From: Jeremiah Garmatter
Sent: July 29, 2025 05:29
To: CAS Community
Cc: Ray Bon
Subject: Re: [cas-user] SAML2 IdP Error
New development: One of our users experienced the SAML2 error from our internal
network. The
>>>> p.core.session-replication.cookie.crypto.encryption.key=<encryption key>
>>>> The values are replicated across each host in the cluster.
>>>>
>>>> On Friday, June 27, 2025 at 3:25:25 PM UTC-4 Ray Bon wrote:
>>>>
>>>> Jeremiah,
>>>>
>>>> Do you have a session-replication.cookie configured?
>>>>
>>>> https://apereo.github.io/cas/7.2.x/authentication/Configuring-SAML2-Authentication.html
>>>> under
>>>> Signing & Encryption tab
>>>>
>>>> Ray
>>>> ----------
>>>> *From:* 'Jeremiah Garmatter' via CAS Commu
Ray
From: Jeremiah Garmatter
Sent: June 30, 2025 10:54
To: CAS Community
Cc: Ray Bon
Subject: Re: [cas-user] SAML2 IdP Error
I tracked down some more info in the CAS logs.
During the affected users' login process, I see these messages:
Jun 30 13:16:17 REDACTED_SERVER Jun 3
-
> *From:* 'Jeremiah Garmatter' via CAS Community
> *Sent:* June 27, 2025 10:59
> *To:* CAS Community
> *Subject:* [cas-user] SAML2 IdP Error
>
> Hello,
>
> I run CAS 7.2.1 in a cluster with Hazelcast ticket registry and SAML2
> support. I have a strange issue.
> Most users can log in to SAML2 services without any trouble, however, some
> users receive an error every time they attempt a login.
> See attachment for the error message.
> The majority of u
12:14
To: CAS Community
Cc: Matias Argañaraz
Subject: [cas-user] SAML2 IdP error after upgrading to 7+
Good afternoon, we have an error when trying to authenticate using SAML
protocol after upgrading to version 7+,
[image: Captura.PNG]
(the full error log is at the bottom of the post)
About our current setup:
We are using CAS version 6.6.13 deployed in an environment with multiple
instances (k
7.0.x/protocol/Protocol-Overview.html and the
links therein to understand how the various protocols work.
Ray
From: cas-user@apereo.org on behalf of Essey T
Sent: 24 July 2024 20:25
To: cas-user@apereo.org
Subject: Re: [cas-user] Saml2
party to handle the response from cas.
The SP is typically associated with the application(s) being protected, not on
a user's device.
Ray
From: cas-user@apereo.org on behalf of Jesse <jessetez...@gmail.com>
Sent: 24 July 2024 15:36
To: CAS Community
Subject: [cas-user] Saml2
We are trying to use cas as IDP and IOS app as ServiceProvider and we want
to land from ios app(has ServiceTicket) to safari(web application) without
login using saml2. Is there a way to handle this? We came up with getting
saml request from ios to cas and getting saml response back but saml
re
Hello Ray,
Indeed, that was all. Sorry for bothering you for so little and thank you
for your help.
Have a great day.
On Thu, May 2, 2024 at 01:01, Ray Bon wrote:
> Are you missing service-provider-metadata-path?
>
> Ray
>
> On Wed, 2024-05-01 at 20:20 +0200, wouldsmina wrote:
>
> Notice: This message was sent from outside the University of Victoria email
> system. Please be cautious with links and sensitive information.
Hello,
I want to use SAML2 Delegated Authentication as explained in this
documentation:
https://fawnoos.com/2023/10/04/cas66-delegate-authn-saml2-idp/
Unfortunately, I'm encountering an error upon restarting the Tomcat service:
Xavier,
The form of testImplementation is just a different way to write the same thing
as you have for implementation.
It may be that some SAML config needs the person directory. It is ok to include
it.
Ray
On Wed, 2024-04-03 at 05:49 -0700, Xavier Rodríguez wrote:
Hi,
Thanks for your responses!
After analyzing the CAS-6.4.6.6 code I have found that the bean that causes
my problem is created in
*org.apereo.cas.config.CasPersonDirectoryConfiguration*.
Then, when I add in my build.gradle:
implementation "org.apereo.cas:cas-server-support-person-directory:${
Hello,
I have a working instance with :
In addition,
cas.server.prefix
cas.server.scope
cas.server.name
And
implementation "org.apereo.cas:cas-server-support-saml:${project.'
cas.version'}"
But I think it's not required because it's for saml1
On Fri, Mar 22, 2024 at 14:09, Xavier Rodríguez wrote
Xavier,
The property names may have changed (your version is old).
Maybe search this blog, https://fawnoos.com/blog/
Ray
On Fri, 2024-03-22 at 06:02 -0700, Xavier Rodríguez wrote:
And you should also add the attribute definitions :
cas.authn.attribute-repository.*
These attribute mappings will be added in the saml2 response claims
On Fri, Mar 22, 2024 at 15:43, Mohamed Amdouni wrote:
> Hello,
>
> I have a working instance with :
>
> In addition,
> cas.server.prefix
Hello,
I'm not familiar with SAML 2.0 and I need to set up our CAS 6.4.6.6 with
SAML2 protocol. Our CAS uses Oauth2 + CAS protocol. Now, we need to add
this protocol.
