Thank you for the quick answer!!
Adding cas.authn.saml-idp.core.session-storage-type=TICKET_REGISTRY fixed our problem!

Kind regards,

Fotis

On 15/11/21 5:57 PM, Jérôme LELEU wrote:
Hi,

Did you configure the clustering for the SAML server support?

# |cas.authn.saml-idp.core.session-storage-type=HTTP|

Indicates whether saml requests, and other session data, collected as part of SAML flows and requests that are kept by the container http session, local storage, or should be replicated across the cluster. Available values are as follows:

  * |HTTP|: Saml requests, and other session data collected as part of
    SAML flows and requests are kept in the http servlet session that
    is local to the server.
  * |BROWSER_SESSION_STORAGE|: Saml requests, and other session data
    collected as part of SAML flows and requests are kept in the
    client browser's session storage, signed and encrypted. SAML2
    interactions require client-side read/write operations to restore
    the session from the browser.
  * |TICKET_REGISTRY|: Saml requests, and other session data collected
    as part of SAML flows and requests are tracked as CAS tickets in
    the registry and replicated across the entire cluster as tickets.

Thanks.
Best regards,
Jérôme


On Mon, 15 Nov 2021 at 16:50, Fotis Memis <[email protected]> wrote:

    Hello,

    Has anyone tried to deploy 6.4 version of CAS in a clustered
    environment? We are facing some problems in SAML services, regarding
    session management, that do not happen in our 6.3.7 deployment.

    Specifically we are seeing the following error:

    Nov 15 16:28:01 example.com CAS[catalina-exec-21]: [ERROR] Forwarding to error page from request [/idp/profile/SAML2/Callback] due to exception [SAML request or context could not be determined from session store] - org.springframework.boot.web.servlet.support.ErrorPageFilter
    java.lang.IllegalArgumentException: SAML request or context could not be determined from session store
        at org.apereo.cas.support.saml.web.idp.profile.AbstractSamlIdPProfileHandlerController.lambda$retrieveAuthenticationRequest$3(AbstractSamlIdPProfileHandlerController.java:639) ~[cas-server-support-saml-idp-web-6.4.1.jar:6.4.1]
        at java.util.Optional.orElseThrow(Optional.java:408) ~[?:?]
        at org.apereo.cas.support.saml.web.idp.profile.AbstractSamlIdPProfileHandlerController.retrieveAuthenticationRequest(AbstractSamlIdPProfileHandlerController.java:639) ~[cas-server-support-saml-idp-web-6.4.1.jar:6.4.1]
        at org.apereo.cas.support.saml.web.idp.profile.sso.SSOSamlIdPProfileCallbackHandlerController.handleProfileRequest(SSOSamlIdPProfileCallbackHandlerController.java:88) ~[cas-server-support-saml-idp-web-6.4.1.jar:6.4.1]
        at org.apereo.cas.support.saml.web.idp.profile.sso.SSOSamlIdPProfileCallbackHandlerController.handleCallbackProfileRequestGet(SSOSamlIdPProfileCallbackHandlerController.java:60) ~[cas-server-support-saml-idp-web-6.4.1.jar:6.4.1]
        at jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:?]
        at jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[?:?]
        at jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:?]
        at java.lang.reflect.Method.invoke(Method.java:566) ~[?:?]
        at org.springframework.util.ReflectionUtils.invokeMethod(ReflectionUtils.java:282) ~[spring-core-5.3.9.jar:5.3.9]
        at org.springframework.cloud.context.scope.GenericScope$LockedScopedProxyFactoryBean.invoke(GenericScope.java:485) ~[spring-cloud-context-3.0.3.jar:3.0.3]
        at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:186) ~[spring-aop-5.3.9.jar:5.3.9]
        at org.springframework.aop.framework.CglibAopProxy$CglibMethodInvocation.proceed(CglibAopProxy.java:750) ~[spring-aop-5.3.9.jar:5.3.9]
        at org.springframework.aop.framework.CglibAopProxy$DynamicAdvisedInterceptor.intercept(CglibAopProxy.java:692) ~[spring-aop-5.3.9.jar:5.3.9]
        at org.apereo.cas.support.saml.web.idp.profile.sso.SSOSamlIdPProfileCallbackHandlerController$$EnhancerBySpringCGLIB$$bc6144ef.handleCallbackProfileRequestGet(<generated>) ~[cas-server-support-saml-idp-web-6.4.1.jar:6.4.1]
        at jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:?]
        at jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[?:?]
        at jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:?]
        at java.lang.reflect.Method.invoke(Method.java:566) ~[?:?]
        at org.springframework.web.method.support.InvocableHandlerMethod.doInvoke(InvocableHandlerMethod.java:197) ~[spring-web-5.3.9.jar:5.3.9]
        at org.springframework.web.method.support.InvocableHandlerMethod.invokeForRequest(InvocableHandlerMethod.java:141) ~[spring-web-5.3.9.jar:5.3.9]
        at org.springframework.web.servlet.mvc.method.annotation.ServletInvocableHandlerMethod.invokeAndHandle(ServletInvocableHandlerMethod.java:106) ~[spring-webmvc-5.3.9.jar:5.3.9]
        at org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter.invokeHandlerMethod(RequestMappingHandlerAdapter.java:895) ~[spring-webmvc-5.3.9.jar:5.3.9]
        at org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter.handleInternal(RequestMappingHandlerAdapter.java:808) ~[spring-webmvc-5.3.9.jar:5.3.9]
        at org.springframework.web.servlet.mvc.method.AbstractHandlerMethodAdapter.handle(AbstractHandlerMethodAdapter.java:87) ~[spring-webmvc-5.3.9.jar:5.3.9]
        at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:1064) ~[spring-webmvc-5.3.9.jar:5.3.9]
        at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:963) ~[spring-webmvc-5.3.9.jar:5.3.9]
        at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:1006) ~[spring-webmvc-5.3.9.jar:5.3.9]
        at org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:898) ~[spring-webmvc-5.3.9.jar:5.3.9]
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:634) ~[tomcat9-servlet-api.jar:?]
        at org.springframework.web.servlet.FrameworkServlet.service(FrameworkServlet.java:883) ~[spring-webmvc-5.3.9.jar:5.3.9]
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:741) ~[tomcat9-servlet-api.jar:?]
        at jdk.internal.reflect.GeneratedMethodAccessor414.invoke(Unknown Source) ~[?:?]
        at jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:?]
        at java.lang.reflect.Method.invoke(Method.java:566) ~[?:?]
        at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:282) ~[tomcat9-catalina-9.0.31.jar:9.0.31]
        at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:279) ~[tomcat9-catalina-9.0.31.jar:9.0.31]
        at java.security.AccessController.doPrivileged(Native Method) ~[?:?]
        at javax.security.auth.Subject.doAsPrivileged(Subject.java:550) ~[?:?]
        at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:314) ~[tomcat9-catalina-9.0.31.jar:9.0.31]
        at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:170) ~[tomcat9-catalina-9.0.31.jar:9.0.31]
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:225) ~[tomcat9-catalina-9.0.31.jar:9.0.31]
        at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:47) ~[tomcat9-catalina-9.0.31.jar:9.0.31]
        at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:149) ~[tomcat9-catalina-9.0.31.jar:9.0.31]
        at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:145) ~[tomcat9-catalina-9.0.31.jar:9.0.31]
        at java.security.AccessController.doPrivileged(Native Method) ~[?:?]
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:144) ~[tomcat9-catalina-9.0.31.jar:9.0.31]
        at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:53) ~[tomcat9-websocket-9.0.31.jar:9.0.31]
        at jdk.internal.reflect.GeneratedMethodAccessor244.invoke(Unknown Source) ~[?:?]
        at jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:?]
        at java.lang.reflect.Method.invoke(Method.java:566) ~[?:?]
        at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:282) ~[tomcat9-catalina-9.0.31.jar:9.0.31]
        at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:279) ~[tomcat9-catalina-9.0.31.jar:9.0.31]
        at java.security.AccessController.doPrivileged(Native Method) ~[?:?]
        at javax.security.auth.Subject.doAsPrivileged(Subject.java:550) ~[?:?]
        at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:314) ~[tomcat9-catalina-9.0.31.jar:9.0.31]
        at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:253) ~[tomcat9-catalina-9.0.31.jar:9.0.31]
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:191) ~[tomcat9-catalina-9.0.31.jar:9.0.31]
        at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:47) ~[tomcat9-catalina-9.0.31.jar:9.0.31]
        at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:149) ~[tomcat9-catalina-9.0.31.jar:9.0.31]
        at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:145) ~[tomcat9-catalina-9.0.31.jar:9.0.31]
        at java.security.AccessController.doPrivileged(Native Method) ~[?:?]
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:144) ~[tomcat9-catalina-9.0.31.jar

    PS: We deploy our cas.war files to 2 external tomcats, and use redis
    for our ticket registry. Please note that, as mentioned above, our
    setup works fine with version 6.3.7.

    Kind regards,

    Fotis



-- - Website: https://apereo.github.io/cas <https://apereo.github.io/cas>
    - Gitter Chatroom: https://gitter.im/apereo/cas
    <https://gitter.im/apereo/cas>
    - List Guidelines: https://goo.gl/1VRrw7 <https://goo.gl/1VRrw7>
    - Contributions: https://goo.gl/mh7qDG <https://goo.gl/mh7qDG>
    ---
    You received this message because you are subscribed to the Google
    Groups "CAS Community" group.
    To unsubscribe from this group and stop receiving emails from it,
    send an email to [email protected]
    <mailto:cas-user%[email protected]>.
    To view this discussion on the web visit
    
https://groups.google.com/a/apereo.org/d/msgid/cas-user/cf0a49b8-f335-b448-c7c0-37900e1bf3ef%40gunet.gr
    
<https://groups.google.com/a/apereo.org/d/msgid/cas-user/cf0a49b8-f335-b448-c7c0-37900e1bf3ef%40gunet.gr>.

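The failure discussed in this thread, as an added illustration that is not part of the original messages and is not CAS code: a toy model of two nodes behind a load balancer, showing why the `HTTP` storage type loses the SAML request when the callback lands on the other node while `TICKET_REGISTRY` does not. The class and function names are hypothetical, and the model assumes the balancer does not pin a browser to one node.

```python
# Toy model only: Node and run_flow are hypothetical names, not CAS APIs.
# Assumption: the load balancer alternates nodes (no sticky sessions).
import itertools
import secrets


class Node:
    def __init__(self, name, storage_type, shared_registry):
        self.name = name
        self.storage_type = storage_type   # "HTTP" or "TICKET_REGISTRY"
        self.local_sessions = {}           # servlet sessions, local to this node
        self.registry = shared_registry    # stands in for the replicated ticket registry

    def _store(self):
        # HTTP keeps SAML state on the node; TICKET_REGISTRY shares it cluster-wide.
        return self.local_sessions if self.storage_type == "HTTP" else self.registry

    def start_sso(self, authn_request):
        """Receive the AuthnRequest and park it until the callback arrives."""
        key = secrets.token_hex(8)         # stands in for the session or ticket id
        self._store()[key] = authn_request
        return key

    def callback(self, key):
        """Model of the /idp/profile/SAML2/Callback step from the stack trace."""
        request = self._store().get(key)
        if request is None:
            raise LookupError(
                "SAML request or context could not be determined from session store")
        return f"{self.name} issued response for {request}"


def run_flow(storage_type):
    """Send the two legs of one SAML login to alternating nodes."""
    registry = {}
    nodes = [Node("cas1", storage_type, registry),
             Node("cas2", storage_type, registry)]
    balancer = itertools.cycle(nodes)
    key = next(balancer).start_sso("AuthnRequest(constructed-sp)")  # constructed sample
    try:
        return next(balancer).callback(key)
    except LookupError as exc:
        return f"error: {exc}"


if __name__ == "__main__":
    for mode in ("HTTP", "TICKET_REGISTRY"):
        print(mode, "->", run_flow(mode))
```
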