Paul,
Add these to your CAS log config to see details about the CAS side of the logout process:
<!-- DEBUG service status and logout process and a lot of details -->
<AsyncLogger name="org.apereo.cas.logout" level="debug" />
<!-- INFO  Performing logout operations for [TGT-...]
           [number] logout requests were processed
     DEBUG ST, principal and URL -->
<AsyncLogger name="org.apereo.cas.logout.DefaultLogoutManager" level="debug">
  <Filters>
    <ThresholdFilter level="INFO" onMatch="ACCEPT" onMismatch="NEUTRAL" />
    <RegexFilter regex="Captured logout request.*" onMismatch="DENY" />
  </Filters>
</AsyncLogger>
<!-- DEBUG "Logout request will be sent to ..." but does not print anything
     when login was through SAML 1.1 -->
<AsyncLogger name="org.apereo.cas.logout.DefaultSingleLogoutServiceLogoutUrlBuilder" level="debug" />
<!-- DEBUG preparing, processing and logout with URL and ST -->
<AsyncLogger name="org.apereo.cas.logout.DefaultSingleLogoutServiceMessageHandler" level="debug" />
<!-- DEBUG SAML logout payload -->
<AsyncLogger name="org.apereo.cas.logout.SamlCompliantLogoutMessageCreator" level="debug" />
<!-- DEBUG "Response code from server matched [###]", may be useful for
     debugging a proxy
     "Created HTTP post message payload [POST URL]" on logout -->
<AsyncLogger name="org.apereo.cas.util.http.SimpleHttpClient" level="debug" />
Ray
On Sun, 2018-04-01 at 15:21 -0700, paul li wrote:
Hi
My team is working with CAS (5.2.3) and delegated SAML authentication via the pac4j
libraries. What we have so far:
1. 3 separate services, each is configured through spring to authenticate
with CAS.
2. CAS is configured to delegate authentication to SAML IDP via
cas.properties config
3. We extended the ClientAuthenticationHandler with small changes and
registered it through a @Configuration class.
With this basic setup, we are able to get the SSO to work correctly across the
services, against okta sample IDP, with a flow similar to this:
SP -> CAS -> Delegate Authentication -> Redirect to IDP -> Input credentials ->
IDP returns SAML response -> CasAuthenticationFilter finishes the
authentication and ST issuing -> System redirects the original ‘service’ url.
However, when we try to get single logout (SLO) to work with the existing
framework, we have had no luck.
It appears the system is only logging out the local service, but not the other
services.
What we have at the moment:
For each service module, we have the following configured:
1. LogoutFilter via Spring bean
2. SingleSignOutFilter via web.xml or Spring bean
3. SingleSignOutHttpSessionListener in web.xml
Also, we have a ServiceRegistry JSON with logoutType: BACK_CHANNEL
Spring config:
<http use-expressions="true" entry-point-ref="casAuthenticationEntryPoint">
  <intercept-url pattern="/resources/**" access="permitAll" />
  <intercept-url pattern="/manifest" access="permitAll" method="GET" />
  <intercept-url pattern="/**" access="isAuthenticated()" />
  <!-- csrf protection is disabled here -->
  <csrf disabled="true" />
  <custom-filter ref="requestSingleLogoutFilter" before="LOGOUT_FILTER" />
  <custom-filter ref="singleLogoutFilter" before="CAS_FILTER" />
  <custom-filter ref="casAuthenticationFilter" after="CAS_FILTER" />
</http>
<bean id="singleLogoutFilter"
      class="org.jasig.cas.client.session.SingleSignOutFilter"
      p:ignoreInitConfiguration="true"  <!-- not sure if we need this -->
      p:casServerUrlPrefix="${cas.server.app}/" />
<bean id="requestSingleLogoutFilter"
      class="org.springframework.security.web.authentication.logout.LogoutFilter"
      p:filterProcessesUrl="/logout/cas/">
  <constructor-arg value="${cas.server.app}/logout?service=${calendar.client.app}/" />
  <constructor-arg>
    <bean class="org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler" />
  </constructor-arg>
</bean>
In web.xml of each module, we have:
<listener>
  <listener-class>org.jasig.cas.client.session.SingleSignOutHttpSessionListener</listener-class>
</listener>
<filter>
  <filter-name>CAS Single Sign Out Filter</filter-name>
  <filter-class>org.jasig.cas.client.session.SingleSignOutFilter</filter-class>
</filter>
<filter-mapping>
  <filter-name>CAS Single Sign Out Filter</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>
Service registry:
{
"@class": "org.apereo.cas.services.RegexRegisteredService",
"serviceId": "^(http|https|imaps)://.*",
"name": "HTTPS and IMAPS",
"id": 10000001,
"description": "This service definition authorizes all application urls that
support HTTPS and IMAPS protocols.",
"evaluationOrder": 1,
"logoutType" : "BACK_CHANNEL",
….
Problem:
When we issue a logout via https://localhost:8443/platformadmin/logout/cas/,
we see that the LogoutFilter is triggered and in doFilter() the session is invalidated.
SingleSignOutHttpSessionListener#sessionDestroyed() is triggered immediately
after.
Then the SingleLogoutFilter is triggered, and in its SingleSignOutHandler#process(..)
method the BACK_CHANNEL logout is triggered.
In the console log, however, I only see that the ST of the current service
(platformadmin) is destroyed.
If we access any modules other than platformadmin, we are directed to the app
automatically.
It seems we are only logged out of the current service module (local logout),
but not out of the other service modules.
What configuration are we missing? I see posts in this group where they have
SLO working.
We'd much appreciate it if someone could provide a summary of their configuration.
Please let us know if you have any advice.
Thanks!
--
Ray Bon
Programmer analyst
Development Services, University Systems
2507218831 | CLE 019 | [email protected]
--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
To view this discussion on the web visit
https://groups.google.com/a/apereo.org/d/msgid/cas-user/1522772926.1799.3.camel%40uvic.ca.
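The thread above turns on what happens on the client side of a BACK_CHANNEL logout: CAS POSTs a form field named `logoutRequest`, carrying a SAML LogoutRequest whose `SessionIndex` is the service ticket (ST) that was validated when the session was created, and the client's SingleSignOutFilter must map that ST back to the HTTP session it issued and invalidate it. The following is an added example, not code from the thread or from the Jasig/Apereo client: a small Python model of that exchange. The message builder stands in for CAS's SamlCompliantLogoutMessageCreator with constructed sample values (ID, IssueInstant), and the names SessionStore, record_login, session_index_from and handle_back_channel_logout are this example's own, not the client library's API.

```python
"""Model of CAS back-channel single logout as seen by a client application.

Added example; not code from the CAS server or the Jasig/Apereo Java client.
It shows the two halves the Java client's SingleSignOutFilter joins together:
  1. after ticket validation, remember ST -> HTTP session;
  2. on a POST carrying `logoutRequest`, pull the ST out of the SAML
     LogoutRequest's SessionIndex and invalidate the mapped session.
An ST that was never recorded (or was recorded in another JVM's in-memory
map) cannot be mapped, so the handler returns None and nothing is logged out.
"""
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"


def build_logout_request(ticket, request_id="LR-1", issue_instant="2018-04-01T22:21:00Z"):
    """Constructed stand-in for the CAS-side message; ID/IssueInstant are sample data."""
    return (
        f'<samlp:LogoutRequest xmlns:samlp="{SAMLP}" ID="{request_id}" '
        f'Version="2.0" IssueInstant="{issue_instant}">'
        f'<saml:NameID xmlns:saml="{SAML}">@NOT_USED@</saml:NameID>'
        f'<samlp:SessionIndex>{ticket}</samlp:SessionIndex>'
        f'</samlp:LogoutRequest>'
    )


def build_back_channel_body(ticket):
    """Form body of the POST CAS makes to the service URL recorded for `ticket`."""
    return urlencode({"logoutRequest": build_logout_request(ticket)})


class SessionStore:
    """Plays the role of the client's session-mapping storage plus the
    servlet container's sessions (the Java client keeps an in-memory map)."""

    def __init__(self):
        self._session_by_ticket = {}   # ST -> session id
        self.sessions = {}             # session id -> session state

    def record_login(self, ticket, session_id, user="user"):
        """Call once /serviceValidate has succeeded for `ticket`."""
        self.sessions[session_id] = {"user": user, "ticket": ticket, "active": True}
        self._session_by_ticket[ticket] = session_id

    def invalidate_by_ticket(self, ticket):
        """Invalidate the session created for `ticket`; None if unknown."""
        session_id = self._session_by_ticket.pop(ticket, None)
        if session_id is None:
            return None
        self.sessions[session_id]["active"] = False
        return session_id


def session_index_from(xml_text):
    """Return the SessionIndex text of a SAML LogoutRequest.

    Matches on local name only, as the Java client's XML helper does, so the
    namespace prefix CAS chooses does not matter. xml.etree does not fetch
    external entities, which is what you want when parsing a message that
    arrives over HTTP from another host.
    """
    root = ET.fromstring(xml_text)
    if root.tag.rsplit("}", 1)[-1] != "LogoutRequest":
        raise ValueError("not a LogoutRequest")
    for element in root.iter():
        if element.tag.rsplit("}", 1)[-1] == "SessionIndex" and (element.text or "").strip():
            return element.text.strip()
    raise ValueError("LogoutRequest carries no SessionIndex")


def handle_back_channel_logout(store, method, body):
    """Model of the filter's back-channel branch.

    Only a POST with a `logoutRequest` form field is a logout request; any
    other request is ordinary application traffic and is left alone.
    Returns the invalidated session id, or None if nothing was logged out.
    """
    if method != "POST":
        return None
    form = parse_qs(body)
    logout_request = form.get("logoutRequest")
    if not logout_request:
        return None
    ticket = session_index_from(logout_request[0])
    return store.invalidate_by_ticket(ticket)


if __name__ == "__main__":
    # Constructed walk-through: two apps, each with its own ST, CAS logs one out.
    store = SessionStore()
    store.record_login("ST-1-abc-cas", "SESS-A")
    store.record_login("ST-2-def-cas", "SESS-B")
    print(handle_back_channel_logout(store, "POST", build_back_channel_body("ST-1-abc-cas")))
    print(store.sessions)
```

The point for the thread: every application that should drop its session on SLO needs its own ST recorded at validation time and its own service URL reachable from the CAS server for the POST, since each logout request carries exactly one SessionIndex. A request whose ST the application never saw, or saw in a different node's in-memory map, is silently a no-op.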