSamlIdPProfileHandlerController] >> - <Redirecting SAML authN request to [ >> https://localhost:8743/cas/login?service=https%3A%2F%2Flocalhost%3A8743%2Fcas%2Fidp%2Fprofile%2FSAML2%2FCallback%3Fsrid%3Daehj5f5dbbg5i6i12df49c4gi38a84%26entityId%3Dhttps%253A%252F%252Flocalhost%253A8543%252Fsaml%252Fmetadata >> ]> >> 2025-09-17 12:05:23,019 DEBUG [tomcat-handler-10] >> [org.apereo.cas.web.flow.CasFlowHandlerMapping] - <Mapped to >> [FlowHandlerMapping.DefaultFlowHandler@49ffbe04]> >> 2025-09-17 12:05:23,026 DEBUG [tomcat-handler-10] >> [org.apereo.cas.web.flow.CasFlowHandlerAdapter] - <Configuring CAS webflow >> execution plan...> >> 2025-09-17 12:05:23,103 INFO [scheduling-9] >> [org.apereo.cas.services.mgmt.AbstractServicesManager] - <Loaded [3] >> service(s) from cache [JsonServiceRegistry].> >> 2025-09-17 12:05:23,114 DEBUG [tomcat-handler-10] >> [org.apereo.cas.web.flow.configurer.AbstractCasMultifactorWebflowConfigurer] >> - <Unable to locate state definition [delegatedAuthentication] in flow >> [mfa-simple]> >> 2025-09-17 12:05:23,115 DEBUG [tomcat-handler-10] >> [org.apereo.cas.web.flow.configurer.AbstractCasWebflowConfigurer] - >> <[OidcWebflowConfigurer] could not find flow definition [account]. >> Available flow definition ids are [[clientredirect, login, logout, >> mfa-simple]]> >> 2025-09-17 12:05:23,330 DEBUG [tomcat-handler-10] >> [org.apereo.cas.web.flow.login.InitialFlowSetupAction] - <Setting path for >> cookies for warn cookie generator to: [/cas/]> >> 2025-09-17 12:05:23,330 DEBUG [tomcat-handler-10] >> [org.apereo.cas.web.flow.login.InitialFlowSetupAction] - <Setting path for >> cookies for TGC cookie generator to: [/cas/]> >> 2025-09-17 12:05:23,333 DEBUG [tomcat-handler-10] >> [org.apereo.cas.web.flow.login.InitialFlowSetupAction] - <Placing service >> in context scope: [ >> https://localhost:8743/cas/idp/profile/SAML2/Callback?srid=aehj5f5dbbg5i6i12df49c4gi38a84&entityId=https%3A%2F%2Flocalhost%3A8543%2Fsaml%2Fmetadata >> ]> >> 2025-09-17 12:05:23,342 WARN [tomcat-handler-10] >> [org.apereo.cas.services.RegisteredServiceAccessStrategyUtils] - >> <Unauthorized Service Access. Service [ >> https://localhost:8743/cas/idp/profile/SAML2/Callback?srid=aehj5f5dbbg5i6i12df49c4gi38a84&entityId=https%3A%2F%2Flocalhost%3A8543%2Fsaml%2Fmetadata] >> is not registered in the service registry. Review the service access >> strategy to evaluate policies required for service access> >> >> here is the log for 7.2.3, working fine. >> >> 2025-09-17 12:09:31,992 DEBUG [tomcat-handler-9] >> [org.apereo.cas.support.saml.SamlUtils] - <Logging >> [org.opensaml.saml.saml2.core.impl.AuthnRequestImpl] >> >> [<?xml version="1.0" encoding="UTF-8"?><saml2p:AuthnRequest >> xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" >> AssertionConsumerServiceURL="https://localhost:8543/saml/SSO"; >> Destination="https://localhost:8743/cas/idp/profile/SAML2/POST/SSO"; >> ForceAuthn="false" ID="a5af4e8dia2h4216478632h1b086c6" IsPassive="false" >> IssueInstant="2025-09-17T16:09:27.741Z" >> ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" >> Version="2.0"> >> <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"> >> https://localhost:8543/saml/metadata</saml2:Issuer> >> ............. >> </ds:Signature> >> <saml2p:NameIDPolicy >> Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"/> >> </saml2p:AuthnRequest> >> ] >> >> > >> 2025-09-17 12:09:31,992 DEBUG [tomcat-handler-9] >> [org.apereo.cas.support.saml.SamlUtils] - >> <********************************************************************************> >> 2025-09-17 12:09:32,001 INFO [tomcat-handler-9] [PROTOCOL_MESSAGE] - < >> ============================================================ >> SAML org.opensaml.saml.saml2.core.impl.AuthnRequestImpl >> ============================================================ >> <?xml version="1.0" encoding="UTF-8"?