Following the documentation:
https://apereo.github.io/cas/6.6.x/authentication/Configuring-SAML2-Authentication.html
I've added
CAS: 6.6.x
When using the file system to store IDP Metadata we have a successful flow
for SAML2.
When we try to store the IDP Metadata on Mongo we get different kinds of
errors. Of course all have to do with signing and encryption keys.
CAS is able to communicate with Mongo and successfully create t
James,
From your first link, it looks like you set it in the service definition.
The signing algorithm is in the SAML payload. To see it, install a tool like
samltracer in your browser.
Ray
On Thu, 2022-03-17 at 06:25 -0700, JC wrote:
Hello everyone,
I am hoping that someone can answer my question regarding CAS' signing
algorithms. We are running CAS 6.1.x, and one of our SPs (Barnes and
Noble's AIP) has informed us that they now support SHA256 as a signing
algorithm, and want us to switch their service over to it.
I have l
Hi,
I'm wondering if anyone has used this feature?
https://apereo.github.io/cas/6.3.x/configuration/Configuration-Properties.html#saml2-identity-provider-discovery
I assume you point CAS at a resource with:
cas.authn.pac4j.saml-discovery.resource[0].location=file:/etc/cas/config/json-feed.json
a
lpful!
Keith Alston
Regent University
IT Department
keit...@regent.edu
757.619.3421
From: cas-user@apereo.org on behalf of Keith Alston
(Staff)
Sent: Monday, April 19, 2021 3:36 PM
To: cas-user@apereo.org
Subject: [External] Re: [cas-user] SAML2 request POST vs GET CAS 5.3.14??
Hmmm, metadata expired. So I changed the
d on the provided
signature
Keith Alston
Regent University
IT Department
keit...@regent.edu
757.619.3421
From: 'Richard Frovarp' via CAS Community
Sent: Monday, April 19, 2021 2:19 PM
To: cas-user@apereo.org
Subject: [External] Re: [cas-user] SAML2 reque
:35 PM
To: cas-user@apereo.org
Subject: [External] Re: [cas-user] SAML2 request POST vs GET CAS 5.3.14??
Keith,
The destination URLs are different, cas and casdev.
Is minitab routing to cas or casdev and is your service defined there?
Ray
On Mon, 2021-04-19 at 17:26 +, Keith Alston (Staff
"@class" :
"org.apereo.cas.services.PrincipalAttributeRegisteredServiceUsernameProvider",
"usernameAttribute" : "emailAddress",
},
"attributeReleasePolicy" : {
"@class" : "org.apereo.cas.services.ReturnMappedAttributeReleasePolicy",
"allowedAttributes" :
nt: Monday, April 19, 2021 12:49 PM
To: cas-user@apereo.org
Subject: [External] Re: [cas-user] SAML2 request POST vs GET CAS 5.3.14??
Since I saw someone create the URL by hand the other day, I'm going to ask the
simple question: is the request hitting the HTTP-POST binding location? POST
and Redirect are two different URLs in CAS (and I'm guessing most IdPs).
I've never had to do anything different to handle the two different
It seems that my CAS SAML2.0 idp is handling SAML2 services that do GET
requests just fine.
But when I have an SP that does a SAML2 POST request my idp is not reading the
parameters
and I get the "Application Not Authorized to Use CAS" message instead of the
auth page. Difference being
parameter
Hi, I have discovered yet another bug in SAML2 support in 6.3.4-SNAPSHOT
and 6.4.0-SNAPSHOT.
It looks like SamlIdPMetadataResolver is provided with cas url instead of
entityId while resolving signing credentials.
cas_1 | TRACE [org.apereo.cas.support.saml.SamlUtils] Attempting to create
SAMLObj
Michele,
Are you saying that this service will periodically send the user back to cas to
get updated attributes/re-authenticate (that is the service has a very short
session, say 20m)?
Perhaps you could turn off attribute caching,
https://apereo.github.io/cas/6.2.x/integration/Attribute-Releas
Hello.
I'm using cas 5.3, successfully configured it with SAML2 support.
For every service I have a specialized groovy script that rewires the
attributes for the specific endpoint.
Until now the authentication query gave me all I needed to build SAML2. The
authentication query is done via Sql (
Hello,
I am configuring a CAS V5.3.x with SAML to delegate authentication to an
IDP.
The IDP uses the relayState to determine if the person has access to the
resource.
However, the relayState contains the TST ticket and not the URL of the
resource.
Is it possible to change this behavior via c
I'm glad that helped. It took us some time to figure out it wasn't a CAS issue
when we first came across it.
From: "Michael Daley"
To: "cas-user"
Sent: Thursday, April 2, 2020 1:27:08 PM
Subject: Re: [External]:Re: [cas-user] SAML2 HTTP-POST binding URL too
Are you behind a proxy server? I've had a similar issue due to our Nginx proxy
blocking the request.
