Troubleshooting CAS authentication, "Invalid cas ticket"

I am having trouble using CAS with my Gitlab instance. Although the CAS provider is shibboleth, I didn’t want to get into Apache configuration. so I’d like to stick with getting CAS to work.

I am given a “Sign in with” option, and the link takes me to the CAS authentication screen, where I can sign in and get redirected back to the sign_in screen. However, I am not logged in, and a red error bar at the top reads:

Could not authenticate you from CAS3 because "Invalid cas ticket"

The CAS admin says that their logs look correct on their end. How can I troubleshoot this problem?

  1. How can I find out the root cause of “Invalid cas ticket”? I don’t see that phrase in any of my logs under /var/log/gitlab.
  2. Is there a way to get more verbose logs? Primarily what data is received in the communication directly between the server and the CAS provider?

Here is my gitlab.rb config:

 gitlab_rails['omniauth_providers'] = [
     "name" => "cas3",
     "label" => "XXX",
     "args" => {
         "url"=> '',
         "login_url"=> '/shibboleth-idp/profile/cas/login',
         "service_validate_url"=> '/shibboleth-idp/profile/cas/validate',
         "logout_url"=> '/shibboleth-idp/profile/cas/logout'