Sam, We switched from shibcas to SAML protocol. I know this does not solve your problem, but is an alternative.
Ray ________________________________ From: 'Samuel Harmon' via CAS Community <[email protected]> Sent: February 27, 2026 11:04 To: CAS Community <[email protected]> Cc: Samuel Harmon <[email protected]> Subject: [cas-user] Re: CAS Error - "Parameter [entityId] had multiple values" Some updates: We added "cas-server-support-shibboleth" to our WAR file (we hadn't included that in 6.6), with hopes that it might somehow help with this issue. It did not. On our dev system I also added the optional parameter to specify your IdP's URL in application.properties. That led to CAS logging one "Service Access Granted" (as expected), as well as 20 "Service Access Denied" entries, and slowing page rendering considerably. Sam On Friday, February 20, 2026 at 2:31:17 PM UTC-5 Samuel Harmon wrote: We recently upgraded our CAS servers from 6.6.x to 7.3.3, and we're seeing some unusual behavior that didn't happen before. Our setup is two CAS nodes with tickets distributed via Hazelcast and services stored in LDAP, and we do use Shibcas to allow us to use CAS as the frontend for our Shibboleth IdPs. Shibcas is configured with the default shibcas.entityIdLocation value (append), and it has been set up like this for as long as we've used it. Sometimes on our production servers since the upgrade (not all the time, maybe 1 out of every 10 attempts, and it comes from all potential entityIds), the user ends up getting a 500 error from CAS upon referral from the IdPs: 2026-02-20 10:42:06,727 ERROR [org.apereo.cas.web.support.filters.AbstractSecurityFilter] - <jakarta.servlet.ServletException: This request is blocked: Parameter [entityId] had multiple values [[google.com/a/case.edu?service=https://login.case.edu/idp/Authn/External?conversation=e1s2<http://google.com/a/case.edu?service=https://login.case.edu/idp/Authn/External?conversation=e1s2>, google.com/a/case.edu<http://google.com/a/case.edu>]] but at most one value is allowable. AbstractSecurityFilter.java:throwException:42 AbstractSecurityFilter.java:throwException:26 RequestParameterPolicyEnforcementFilter.java:doFilter:390 ApplicationFilterChain.java:doFilter:107 Has anyone else seen something like this before? Thanks, Sam -- - Website: https://apereo.github.io/cas - List Guidelines: https://goo.gl/1VRrw7 - Contributions: https://goo.gl/mh7qDG --- You received this message because you are subscribed to the Google Groups "CAS Community" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]<mailto:[email protected]>. To view this discussion visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/e1212c5e-9590-4f8d-b7f7-54a5ecff4247n%40apereo.org<https://groups.google.com/a/apereo.org/d/msgid/cas-user/e1212c5e-9590-4f8d-b7f7-54a5ecff4247n%40apereo.org?utm_medium=email&utm_source=footer>. -- - Website: https://apereo.github.io/cas - List Guidelines: https://goo.gl/1VRrw7 - Contributions: https://goo.gl/mh7qDG --- You received this message because you are subscribed to the Google Groups "CAS Community" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/YQBP288MB0081765FD55083C6AAE1DDFACE73A%40YQBP288MB0081.CANP288.PROD.OUTLOOK.COM.
