I think what is happening is that CAS uses the proxy host to create the logout url. You can put logs in debug mode and then see the actual url that is trying to call to logout. CAS also needs the cert for the host it will call in its truststore to be able to make the call for logout. My guess is that either the proxy is not set up to forward the logout end point to the apache server, or CAS cannot establish trust with the proxy.
On Thu, Aug 18, 2016 at 9:17 AM David Abney <[email protected]> wrote: > Travis, > > > > Below are the settings I used to try to get the mod_auth_cas logout to > work, but I was still unsuccessful. I guess it may have something to do > with the fact that I am using a proxy server. > > > > Since I am using Ubuntu, my mod_auth_cas settings are in > /etc/apache2/mods-enabled/auth_cas.conf and they look like this: > > CASCookiePath /var/cache/apache2/mod_auth_cas/ > > CASLoginURL [my cas server login url] > > CASValidateURL [my cas server validate url] > > CASDebug On > > CASVersion 2 > > #Only if using SAML > > #CASValidateSAML Off > > #CASAttributeDelimiter ; > > CASSSOEnabled On > > CASCertificatePath /etc/ssl/certs > > > > <Location /> > > AuthType CAS > > CASAuthNHeader [my HTTP Header value] > > require valid-user > > CASScope / > > </Location> > > > > For my proxy server I have the logout type set to BACK_CHANNEL and my > registered service looks like this: > > { > > "@class" : "org.jasig.cas.services.RegexRegisteredService", > > "serviceId" : "[my proxy server url]", > > "name" : "CAS-PROXY", > > "id" : 8, > > "description" : "Allows connections from CAS Proxy", > > "proxyPolicy" : { > > "@class" : "org.jasig.cas.services.RefuseRegisteredServiceProxyPolicy" > > }, > > "evaluationOrder" : 8, > > "usernameAttributeProvider" : { > > "@class" : > "org.jasig.cas.services.DefaultRegisteredServiceUsernameProvider" > > }, > > "logoutType" : "BACK_CHANNEL", > > "attributeReleasePolicy" : { > > "@class" : > "org.jasig.cas.services.ReturnAllowedAttributeReleasePolicy", > > "principalAttributesRepository" : { > > "@class" : > "org.jasig.cas.authentication.principal.DefaultPrincipalAttributesRepository" > > }, > > "authorizedToReleaseCredentialPassword" : false, > > "authorizedToReleaseProxyGrantingTicket" : false > > }, > > "accessStrategy" : { > > "@class" : > "org.jasig.cas.services.DefaultRegisteredServiceAccessStrategy", > > "enabled" : true, > > "ssoEnabled" : true > > } > > } > > > > Thanks, > > > > –––––––––––––––––––– > > *David Abney* > > ITS Web Developer/Programmer > > > > 600 West Walnut Street > > Danville, Kentucky 40422 > > 859.238.5761 > > > > [image: email_logo] > > www.centre.edu > > > > *From:* Travis Schmidt [mailto:[email protected]] > *Sent:* Thursday, August 18, 2016 11:18 AM > > > *To:* David Abney <[email protected]>; [email protected] > *Subject:* Re: [cas-user] Mod_auth_cas Logout Question > > > > Make sure "CASSSOEnabled On" is set in httpd.conf. If you are using a > Service Registry in CAS, make sure the Logout Channel is enabled and set to > BACK_CHANNEL. This is working for me, but I don't have a proxy in the > middle either. > > > > > > On Thu, Aug 18, 2016 at 7:20 AM David Abney <[email protected]> > wrote: > > I am using mod_auth_cas v1.1 with a proxy server to login to our PaperCut > system using CAS v4.2. We can set a logout URL in PaperCut, which is set > to the CAS server logout URL. So, when I logout of PaperCut, it appears I > am logged out of PaperCut and CAS, but if I go back to the proxy server > then mod_auth_cas still logs me back into PaperCut without redirecting me > to CAS to login again. > > > > Is there a way to logout of my session with mod_auth_cas or clear my > mod_auth_cas cookie? > > > > Thanks, > > > > –––––––––––––––––––– > > *David Abney* > > ITS Web Developer/Programmer > > > > 600 West Walnut Street > > Danville, Kentucky 40422 > > 859.238.5761 > > > > [image: email_logo] > > www.centre.edu > > > > -- > You received this message because you are subscribed to the Google Groups > "CAS Community" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to [email protected]. > To post to this group, send email to [email protected]. > Visit this group at https://groups.google.com/a/apereo.org/group/cas-user/ > . > To view this discussion on the web visit > https://groups.google.com/a/apereo.org/d/msgid/cas-user/2d6df68f9efe48e2891c540e083a406b%40Exchange-MB2.centre.edu > <https://groups.google.com/a/apereo.org/d/msgid/cas-user/2d6df68f9efe48e2891c540e083a406b%40Exchange-MB2.centre.edu?utm_medium=email&utm_source=footer> > . > For more options, visit https://groups.google.com/a/apereo.org/d/optout. > > -- You received this message because you are subscribed to the Google Groups "CAS Community" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To post to this group, send email to [email protected]. Visit this group at https://groups.google.com/a/apereo.org/group/cas-user/. To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAC_RtEYnk%2BBoX96RK8R2KLn%2BZvLR%3DeJ19TNf%3Dx1DCr1C7oh2VQ%40mail.gmail.com. For more options, visit https://groups.google.com/a/apereo.org/d/optout.
