E_SERVICE_MISMATCH when login URL and validate URL don't match

Peter Schober peter.schober at univie.ac.at
Wed Feb 28 09:27:50 EST 2018

* Paul B. Henson <henson at cpp.edu> [2018-02-27 21:19]:
> 2018-02-27 12:02:29,935 - INFO
> [net.shibboleth.idp.cas.flow.impl.GrantServiceTicketAction:123] -
> Granted service ticket for
> https://my-tst.cpp.edu/uPortal/Login?refUrl=/uPortal/p/cpp-important-dates []
>
> But the service URL when the ticket is validated is truncated:
>
> - - [27/Feb/2018:12:02:30 -0800] "GET /idp/profile/cas/serviceValidate?ticket=ST-1519761749934-wbmzKPwbbKQ
> ZRrs4WJGhFaAXs&service=https%3A%2F%2Fmy-tst.cpp.edu%2FuPortal%2FLogin HTTP/1.1" 200 230 "-" "Java/1.8.0_152"
>
> My assumption is that the error is the result of these two not
> matching. Per the protocol specification, it just says that for the
> validate call it should be "the identifier of the service for which
> the ticket was issued". I'm not sure what the actual CAS server does,
> and whether this is a difference in behavior between it and the idp
> CAS support. The service definition in my configuration is a regex
> "https://my\.cpp\.edu/uPortal/Login.*", so both of those URLs should
> match the same service.

I know nothing about CAS and this may only be an artifact of your
email, but my-tst.cpp.edu is not matched by that regex for my.cpp.edu.
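
Added example, not part of either poster's message and not the IdP's own code: a Python check that applies both observations in this thread (the truncated `service` value and the host name in the regex) to the logged values. The function names are hypothetical, the ticket is replaced by a placeholder, and whole-string regex matching is an assumption about how the service definition is evaluated.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Values copied from the log excerpts quoted in the thread.
GRANTED_SERVICE = ("https://my-tst.cpp.edu/uPortal/Login"
                   "?refUrl=/uPortal/p/cpp-important-dates")
# "<ticket>" is a placeholder; the ticket value plays no part in the comparison.
VALIDATE_REQUEST = ("/idp/profile/cas/serviceValidate?ticket=<ticket>"
                    "&service=https%3A%2F%2Fmy-tst.cpp.edu%2FuPortal%2FLogin")
SERVICE_REGEX = r"https://my\.cpp\.edu/uPortal/Login.*"


def validated_service(request_target):
    """Return the URL-decoded `service` parameter of a serviceValidate request."""
    query = parse_qs(urlsplit(request_target).query)
    values = query.get("service", [])
    if len(values) != 1:
        raise ValueError("expected exactly one service parameter")
    return values[0]


def diagnose(granted, request_target, service_regex):
    """Compare the service a ticket was granted for with the one presented at
    validation, and test both against the configured service regex."""
    validated = validated_service(request_target)
    pattern = re.compile(service_regex)
    dropped = granted[len(validated):] if granted.startswith(validated) else None
    return {
        "validated_service": validated,
        # Exact string equality models the first poster's hypothesis only.
        "same_service_string": granted == validated,
        # Assumption: the regex must match the whole service URL.
        "granted_matches_regex": pattern.fullmatch(granted) is not None,
        "validated_matches_regex": pattern.fullmatch(validated) is not None,
        "dropped_suffix": dropped,
    }


if __name__ == "__main__":
    report = diagnose(GRANTED_SERVICE, VALIDATE_REQUEST, SERVICE_REGEX)
    for key, value in report.items():
        print(f"{key}: {value}")
```
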

