Update on the SLO issue we are having.
The SLO is working correctly if we don't delegate to SAML authentication.
If user is signed in from an *external IDP via SAML authentication *(we are
using okta apps at the moment),
the the logout action (/logout, or logout/cas/) invalidate the sessions,
but *does not logout the user from the IDP. (SLO flag on the IDP is
enabled)*
User just need to click a button on the CAS default login page
(loginform.html) again, and automatically redirected into the app.
We traced our code, and and on logout, we saw in
* org.apereo.cas.support.pac4j.web.flow.SAML2ClientLogoutAction.java*
following code is executed:
@Override
protected Event doExecute(final RequestContext requestContext) {
try {
final HttpServletRequest request = WebUtils.
getHttpServletRequestFromExternalWebflowContext(requestContext);
final HttpServletResponse response = WebUtils.
getHttpServletResponseFromExternalWebflowContext(requestContext);
final J2EContext context = Pac4jUtils.getPac4jJ2EContext(request
, response);
Client<?, ?> client;
try {
final String currentClientName = findCurrentClientName(
context); //<-----------this is returning null, but we are overwriting this
value in debug mode at the moment. likely something missed in the sso
authentication flow.
client = (currentClientName == null) ? null : clients.
findClient(currentClientName); //<-----------client is retrieved correctly
} catch(final TechnicalException e) {
// this exception indicates that the SAML2Client is not in
the list
LOGGER.debug("No SAML2 client found");
client = null;
}
// Call logout on SAML2 clients only
if (client instanceof SAML2Client) {
final SAML2Client saml2Client = (SAML2Client) client;
LOGGER.debug("Located SAML2 client [{}]", saml2Client);
final RedirectAction action = saml2Client.getLogoutAction(
context, null, null); //<-----------we see the correct slo url is generated
here in the format https://<okta samlapp url>/slo/saml?SAMLRequest=....
LOGGER.debug("Preparing logout message to send is [{}]",
action.getLocation());
action.perform(context); //<-----------this is executed
without exception
} else {
LOGGER.debug("The current client is not a SAML2 client or
it cannot be found at all, no logout action will be executed.");
}
} catch (final Exception e) {
LOGGER.warn(e.getMessage(), e);
}
return null;
}
but after this code is finished, we accessed the okta IDP and user is still
*signed
in*...even though on the CAS side, user is directed to the CAS login page.
We did come across couple of other posts in our investigations, seems to be
suggesting that SLO for SAML is not fully implemented yet..
e.g.
https://groups.google.com/forum/#!searchin/pac4j-users/saml$20slo$20not$20working%7Csort:date/pac4j-users/60-ndNhwsyI/N7au6ticBQAJ
Could someone confirm if SLO with SAML is working with CAS 5.2.3 or is
there something we are missing...
Thank you very much in advance!
Paul Li
--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
To view this discussion on the web visit
https://groups.google.com/a/apereo.org/d/msgid/cas-user/98d13813-cb56-4b35-842f-cddf736f42dd%40apereo.org.