><saml2p:AuthnRequest >> xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" >> AssertionConsumerServiceURL="https://localhost:8543/saml/SSO"; >> Destination="https://localhost:8743/cas/idp/profile/SAML2/POST/SSO"; >> ForceAuthn="false" ID="a5af4e8dia2h4216478632h1b086c6" IsPassive="false" >> IssueInstant="2025-09-17T16:09:27.741Z" >> ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" >> Version="2.0"> >> <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"> >> https://localhost:8543/saml/metadata</saml2:Issuer> >> .......................... >> >> <saml2p:NameIDPolicy >> Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"/> >> </saml2p:AuthnRequest> >> >> ============================================================> >> 2025-09-17 12:09:32,070 DEBUG [tomcat-handler-9] >> [org.apereo.cas.support.saml.web.idp.profile.AbstractSamlIdPProfileHandlerController] >> - <Created service url [ >> https://localhost:8743/cas/idp/profile/SAML2/Callback?srid=a5af4e8dia2h4216478632h1b086c6&entityId=https%3A%2F%2Flocalhost... >> ]> >> 2025-09-17 12:09:32,072 DEBUG [tomcat-handler-9] >> [org.apereo.cas.support.saml.web.idp.profile.AbstractSamlIdPProfileHandlerController] >> - <Redirecting SAML authentication request to [ >> https://localhost:8743/cas/login?service=https%3A%2F%2Flocalhost%3A8743%2Fcas%2Fidp%2Fprofile%2FSAML2%2FCallback%3Fsrid%3Da5af4e8dia2h4216478632h1b086c6%26entityId%3Dhttps%253A%252F%252Flocalhost%253A8543%252Fsaml%252Fmetadata >> ]> >> 2025-09-17 12:09:32,072 DEBUG [tomcat-handler-9] >> [org.apereo.cas.support.saml.web.idp.profile.AbstractSamlIdPProfileHandlerController] >> - <Redirecting SAML authN request to [ >> https://localhost:8743/cas/login?service=https%3A%2F%2Flocalhost%3A8743%2Fcas%2Fidp%2Fprofile%2FSAML2%2FCallback%3Fsrid%3Da5af4e8dia2h4216478632h1b086c6%26entityId%3Dhttps%253A%252F%252Flocalhost%253A8543%252Fsaml%252Fmetadata >> ]> >> 2025-09-17 12:09:32,158 DEBUG [tomcat-handler-10] >> [org.apereo.cas.web.flow.CasFlowHandlerMapping] - <Mapped to >> [FlowHandlerMapping.DefaultFlowHandler@4830d7e2]> >> 2025-09-17 12:09:32,163 DEBUG [tomcat-handler-10] >> [org.apereo.cas.support.saml.services.idp.metadata.SamlRegisteredServiceMetadataAdaptor] >> - <Locating metadata for entityID [https://localhost:8543/saml/metadata] >> by attempting to run through the metadata chain...> >> 2025-09-17 12:09:32,165 DEBUG [tomcat-handler-10] >> [org.apereo.cas.support.saml.services.idp.metadata.cache.SamlRegisteredServiceDefaultCachingMetadataResolver] >> - <Resolving metadata for [samlsp] at >> [file:///D:/installedApps/tools/casconfig/sp-metadata/springsp_saml_metadata.xml]> >> 2025-09-17 12:09:32,165 DEBUG [tomcat-handler-10] >> [org.apereo.cas.support.saml.services.idp.metadata.cache.SamlRegisteredServiceDefaultCachingMetadataResolver] >> - <Locating cached metadata resolver using key >> [f9e5132b7e2b93144b67bb2a6fecf673b0f63d32a8fdf68b6677a3d1bc4e4e671e8dc67697d9e495825f94d1b078b229619cf145d485a241a91ef28cbfdb31d7] >> for service [samlsp]. Attempt [0]> >> 2025-09-17 12:09:32,166 DEBUG [tomcat-handler-10] >> [org.apereo.cas.support.saml.services.idp.metadata.SamlRegisteredServiceMetadataAdaptor] >> - <Resolved