E_SERVICE_MISMATCH when login URL and validate URL don't match

Paul B. Henson henson at cpp.edu
Tue Feb 27 15:18:28 EST 2018

One of our apps developers inquired about an error they were receiving when they were trying to deep link directly into a portal in our uPortal deployment, for example:


Looking in the logs, the only thing I can see is that the service URL when the ticket is acquired is:

2018-02-27 12:02:29,935 - INFO [net.shibboleth.idp.cas.flow.impl.GrantServiceTicketAction:123] - Granted service ticket for https://my-tst.cpp.edu/uPortal/Login?refUrl=/uPortal/p/cpp-important-dates []

But the service URL when the ticket is validated is truncated: - - [27/Feb/2018:12:02:30 -0800] "GET /idp/profile/cas/serviceValidate?ticket=ST-1519761749934-wbmzKPwbbKQ
ZRrs4WJGhFaAXs&service=https%3A%2F%2Fmy-tst.cpp.edu%2FuPortal%2FLogin HTTP/1.1" 200 230 "-" "Java/1.8.0_152"

My assumption is that the error is the result of these two not matching. Per the protocol specification, it just says that for the validate call it should be "the identifier of the service for which the ticket was issued". I'm not sure what actual CAS server does, and whether this is a difference in behavior between it and the idp CAS support. The service definition in my configuration is a regex "https://my\.cpp\.edu/uPortal/Login.*", so both of those URLs should match the same service.

Any thoughts? Is this a bug in uPortal? Or the idp being more strict than CAS server?

Thanks much...

Paul B. Henson  |  (909) 979-6361  |  http://www.cpp.edu/~henson/
Operating Systems and Network Analyst  |  henson at cpp.edu
California State Polytechnic University  |  Pomona CA 91768

More information about the users mailing list