Finally, I found why the authentication works and the service validation does not work.

The setting cas.authn.policy.requiredHandlerAuthenticationPolicyEnabled=false indicates not to care about requiredHandlers defined in the service to allow authentication, but the service validation takes it into account. I tried to change the setting to *true* and the authentication did not work either. This helped me understand the purpose of the required authentication managers.

I finally realized that all the required authentication managers had to be successful in authenticating the user to authenticate the service. Since my 2 authentication managers contain 2 sets of different users, the authentication could never work. I removed the requiredHandlers line from the service definition and each service is now authenticated correctly.

After I found the solution, I took time to read the documentation carefully, and the purpose of this setting is documented. But sometimes, it is not easy to understand the subtlety of a text where there is no example.

On Wednesday, June 5, 2019 at 15:58:46 UTC-4, Christian Poirier wrote:
>
> Hi
>
> I have 4 stage environments. DEV, TEST, PREPROD and PROD
>
> The authentication works on the first 2 but not on the last 2.
>
> The error code I received is INVALID_SERVICE as shown in the following XML
> response
> <cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
> <cas:authenticationFailure code="INVALID_SERVICE">
> Ticket 'ST-2-NebQkEA0E-s5uqwpvia2zg1RbtUtlqauth-l-prod1'
> does not match supplied service.
> The original service was '
> http://127.0.0.1/login/login.aspx?ReturnUrl=/bottin/liste.aspx' and
> the supplied service was '
> http://127.0.0.1/login/login.aspx?ReturnUrl=/bottin/liste.aspx'.
> </cas:authenticationFailure>
> </cas:serviceResponse>
>
> If you look at the original service and supplied service, they are the same
> string value.
> http://127.0.0.1/login/login.aspx?ReturnUrl=/bottin/liste.aspx
> ==
> http://127.0.0.1/login/login.aspx?ReturnUrl=/bottin/liste.aspx
>
> If I use the DEV and TEST, they are OK.
> The configuration is the same for all servers except minor settings like
> names and LDAP referenced.
>
> Does anyone know what is happening?
>
> Thanks
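
The behaviour reported in the reply at the top of this thread, as a simplified model (an added example, not CAS source code and not part of the original posts). Handler names, users and the two service entries are constructed; the model assumes, as the reply reports, that the required-handler check is skipped at login when the policy is disabled but is always applied at ticket validation.

```python
# Simplified model of the behaviour described in this thread; not CAS code.
# Handler names, users and service entries are constructed for illustration.

HANDLERS = {  # two handlers backed by disjoint user sets, as in the reply
    "ldapStaff": {"alice": "pw-a"},
    "ldapPartners": {"bob": "pw-b"},
}

def successful_handlers(user, password):
    """Names of every handler that accepts this credential."""
    return {name for name, users in HANDLERS.items()
            if users.get(user) == password}

def satisfies_required(succeeded, required):
    """Service rule: every required handler must have succeeded."""
    return set(required) <= succeeded

def login(user, password, service, policy_enabled):
    """Login: the required-handler rule is enforced only if the policy is on."""
    succeeded = successful_handlers(user, password)
    if not succeeded:
        return None
    if policy_enabled and not satisfies_required(
            succeeded, service["requiredHandlers"]):
        return None
    return succeeded  # stands in for the authentication behind the ticket

def validate(succeeded, service):
    """Ticket validation: the service's required handlers always apply."""
    return satisfies_required(succeeded, service["requiredHandlers"])

def outcome(user, password, service, policy_enabled):
    auth = login(user, password, service, policy_enabled)
    if auth is None:
        return "login failed"
    if validate(auth, service):
        return "validated"
    return "login ok, validation failed"

BOTH_REQUIRED = {"requiredHandlers": ["ldapStaff", "ldapPartners"]}
NONE_REQUIRED = {"requiredHandlers": []}  # the line removed from the service

if __name__ == "__main__":
    for label, svc in (("both", BOTH_REQUIRED), ("none", NONE_REQUIRED)):
        for enabled in (False, True):
            print(label, enabled, outcome("alice", "pw-a", svc, enabled))
```

With disjoint user sets no user can satisfy both handlers, so a service that lists both can never validate, whichever way the policy setting is switched.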