metadata chain from >> [file:///D:/installedApps/tools/casconfig/sp-metadata/springsp_saml_metadata.xml] >> using [org.opensaml.saml.metadata.resolver.ChainingMetadataResolver]. >> Filtering the chain by entity ID [https://localhost:8543/saml/metadata]> >> 2025-09-17 12:09:32,166 DEBUG [tomcat-handler-10] >> [org.apereo.cas.support.saml.services.idp.metadata.SamlRegisteredServiceMetadataAdaptor] >> - <Located SP SSODescriptor in metadata for [ >> https://localhost:8543/saml/metadata]. Metadata is valid until [forever]> >> 2025-09-17 12:09:32,169 DEBUG [tomcat-handler-10] >> [org.apereo.cas.web.flow.CasFlowHandlerAdapter] - <Configuring CAS webflow >> execution plan...> >> 2025-09-17 12:09:32,245 INFO [scheduling-9] >> [org.apereo.cas.services.mgmt.AbstractServicesManager] - <Loaded [3] >> service(s) from cache [JsonServiceRegistry].> >> 2025-09-17 12:09:32,255 DEBUG [tomcat-handler-10] >> [org.apereo.cas.web.flow.configurer.AbstractCasMultifactorWebflowConfigurer] >> - <Unable to locate state definition [delegatedAuthentication] in flow >> [mfa-simple]> >> 2025-09-17 12:09:32,256 DEBUG [tomcat-handler-10] >> [org.apereo.cas.web.flow.configurer.AbstractCasWebflowConfigurer] - >> <[OidcWebflowConfigurer] could not find flow definition [account]. >> Available flow definition ids are [[clientredirect, login, logout, >> mfa-simple]]> >> 2025-09-17 12:09:32,454 DEBUG [tomcat-handler-10] >> [org.apereo.cas.web.flow.login.InitialFlowSetupAction] - <Setting path for >> cookies for warn cookie generator to: [/cas/]> >> 2025-09-17 12:09:32,454 DEBUG [tomcat-handler-10] >> [org.apereo.cas.web.flow.login.InitialFlowSetupAction] - <Setting path for >> cookies for TGC cookie generator to: [/cas/]> >> 2025-09-17 12:09:32,457 DEBUG [tomcat-handler-10] >> [org.apereo.cas.web.flow.login.InitialFlowSetupAction] - <Placing service >> in context scope: [ >> https://localhost:8743/cas/idp/profile/SAML2/Callback?srid=a5af4e8dia2h4216478632h1b086c6&entityId=https%3A%2F%2Flocalhost%3A8543%2Fsaml%2Fmetadata >> ]> >> 2025-09-17 12:09:32,459 DEBUG [tomcat-handler-10] >> [org.apereo.cas.support.saml.services.idp.metadata.SamlRegisteredServiceMetadataAdaptor] >> - <Locating metadata for entityID [https://localhost:8543/saml/metadata] >> by attempting to run through the metadata chain...> >> 2025-09-17 12:09:32,461 DEBUG [tomcat-handler-10] >> [org.apereo.cas.support.saml.services.idp.metadata.cache.SamlRegisteredServiceDefaultCachingMetadataResolver] >> - <Resolving metadata for [samlsp] at >> [file:///D:/installedApps/tools/casconfig/sp-metadata/springsp_saml_metadata.xml]> >> 2025-09-17 12:09:32,461 DEBUG [tomcat-handler-10] >> [org.apereo.cas.support.saml.services.idp.metadata.cache.SamlRegisteredServiceDefaultCachingMetadataResolver] >> - <Locating cached metadata resolver using key >> [f9e5132b7e2b93144b67bb2a6fecf673b0f63d32a8fdf68b6677a3d1bc4e4e671e8dc67697d9e495825f94d1b078b229619cf145d485a241a91ef28cbfdb31d7] >> for service [samlsp]. Attempt [0]> >> 2025-09-17 12:09:32,462 DEBUG [tomcat-handler-10] >> [org.apereo.cas.support.saml.services.idp.metadata.SamlRegisteredServiceMetadataAdaptor] >> - <Resolved metadata chain from >> [file:///D:/installedApps/tools/casconfig/sp-metadata/springsp_saml_metadata.xml] >> using [org.opensaml.saml.metadata.resolver.ChainingMetadataResolver]. >> Filtering the chain by entity ID [https://localhost:8543/saml/metadata]> >> 2025-09-17 12:09:32,462 DEBUG [tomcat-handler-10] >> [org.apereo.cas.support.saml.services.idp.metadata.SamlRegisteredServiceMetadataAdaptor] >> - <Located SP SSODescriptor in metadata for [ >> https://localhost:8543/saml/metadata]. Metadata is valid until [forever]> >> 2025-09-17 12:09:32,465 DEBUG [tomcat-handler-10] >> [org.apereo.cas.support.saml.services.idp.metadata.SamlRegisteredServiceMetadataAdaptor] >> - <Locating metadata for entityID [https://localhost:8543/saml/metadata] >> by attempting to run through the metadata chain...