idp 3.3 CAS SSO to portal problem

Paul B. Henson henson at
Tue Aug 14 00:33:58 EDT 2018

On Tue, Aug 07, 2018 at 09:36:10AM -0700, Mathis, Bradley wrote:

> The error on my side is
> "Service issued for does not
> match"

I believe this error occurs when the CAS service ticket is issued for
one URL, but the service tries to validate it with a different one.

For example, if I look in my access log for the idp for a CAS
authentication, you see a login request for - - - [13/Aug/2018:21:30:19 -0700] "GET
HTTP/1.1" 302 - "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_5)
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.106

Then a serviceValidate for the same URL: - - [13/Aug/2018:21:30:21 -0700] "GET
HTTP/1.1" 200 231 "-" "Java/1.8.0_162"

Your service appears to be sending the user to /idp/profile/cas/login
with one URL, but then calling /idp/profile/cas/serviceValidate to
verify the ticket passing a different URL...

You should be able to verify this in the access log, and then you just
need to figure out why it's doing it :).

Paul B. Henson  |  (909) 979-6361  |
Operating Systems and Network Analyst  |  henson at
California State Polytechnic University  |  Pomona CA 91768

More information about the users mailing list