Thanks,
Mike
From: "Michael Daley"
To: "CAS Community"
Sent: Thursday, April 2, 2020 11:43:47 AM
Subject: [cas-user] SAML2 HTTP-POST binding URL too long? 400 Bad Request
Hi,
A vendor (gartner) performing an sp-initiated SSO to our HTTP-POST binding
is unable to complete the authentication webflow. The url that CAS sends
the user to on the login page is over 3900 characters long, and appears to
cause a browser error. We get 400 - Bad Request when clicking on "s
When using a SAML2 service in CAS the theme attribute doesn't seem to be
respected. The theme settings work for our CAS entries. Using both CAS 5.1
and 5.3.
{
"@class" : "org.apereo.cas.support.saml.services.SamlRegisteredService",
"attributeReleasePolicy": {
"@class":
"org.ap
Yes, thank you for the update. After spending 2 days, I stumbled on this
and then tried RC4 and it worked as expected.
On Thursday, 17 October 2019 13:08:26 UTC-4, mohamed gamal wrote:
>
> The same error also exists in rc5, rc4 is working fine.
>
> On Thu, 17 Oct 2019, 3:03 pm M. Daley, wrote:
>
> > When running a fresh install of CAS 6.1.0-RC6 I receive the following error
> > after authentication using SAML2.
> >
> > 2019-10-16 16:22:46,244 ERROR [org.apache.catalina.core.ContainerBase.[
> > Tomcat].[localhost].[/cas].[dispatcherServlet]] -
> > org.apache.velocity.exception.ResourceNotFoundException: Unabl
Hi folks,
Is there a way to support the IDP-initiated mode with the pac4j client ?
or any other client ? (IDP-initiated mode is an Auth Request coming
directly from an IDP without going through the CAS server before, this
mode set all url params needed like the entityID and the targeted servi
Hi All, I have some trouble with SAML2 SLO.
It seems that my IdP CAS 5.2.X does not provide any SAML logout response
to the SP sending SLO request to it.
What am I missing? Is there any particular configuration to be provided?
Does not CAS IdP support SP initiated?
Thank you in advance for
From: "Richard Frovarp"
To: "cas-user"
Sent: Thursday, October 26, 2017 2:21:58 PM
Subject: [cas-user] SAML2 NotOnOrAfter issues
We're having problems with a vendor using SAML2. They are rejecting the
message because the NotOnOrAfter time has been surpassed. Looking at the
full message they sent me, it looks like a bug?
https://ndsu.kanbantool.com/saml/complete\";
ID=\"_3256076461702895080\"
InResponseTo=\"_b129e75e-067b
Hi All, is there a way to skip HTTP redirect deflate encoder working
with SAML2 delegated authentication?
My CAS installation is based on 5.2.0-RC3.
Please, let me know.
BR,
F.
--
Fabio Martelli
https://it.linkedin.com/pub/fabio-martelli/1/974/a44
http://blog.tirasa.net/author/fabio/index.htm
Hello,
I am trying to setup SAML auth on CAS 5.1.3 server using the
cas-services-management-overlay. I am trying to authenticate using
testshib.org as a Service Provider.
This is using the built-in tomcat container and is running on RHEL 7 behind
HAProxy using the non-ssl CAS endpoint.
Loggin
Hi All, it seems there is a bug about Metadata UI info parsing.
Shortly, in SamlMetadataUIInfo, the method getDisplayNames returns a
Collection of String by using the getStringValues method explicitly.
Unfortunately, the method to retrieve the localized display name
getDisplayName is leveraging on
Hi all,
I want to know if it's possible to enable metadata signature with CAS
acting as a SAML2 Identity Provider?
With Spring-security it can be achieved with the
ExtendedMetadata.setSignMetadata method, but I didn't find any use of this
class in CAS source code (I use 5.0.0 version)
Thanks in adva
Hi everyone!
I have a CAS v4.2 server with SAML v2.0 delegation configured. I have many
SPs connected to this CAS server that delegate the authentication to an
external SAML v2.0 IdP. It works correctly for the SSO, but is there a way
to configure the SLO properly? My SPs are correctly logged
File an issue please; include all details.
From: "kaphael"
To: "CAS Community"
Sent: Tuesday, October 18, 2016 6:27:01 PM
Subject: [cas-user] SAML2 support
Hi,
I'm using CAS 5.0.0.RC3-SNAPSHOT with SAML2 support.
Since this version I got an issue with authentication (authentication works
with RC1).
I think the issue comes from these
lines (cas/support/cas-server-support-saml-idp/src/main/java/org/apereo/cas/support/saml/web/idp/profile/builders/e
When I turn on the SAML2 I see these errors in crt files and an SSL handshake
exception when using the SP to test the SAML2 feature. What am I doing
wrong?
Error: javax.net.ssl.SSLHandshakeException:
java.security.cert.CertificateException: No name matching
domaincas5.domain.edu found
c:\cas>k