Hi Ray and thank you for your answer.

Yes, what you say is correct. This situation happens when the session 
expires on my client application and the client application redirects to 
the cas server. During this redirect the Cas Client always sends the 
complete service url.

Sometimes the user leaves the browser open and inactive for many hours, so 
the TGC remains in the browser (cookie in memory by default) but the TGT is 
expired. It's only in this situation that we lose the service parameter 
and have a clean one.

Maybe we have to set the maxAge for the TGC?

Now we have the parameters for TGC and TGT


cas.tgc.maxAge=-1
cas.ticket.tgt.timeToKillInSeconds=30800
cas.ticket.tgt.maxTimeToLiveInSeconds=30800
cas.ticket.tgt.timeout.maxTimeToLiveInSeconds=30800
cas.ticket.tgt.hardTimeout.timeToKillInSeconds=30800



Thanks!
Riccardo



On Monday, 11 March 2019 16:45:49 UTC+1, rbon wrote:
>
> Riccardo,
>
> The ticket granting ticket destroyed is the result of the stale session. 
> Your browser has a TGC from the old session and sends it to CAS. CAS finds 
> the expired TGT and discards it from the ticket store. CAS then initiates 
> a new log in flow.
>
> Check that your client application is sending the correct return URL on 
> expired session (your client may also have an expired session).
>
> Ray
>
> On Sun, 2019-03-10 at 23:41 -0700, Riccardo Saponi wrote:
>
> Hi everyone! 
>
> we would like to have some support about this event in login webflow
>
> TICKET_GRANTING_TICKET_DESTROYED
>
> We have CAS 5.1.3 with a SAML delegation to another IDP and some web 
> applications that are using CAS as SSO provider. 
> In some cases, when the user leaves the browser open and inactive for many 
> hours (e.g. the night), we get the event TICKET_GRANTING_TICKET_DESTROYED 
> during the login webflow. This event seems to lose the original service of 
> the web-app we used to call the Cas. We saw this event before SAML IDP is 
> called.
>
> After the login on the IDP SAML the user is redirected to the success page 
> of the CAS, instead of the initial service page. Our Cas version is 5.1.3. 
> Does anyone know if this behaviour is correct or is a bug? We have default 
> configurations on TGT and ST duration on cas.properties.
> We have looked for any documentation about the event 
> TICKET_GRANTING_TICKET_DESTROYED 
> but with no success.
>
>
> This is an example of cas_audit.log with the wrong login webflow.
>
> 2019-03-08 05:33:21,073 INFO 
> [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - Audit 
> trail record BEGIN
> =============================================================
> WHO: audit:unknown
> WHAT: [event=success,timestamp=Fri Mar 08 05:33:21 CET 
> 2019,source=RankedAuthenticationProviderWebflowEventResolver]
> ACTION: AUTHENTICATION_EVENT_TRIGGERED
> APPLICATION: CAS
> WHEN: Fri Mar 08 05:33:21 CET 2019
> CLIENT IP ADDRESS: 82.185.105.200
> SERVER IP ADDRESS: 10.132.0.5
> =============================================================
>
>
> *2019-03-08 05:33:21,076 INFO 
> [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - Audit 
> trail record BEGIN*
> *=============================================================*
> *WHO: audit:unknown*
> *WHAT: 
> TGT-**************************************************9yyIGd5HwW-cascredem*
> *ACTION: TICKET_GRANTING_TICKET_DESTROYED*
> *APPLICATION: CAS*
> *WHEN: Fri Mar 08 05:33:21 CET 2019*
> *CLIENT IP ADDRESS: 82.185.105.200*
> *SERVER IP ADDRESS: 10.132.0.5*
> *=============================================================*
>
>
> 2019-03-08 05:33:24,948 INFO 
> [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - Audit 
> trail record BEGIN
> =============================================================
> WHO: UT01097
> WHAT: Supplied credentials: 
> [org.apereo.cas.authentication.principal.ClientCredential@578b862c[id=UT01097]]
>   
> (return of SAML IDP)
> ACTION: AUTHENTICATION_SUCCESS
> APPLICATION: CAS
> WHEN: Fri Mar 08 05:33:24 CET 2019
> CLIENT IP ADDRESS: 82.185.105.200
> SERVER IP ADDRESS: 10.132.0.5
> =============================================================
>
>
> 2019-03-08 05:33:24,955 INFO 
> [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - Audit 
> trail record BEGIN
> =============================================================
> WHO: UT01097
> WHAT: 
> TGT-**************************************************XGzd4xOnGb-cascredem
> ACTION: TICKET_GRANTING_TICKET_CREATED
> APPLICATION: CAS
> WHEN: Fri Mar 08 05:33:24 CET 2019
> CLIENT IP ADDRESS: 82.185.105.200
> SERVER IP ADDRESS: 10.132.0.5
> =============================================================
>
> 2019-03-08 05:33:25,521 INFO 
> [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - Audit 
> trail record BEGIN
> =============================================================
> WHO: audit:unknown
> WHAT: [event=success,timestamp=Fri Mar 08 05:33:25 CET 
> 2019,source=InitialAuthenticationAttemptWebflowEventResolver]
> ACTION: AUTHENTICATION_EVENT_TRIGGERED
> APPLICATION: CAS
> WHEN: Fri Mar 08 05:33:25 CET 2019
> CLIENT IP ADDRESS: 82.185.105.200
> SERVER IP ADDRESS: 10.132.0.5
> =============================================================
>
>
> 2019-03-08 05:33:25,533 INFO 
> [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - Audit 
> trail record BEGIN
> =============================================================
> WHO: UT01097
> *WHAT: ST-75355-2etLNdlkQtnkmDSq2DGd-cascredem for 
> https://myhostname/c/portal/login <https://myhostname/c/portal/login>  
>  without service!*
> ACTION: SERVICE_TICKET_CREATED
> APPLICATION: CAS
> WHEN: Fri Mar 08 05:33:25 CET 2019
> CLIENT IP ADDRESS: 82.185.105.200
> SERVER IP ADDRESS: 10.132.0.5
> =============================================================
>
>
> 2019-03-08 05:33:25,738 INFO 
> [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - Audit 
> trail record BEGIN
> =============================================================
> WHO: UT01097
> WHAT: ST-75355-2etLNdlkQtnkmDSq2DGd-cascredem
> ACTION: SERVICE_TICKET_VALIDATED
> APPLICATION: CAS
> WHEN: Fri Mar 08 05:33:25 CET 2019
> CLIENT IP ADDRESS: 10.132.0.7
> SERVER IP ADDRESS: 10.132.0.6
> =============================================================
>
>
>
> This is an example of cas_audit.log with the correct login webflow (you can see 
> the original service and there is no 
> *TICKET_GRANTING_TICKET_DESTROYED* event)
>
> 2019-03-08 04:15:13,897 INFO 
> [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - Audit 
> trail record BEGIN
> =============================================================
> WHO: audit:unknown
> WHAT: [event=success,timestamp=Fri Mar 08 04:15:13 CET 
> 2019,source=RankedAuthenticationProviderWebflowEventResolver]
> ACTION: AUTHENTICATION_EVENT_TRIGGERED
> APPLICATION: CAS
> WHEN: Fri Mar 08 04:15:13 CET 2019
> CLIENT IP ADDRESS: 82.185.105.200
> SERVER IP ADDRESS: 10.132.0.5
> =============================================================
>
>
> 2019-03-08 04:15:18,663 INFO 
> [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - Audit 
> trail record BEGIN
> =============================================================
> WHO: UT0A011
> WHAT: Supplied credentials: 
> [org.apereo.cas.authentication.principal.ClientCredential@3126759e[id=UT0A011]]
> ACTION: AUTHENTICATION_SUCCESS
> APPLICATION: CAS
> WHEN: Fri Mar 08 04:15:18 CET 2019
> CLIENT IP ADDRESS: 82.185.105.200
> SERVER IP ADDRESS: 10.132.0.5
> =============================================================
>
>
> 2019-03-08 04:15:18,673 INFO 
> [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - Audit 
> trail record BEGIN
> =============================================================
> WHO: UT0A011
> WHAT: 
> TGT-**************************************************pBoZWWSfQ6-cascredem
> ACTION: TICKET_GRANTING_TICKET_CREATED
> APPLICATION: CAS
> WHEN: Fri Mar 08 04:15:18 CET 2019
> CLIENT IP ADDRESS: 82.185.105.200
> SERVER IP ADDRESS: 10.132.0.5
> =============================================================
>
>
> 2019-03-08 04:15:18,688 INFO 
> [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - Audit 
> trail record BEGIN
> =============================================================
> WHO: UT0A011
> *WHAT: ST-75348-AAc95fO7MjnEmpjFeJbE-cascredem for 
> https://myhostname/c/portal/login?redirect=%2Fgroup%2Fguest%2Fdocumenti%3Ffiltro1%3Dtipodoc%26filtro1val%3Doggetti%26filtro2%3Dtitle%26filtro2val%3DTool%2520People%26open%3Dtrue%26utm_source%3Dintranet&p_l_id=212
>  
> <https://myhostname/c/portal/login?redirect=%2Fgroup%2Fguest%2Fdocumenti%3Ffiltro1%3Dtipodoc%26filtro1val%3Doggetti%26filtro2%3Dtitle%26filtro2val%3DTool%2520People%26open%3Dtrue%26utm_source%3Dintranet&p_l_id=212>*
> 80
> ACTION: SERVICE_TICKET_CREATED
> APPLICATION: CAS
> WHEN: Fri Mar 08 04:15:18 CET 2019
>
> 2019-03-08 04:15:18,926 INFO 
> [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - Audit 
> trail record BEGIN
> =============================================================
> WHO: UT0A011
> WHAT: ST-75348-AAc95fO7MjnEmpjFeJbE-cascredem
> ACTION: SERVICE_TICKET_VALIDATED
> APPLICATION: CAS
> WHEN: Fri Mar 08 04:15:18 CET 2019
> CLIENT IP ADDRESS: 127.0.0.1
> SERVER IP ADDRESS: 127.0.0.1
> =============================================================
>
> -- 
> Ray Bon
> Programmer analyst
> Development Services, University Systems
> 2507218831 | CLE 019 | rb...@uvic.ca
>
>
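
The pattern in the two audit excerpts above (a TICKET_GRANTING_TICKET_DESTROYED record followed seconds later by a service ticket whose URL has lost its query string) can be searched for in cas_audit.log. This is an added example, not part of the original messages or of CAS; it assumes unwrapped, unquoted records, and the 60-second window, the "no query string" heuristic, the helper names and the sample records are all constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# One Inspektr record: timestamped header line, bar, field lines, bar.
RECORD = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d),\d+ .*?Audit trail record BEGIN\n"
    r"=+\n(?P<body>.*?)\n=+$", re.S | re.M)

def parse(text):
    """Return one dict per audit record (field name -> value, plus 'ts')."""
    records = []
    for m in RECORD.finditer(text):
        f = dict(l.split(": ", 1) for l in m["body"].splitlines() if ": " in l)
        f["ts"] = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        records.append(f)
    return records

def stale_tgc_logins(records, window=timedelta(seconds=60)):
    """For each destroyed TGT, report the next service ticket issued to the
    same client IP within `window` and whether its URL has no query string."""
    hits = []
    for i, r in enumerate(records):
        if r.get("ACTION") != "TICKET_GRANTING_TICKET_DESTROYED":
            continue
        for n in records[i + 1:]:
            if n["ts"] - r["ts"] > window:
                break
            if (n.get("ACTION") == "SERVICE_TICKET_CREATED"
                    and n.get("CLIENT IP ADDRESS") == r.get("CLIENT IP ADDRESS")):
                service = n["WHAT"].split(" for ", 1)[-1]
                hits.append({"when": r["ts"], "user": n["WHO"], "service": service,
                             "query_lost": "?" not in service})
                break
    return hits

def rec(ts, who, what, action, ip):
    """Build one constructed record in the audit layout quoted in the thread."""
    bar = "=" * 61
    return (f"{ts} INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager]"
            f" - Audit trail record BEGIN\n{bar}\nWHO: {who}\nWHAT: {what}\n"
            f"ACTION: {action}\nAPPLICATION: CAS\nWHEN: {ts}\n"
            f"CLIENT IP ADDRESS: {ip}\nSERVER IP ADDRESS: 10.0.0.5\n{bar}\n\n")

# Constructed sample: placeholder users, tickets, host and addresses.
URL = "https://app.example.org/c/portal/login"
SAMPLE = (
    rec("2019-03-08 05:33:21,076", "audit:unknown", "TGT-****old-example", "TICKET_GRANTING_TICKET_DESTROYED", "192.0.2.10")
    + rec("2019-03-08 05:33:24,955", "user1", "TGT-****new-example", "TICKET_GRANTING_TICKET_CREATED", "192.0.2.10")
    + rec("2019-03-08 05:33:25,533", "user1", f"ST-1-example for {URL}", "SERVICE_TICKET_CREATED", "192.0.2.10")
    + rec("2019-03-08 06:00:00,000", "user2", f"ST-2-example for {URL}?redirect=%2Fdocs", "SERVICE_TICKET_CREATED", "192.0.2.20"))
```

Running `stale_tgc_logins(parse(open("cas_audit.log").read()))` over a real log lists each login that followed a stale TGC, with `query_lost` marking the ones that landed without the original service parameters.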
