Hi,

Did you configure the clustering for the SAML server support?

- cas.authn.saml-idp.core.session-storage-type=HTTP

Indicates whether saml requests, and other session data, collected as part of SAML flows and requests that are kept by the container http session, local storage, or should be replicated across the cluster. Available values are as follows:

- HTTP: Saml requests, and other session data collected as part of SAML flows and requests are kept in the http servlet session that is local to the server.
- BROWSER_SESSION_STORAGE: Saml requests, and other session data collected as part of SAML flows and requests are kept in the client browser's session storage, signed and encrypted. SAML2 interactions require client-side read/write operations to restore the session from the browser.
- TICKET_REGISTRY: Saml requests, and other session data collected as part of SAML flows and requests are tracked as CAS tickets in the registry and replicated across the entire cluster as tickets.

Thanks.
Best regards,
Jérôme

On Mon, Nov 15, 2021 at 16:50, Fotis Memis <[email protected]> wrote:

> Hello,
>
> Has anyone tried to deploy 6.4 version of CAS in a clustered
> environment? We are facing some problems in SAML services, regarding
> session management, that do not happen in our 6.3.7 deployment.
>
> Specifically we are seeing the following error:
>
> Nov 15 16:28:01 example.com CAS[catalina-exec-21]: [ERROR] Forwarding to error page from request [/idp/profile/SAML2/Callback] due to exception [SAML request or context could not be determined from session store] - org.springframework.boot.web.servlet.support.ErrorPageFilter
> java.lang.IllegalArgumentException: SAML request or context could not be determined from session store
>     at org.apereo.cas.support.saml.web.idp.profile.AbstractSamlIdPProfileHandlerController.lambda$retrieveAuthenticationRequest$3(AbstractSamlIdPProfileHandlerController.java:639) ~[cas-server-support-saml-idp-web-6.4.1.jar:6.4.1]
>     at java.util.Optional.orElseThrow(Optional.java:408) ~[?:?]
>     at org.apereo.cas.support.saml.web.idp.profile.AbstractSamlIdPProfileHandlerController.retrieveAuthenticationRequest(AbstractSamlIdPProfileHandlerController.java:639) ~[cas-server-support-saml-idp-web-6.4.1.jar:6.4.1]
>     at org.apereo.cas.support.saml.web.idp.profile.sso.SSOSamlIdPProfileCallbackHandlerController.handleProfileRequest(SSOSamlIdPProfileCallbackHandlerController.java:88) ~[cas-server-support-saml-idp-web-6.4.1.jar:6.4.1]
>     at org.apereo.cas.support.saml.web.idp.profile.sso.SSOSamlIdPProfileCallbackHandlerController.handleCallbackProfileRequestGet(SSOSamlIdPProfileCallbackHandlerController.java:60) ~[cas-server-support-saml-idp-web-6.4.1.jar:6.4.1]
>     at jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:?]
>     at jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[?:?]
>     at jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:?]
>     at java.lang.reflect.Method.invoke(Method.java:566) ~[?:?]
>     at org.springframework.util.ReflectionUtils.invokeMethod(ReflectionUtils.java:282) ~[spring-core-5.3.9.jar:5.3.9]
>     at org.springframework.cloud.context.scope.GenericScope$LockedScopedProxyFactoryBean.invoke(GenericScope.java:485) ~[spring-cloud-context-3.0.3.jar:3.0.3]
>     at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:186) ~[spring-aop-5.3.9.jar:5.3.9]
>     at org.springframework.aop.framework.CglibAopProxy$CglibMethodInvocation.proceed(CglibAopProxy.java:750) ~[spring-aop-5.3.9.jar:5.3.9]
>     at org.springframework.aop.framework.CglibAopProxy$DynamicAdvisedInterceptor.intercept(CglibAopProxy.java:692) ~[spring-aop-5.3.9.jar:5.3.9]
>     at org.apereo.cas.support.saml.web.idp.profile.sso.SSOSamlIdPProfileCallbackHandlerController$$EnhancerBySpringCGLIB$$bc6144ef.handleCallbackProfileRequestGet(<generated>) ~[cas-server-support-saml-idp-web-6.4.1.jar:6.4.1]
>     at jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:?]
>     at jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[?:?]
>     at jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:?]
>     at java.lang.reflect.Method.invoke(Method.java:566) ~[?:?]
>     at org.springframework.web.method.support.InvocableHandlerMethod.doInvoke(InvocableHandlerMethod.java:197) ~[spring-web-5.3.9.jar:5.3.9]
>     at org.springframework.web.method.support.InvocableHandlerMethod.invokeForRequest(InvocableHandlerMethod.java:141) ~[spring-web-5.3.9.jar:5.3.9]
>     at org.springframework.web.servlet.mvc.method.annotation.ServletInvocableHandlerMethod.invokeAndHandle(ServletInvocableHandlerMethod.java:106) ~[spring-webmvc-5.3.9.jar:5.3.9]
>     at org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter.invokeHandlerMethod(RequestMappingHandlerAdapter.java:895) ~[spring-webmvc-5.3.9.jar:5.3.9]
>     at org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter.handleInternal(RequestMappingHandlerAdapter.java:808) ~[spring-webmvc-5.3.9.jar:5.3.9]
>     at org.springframework.web.servlet.mvc.method.AbstractHandlerMethodAdapter.handle(AbstractHandlerMethodAdapter.java:87) ~[spring-webmvc-5.3.9.jar:5.3.9]
>     at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:1064) ~[spring-webmvc-5.3.9.jar:5.3.9]
>     at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:963) ~[spring-webmvc-5.3.9.jar:5.3.9]
>     at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:1006) ~[spring-webmvc-5.3.9.jar:5.3.9]
>     at org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:898) ~[spring-webmvc-5.3.9.jar:5.3.9]
>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:634) ~[tomcat9-servlet-api.jar:?]
>     at org.springframework.web.servlet.FrameworkServlet.service(FrameworkServlet.java:883) ~[spring-webmvc-5.3.9.jar:5.3.9]
>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:741) ~[tomcat9-servlet-api.jar:?]
>     at jdk.internal.reflect.GeneratedMethodAccessor414.invoke(Unknown Source) ~[?:?]
>     at jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:?]
>     at java.lang.reflect.Method.invoke(Method.java:566) ~[?:?]
>     at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:282) ~[tomcat9-catalina-9.0.31.jar:9.0.31]
>     at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:279) ~[tomcat9-catalina-9.0.31.jar:9.0.31]
>     at java.security.AccessController.doPrivileged(Native Method) ~[?:?]
>     at javax.security.auth.Subject.doAsPrivileged(Subject.java:550) ~[?:?]
>     at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:314) ~[tomcat9-catalina-9.0.31.jar:9.0.31]
>     at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:170) ~[tomcat9-catalina-9.0.31.jar:9.0.31]
>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:225) ~[tomcat9-catalina-9.0.31.jar:9.0.31]
>     at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:47) ~[tomcat9-catalina-9.0.31.jar:9.0.31]
>     at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:149) ~[tomcat9-catalina-9.0.31.jar:9.0.31]
>     at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:145) ~[tomcat9-catalina-9.0.31.jar:9.0.31]
>     at java.security.AccessController.doPrivileged(Native Method) ~[?:?]
>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:144) ~[tomcat9-catalina-9.0.31.jar:9.0.31]
>     at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:53) ~[tomcat9-websocket-9.0.31.jar:9.0.31]
>     at jdk.internal.reflect.GeneratedMethodAccessor244.invoke(Unknown Source) ~[?:?]
>     at jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:?]
>     at java.lang.reflect.Method.invoke(Method.java:566) ~[?:?]
>     at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:282) ~[tomcat9-catalina-9.0.31.jar:9.0.31]
>     at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:279) ~[tomcat9-catalina-9.0.31.jar:9.0.31]
>     at java.security.AccessController.doPrivileged(Native Method) ~[?:?]
>     at javax.security.auth.Subject.doAsPrivileged(Subject.java:550) ~[?:?]
>     at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:314) ~[tomcat9-catalina-9.0.31.jar:9.0.31]
>     at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:253) ~[tomcat9-catalina-9.0.31.jar:9.0.31]
>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:191) ~[tomcat9-catalina-9.0.31.jar:9.0.31]
>     at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:47) ~[tomcat9-catalina-9.0.31.jar:9.0.31]
>     at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:149) ~[tomcat9-catalina-9.0.31.jar:9.0.31]
>     at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:145) ~[tomcat9-catalina-9.0.31.jar:9.0.31]
>     at java.security.AccessController.doPrivileged(Native Method) ~[?:?]
>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:144) ~[tomcat9-catalina-9.0.31.jar
>
> PS: We deploy our cas.war files to 2 external tomcats, and use redis for
> our ticket registry. Please note that, as mentioned above, our setup
> works fine with version 6.3.7.
>
> Kind regards,
>
> Fotis
>
> --
> - Website: https://apereo.github.io/cas
> - Gitter Chatroom: https://gitter.im/apereo/cas
> - List Guidelines: https://goo.gl/1VRrw7
> - Contributions: https://goo.gl/mh7qDG
> ---
> You received this message because you are subscribed to the Google Groups
> "CAS Community" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> To view this discussion on the web visit
> https://groups.google.com/a/apereo.org/d/msgid/cas-user/cf0a49b8-f335-b448-c7c0-37900e1bf3ef%40gunet.gr
> .
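
Added example, not part of the original thread and not CAS code: a simplified Python model of the failure discussed above, where the SAML request is stored on one Tomcat node and the `/idp/profile/SAML2/Callback` request lands on the other. The node names, the round-robin balancer, the `sticky` flag and the sample request are constructed assumptions; `BROWSER_SESSION_STORAGE` is not modelled.

```python
"""Toy model of SAML IdP session storage on a two-node cluster (not CAS code)."""
import itertools

ERROR = "SAML request or context could not be determined from session store"


class Node:
    def __init__(self, name, shared_registry):
        self.name = name
        self.http_sessions = {}          # servlet sessions, local to this node
        self.registry = shared_registry  # ticket registry shared by all nodes

    def _store(self, storage_type):
        if storage_type == "HTTP":
            return self.http_sessions
        if storage_type == "TICKET_REGISTRY":
            return self.registry
        raise ValueError(f"storage type not modelled: {storage_type}")

    def receive_authn_request(self, storage_type, session_id, authn_request):
        # Step 1: the SP's AuthnRequest arrives and is parked until login completes.
        self._store(storage_type)[session_id] = authn_request

    def handle_callback(self, storage_type, session_id):
        # Step 2: /idp/profile/SAML2/Callback must find the parked request again.
        try:
            return self._store(storage_type)[session_id]
        except KeyError:
            raise LookupError(f"{self.name}: {ERROR}") from None


def run_flow(storage_type, sticky):
    """Return the restored request, or the error text if the callback node lacks it."""
    registry = {}
    nodes = [Node("tomcat-1", registry), Node("tomcat-2", registry)]  # hypothetical names
    balancer = itertools.cycle(nodes)    # round-robin; constructed for the example
    first = next(balancer)
    first.receive_authn_request(storage_type, "sess-1", "<AuthnRequest ID='_constructed'/>")
    second = first if sticky else next(balancer)
    try:
        return second.handle_callback(storage_type, "sess-1")
    except LookupError as exc:
        return str(exc)


if __name__ == "__main__":
    for storage, sticky in [("HTTP", False), ("HTTP", True), ("TICKET_REGISTRY", False)]:
        print(f"{storage:16} sticky={sticky!s:5} -> {run_flow(storage, sticky)}")
```

In this model only the `HTTP` mode without node affinity reproduces the error text from the log; the shared-registry mode restores the request regardless of which node handles the callback.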
