CAS protocol violation

Andrew Morgan morgan at
Mon Mar 12 16:51:30 EDT 2018

It appears that Shibboleth v3.3.1 does not generate Service Tickets that 
are compliant with the CAS Protocol specification when the 
encodingTicketService is used.  Specifically, the Service Tickets contain 
an underscore character.  The CAS Protocol only allows {A-Z, a-z, 0-9}, 
and the hyphen character {-}:

I found this issue while troubleshooting a problem with a mod_auth_cas 
v1.1 client that was looping continuously, adding a new ticket with every 
loop.  v1.1 of mod_auth_cas has stricter character set validation that 
earlier versions.  This issue was also identified in, and is probably the 
root cause of the incompatibility, not the ticket length.

Jira IDP-1018 mentions an incompatibility with mod_auth_cas that came up 
during testing.  Maybe this is it?  Is it possible to fix this issue in 
Shibboleth?  If this hasn't come up already, I'm happy to file a new Jira 
for it.


More information about the users mailing list