> >> 2025-09-17 12:09:32,467 DEBUG [tomcat-handler-10] >> [org.apereo.cas.support.saml.services.idp.metadata.cache.SamlRegisteredServiceDefaultCachingMetadataResolver] >> - <Resolving metadata for [samlsp] at >> [file:///D:/installedApps/tools/casconfig/sp-metadata/springsp_saml_metadata.xml]> >> 2025-09-17 12:09:32,468 DEBUG [tomcat-handler-10] >> [org.apereo.cas.support.saml.services.idp.metadata.cache.SamlRegisteredServiceDefaultCachingMetadataResolver] >> - <Locating cached metadata resolver using key >> [f9e5132b7e2b93144b67bb2a6fecf673b0f63d32a8fdf68b6677a3d1bc4e4e671e8dc67697d9e495825f94d1b078b229619cf145d485a241a91ef28cbfdb31d7] >> for service [samlsp]. Attempt [0]> >> 2025-09-17 12:09:32,468 DEBUG [tomcat-handler-10] >> [org.apereo.cas.support.saml.services.idp.metadata.SamlRegisteredServiceMetadataAdaptor] >> - <Resolved metadata chain from >> [file:///D:/installedApps/tools/casconfig/sp-metadata/springsp_saml_metadata.xml] >> using [org.opensaml.saml.metadata.resolver.ChainingMetadataResolver]. >> Filtering the chain by entity ID [https://localhost:8543/saml/metadata]> >> 2025-09-17 12:09:32,468 DEBUG [tomcat-handler-10] >> [org.apereo.cas.support.saml.services.idp.metadata.SamlRegisteredServiceMetadataAdaptor] >> - <Located SP SSODescriptor in metadata for [ >> https://localhost:8543/saml/metadata]. Metadata is valid until [forever]> >> 2025-09-17 12:09:32,468 DEBUG [tomcat-handler-10] >> [org.apereo.cas.web.flow.login.InitialFlowSetupAction] - <Placing >> registered service [https://localhost:8543/saml/metadata] with id [1003] >> in context scope> >> 2025-09-17 12:09:32,475 DEBUG [tomcat-handler-10] >> [org.apereo.cas.web.flow.authentication.RegisteredServiceAuthenticationPolicySingleSignOnParticipationStrategy] >> - <Evaluating authentication policy >> [DefaultRegisteredServiceAuthenticationPolicy(requiredAuthenticationHandlers=[], >> excludedAuthenticationHandlers=[], criteria=null)] for [samlsp]> >> 2025-09-17 12:09:32,870 DEBUG [tomcat-handler-10] >> [org.apereo.cas.web.flow.actions.DelegatedClientAuthenticationAction] - >> <Setting path for cookies for distributed session cookie generator to: >> [/cas/]> >> 2025-09-17 12:09:32,890 DEBUG [tomcat-handler-10] >> [org.apereo.cas.web.flow.resolver.impl.AbstractCasWebflowEventResolver] - >> <Resolved single event [success] via >> [org.apereo.cas.web.flow.resolver.impl.RankedMultifactorAuthenticationProviderWebflowEventResolver] >> for this context> >> 2025-09-17 12:09:32,895 INFO [tomcat-handler-10] >> [org.apereo.inspektr.audit.AuditTrailManager] - <Audit trail record BEGIN >> ============================================================= >> WHEN: 2025-09-17T16:09:32.894204900 >> > -- - Website: https://apereo.github.io/cas - List Guidelines: https://goo.gl/1VRrw7 - Contributions: https://goo.gl/mh7qDG --- You received this message because you are subscribed to the Google Groups "CAS Community" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAFSoZe%3DsbsLZ6t2K5VwLCrpbYrjd%3DALRQdtQ1BYh0MAHNHeO3g%40mail.gmail.com.
