Ramakrishna,
During log out when CAS contacts your service (where mod_auth_cas is), it does
so with https. You need to install the custom certificate that is on your
service into the jvm running CAS.
sudo keytool -import -file ${certName} -alias ${aliasName} -keystore $JAVA_HOME/jre/lib/security/cacerts
https://apereo.github.io/cas/developer/Build-Process-5X.html#configure-ssl
Ray
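The HTTPS call Ray describes is the CAS back-channel single-logout POST, whose SAML payload appears in the log further down in this thread. As an added example (not code from the CAS project or from mod_auth_cas), here is the receiving side of that exchange written in Python: it takes the form-encoded body CAS sends, pulls the service ticket out of `<samlp:SessionIndex>`, and destroys the local session that was created with that ticket. The session store is a hypothetical stand-in for a client's session cache, and the sample request is constructed for the example, reusing the ticket id from the thread's log.

```python
"""Minimal CAS back-channel single-logout (SLO) receiver.

Added example; this is not code from the CAS project or from mod_auth_cas.
It shows the client side of the HTTPS POST discussed in this thread: CAS
sends a SAML LogoutRequest in the "logoutRequest" form field, the client
pulls the service ticket out of <samlp:SessionIndex> and destroys the local
session that was created with that ticket. The session store below is a
hypothetical stand-in for a real client's session cache; the sample request
is constructed for the example, reusing the ticket id from the thread's log.
"""
import xml.etree.ElementTree as ET
from typing import Dict, Optional
from urllib.parse import parse_qs, urlencode

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"

# Hypothetical session store: service ticket that created the session -> local session id.
SESSIONS_BY_TICKET: Dict[str, str] = {
    "ST-3-Ca79ror-smWCKyQzaBNn0ZYt6l0-client": "local-session-42",
}


def extract_session_index(xml_text: str) -> str:
    """Return the SessionIndex (the service ticket) of a SAML LogoutRequest.

    Raises ValueError for anything that is not a well-formed LogoutRequest.
    The message arrives from the network, so a DOCTYPE or entity declaration
    is rejected before parsing instead of letting expat expand entities.
    """
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("DOCTYPE/ENTITY declarations are not accepted")
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        raise ValueError(f"malformed XML: {exc}") from None
    if root.tag != f"{{{SAMLP}}}LogoutRequest":
        raise ValueError(f"unexpected root element {root.tag}")
    index = root.find(f"{{{SAMLP}}}SessionIndex")
    if index is None or not (index.text or "").strip():
        raise ValueError("LogoutRequest carries no SessionIndex")
    return index.text.strip()


def handle_back_channel_logout(body: str, sessions: Dict[str, str]) -> Optional[str]:
    """Process one back-channel POST body (application/x-www-form-urlencoded).

    Returns the id of the local session that was destroyed, or None when the
    ticket is unknown: already logged out, or the session lives on another
    node of the client (a load-balanced client needs a shared store for this).
    """
    params = parse_qs(body, keep_blank_values=True)
    if "logoutRequest" not in params:
        raise ValueError("POST body has no logoutRequest field")
    ticket = extract_session_index(params["logoutRequest"][0])
    return sessions.pop(ticket, None)


# Constructed sample with the same shape as the LogoutRequest CAS logged in this thread.
SAMPLE_LOGOUT_REQUEST = (
    '<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'ID="LR-1-vL8zdM8-dQR8rayaAYJJz6d2" Version="2.0" IssueInstant="2018-05-17T11:50:46Z">'
    '<saml:NameID xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">@NOT_USED@</saml:NameID>'
    '<samlp:SessionIndex>ST-3-Ca79ror-smWCKyQzaBNn0ZYt6l0-client</samlp:SessionIndex>'
    '</samlp:LogoutRequest>'
)


def sample_body() -> str:
    """The form-encoded body CAS would POST, built from the sample request."""
    return urlencode({"logoutRequest": SAMPLE_LOGOUT_REQUEST})


if __name__ == "__main__":
    store = dict(SESSIONS_BY_TICKET)
    print(handle_back_channel_logout(sample_body(), store))  # local-session-42
    print(handle_back_channel_logout(sample_body(), store))  # None: already removed
```

The important design point for the set-up discussed here is the last line of `handle_back_channel_logout`: the request can only remove a session that this node knows about. When CAS cannot deliver the POST at all (a certificate it does not trust, or a target that is not the real client), nothing on the client side ever runs, which is why the client's own session and cookie survive the CAS logout.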
On Fri, 2018-05-18 at 11:04 +0530, Ramakrishna G wrote:
Ray,
Let me explain my architecture to you. I have a CAS client (mod_auth_cas) which
redirects to an NGINX load balancer. The nginx forwards to one of the active CAS
servers. Do I need to install certificates on all CAS servers?
The user requests Mod_auth_cas via HTTPS, but I am doing SSL stripping for
internal communication from Nginx to the CAS server, i.e. plain HTTP communication
is happening from nginx to the CAS server.
Can you please guide me on how I can achieve logout for my approach.
On Thu, May 17, 2018 at 9:49 PM, Ray Bon <[email protected]> wrote:
Ramakrishna,
Add this to the log config:
<AsyncLogger name="org.apereo.cas.util.http" level="debug" />
The above may produce a lot of messages.
It looks to be a problem with CAS contacting your client. It could be a
certificate issue.
I guess you created a certificate since it is on a 192 ip. Did you add the
certificate to the java key store? If CAS and your client are on different
machines, then the certificate will need to be added to both.
Ray
On Thu, 2018-05-17 at 12:01 +0530, Ramakrishna G wrote:
Hi Ray,
As said by you, I enabled logs and this is the output
2018-05-17 11:50:46,479 INFO [org.apereo.cas.logout.DefaultLogoutManager] -
<Performing logout operations for
[TGT-2-*********************************************************eGcHG1JqHs-client]>
2018-05-17 11:50:46,501 DEBUG
[org.apereo.cas.logout.DefaultSingleLogoutServiceMessageHandler] - <Processing
logout request for service
[org.apereo.cas.authentication.principal.SimpleWebApplicationServiceImpl@432f5faa[id=https://192.168.111.12:8443/,originalUrl=https://192.168.111.12:8443/,artifactId=<null>,principal=casuser,loggedOutAlready=false,format=XML]]...>
2018-05-17 11:50:46,503 DEBUG
[org.apereo.cas.logout.DefaultSingleLogoutServiceMessageHandler] - <Service
[org.apereo.cas.authentication.principal.SimpleWebApplicationServiceImpl@432f5faa[id=https://192.168.111.12:8443/,originalUrl=https://192.168.111.12:8443/,artifactId=<null>,principal=casuser,loggedOutAlready=false,format=XML]]
supports single logout and is found in the registry as [id=10000001,name=HTTPS
and IMAPS,description=This service definition authorizes all application urls
that support HTTPS and IMAPS
protocols.,serviceId=^(https|imaps)://.*,usernameAttributeProvider=org.apereo.cas.services.DefaultRegisteredServiceUsernameProvider@d,theme=<null>,evaluationOrder=10000,logoutType=BACK_CHANNEL,attributeReleasePolicy=org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy@15646ed9[attributeFilter=<null>,principalAttributesRepository=org.apereo.cas.authentication.principal.DefaultPrincipalAttributesRepository@7923006f[],authorizedToReleaseCredentialPassword=false,authorizedToReleaseAuthenticationAttributes=true,authorizedToReleaseProxyGrantingTicket=false,excludeDefaultAttributes=false,principalIdAttribute=<null>,consentPolicy=org.apereo.cas.services.consent.DefaultRegisteredServiceConsentPolicy@330ae512[excludedAttributes=<null>,includeOnlyAttributes=<null>,enabled=true],allowedAttributes=[]],accessStrategy=org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy@5bc47191[enabled=true,ssoEnabled=true,requireAllAttributes=true,requiredAttributes={},unauthorizedRedirectUrl=<null>,caseInsensitive=false,rejectedAttributes={}],publicKey=<null>,proxyPolicy=org.apereo.cas.services.RefuseRegisteredServiceProxyPolicy@2cd156ce,logo=<null>,logoutUrl=<null>,requiredHandlers=[],properties={},multifactorPolicy=org.apereo.cas.services.DefaultRegisteredServiceMultifactorPolicy@6dc092b8[multifactorAuthenticationProviders=[],failureMode=NOT_SET,principalAttributeNameTrigger=<null>,principalAttributeValueToMatch=<null>,bypassEnabled=false],informationUrl=<null>,privacyUrl=<null>,contacts=[],expirationPolicy=org.apereo.cas.services.DefaultRegisteredServiceExpirationPolicy@687fb318[deleteWhenExpired=false,notifyWhenDeleted=false,expirationDate=<null>],<null>].
Proceeding...>
2018-05-17 11:50:46,514 DEBUG
[org.apereo.cas.logout.DefaultSingleLogoutServiceMessageHandler] - <Prepared
logout url [https://192.168.111.12:8443/] for service
[org.apereo.cas.authentication.principal.SimpleWebApplicationServiceImpl@432f5faa[id=https://192.168.111.12:8443/,originalUrl=https://192.168.111.12:8443/,artifactId=<null>,principal=casuser,loggedOutAlready=false,format=XML]]>
2018-05-17 11:50:46,515 DEBUG
[org.apereo.cas.logout.DefaultSingleLogoutServiceMessageHandler] - <Creating
logout request for
[org.apereo.cas.authentication.principal.SimpleWebApplicationServiceImpl@432f5faa[id=https://192.168.111.12:8443/,originalUrl=https://192.168.111.12:8443/,artifactId=<null>,principal=casuser,loggedOutAlready=false,format=XML]]
and ticket id [ST-3-Ca79ror-smWCKyQzaBNn0ZYt6l0-client]>
2018-05-17 11:50:46,517 DEBUG
[org.apereo.cas.logout.DefaultSingleLogoutServiceMessageHandler] - <Logout
request
[org.apereo.cas.logout.DefaultLogoutRequest@61e23890[ticketId=ST-3-Ca79ror-smWCKyQzaBNn0ZYt6l0-client,service=org.apereo.cas.authentication.principal.SimpleWebApplicationServiceImpl@432f5faa[id=https://192.168.111.12:8443/,originalUrl=https://192.168.111.12:8443/,artifactId=<null>,principal=casuser,loggedOutAlready=false,format=XML],status=NOT_ATTEMPTED]]
created for
[org.apereo.cas.authentication.principal.SimpleWebApplicationServiceImpl@432f5faa[id=https://192.168.111.12:8443/,originalUrl=https://192.168.111.12:8443/,artifactId=<null>,principal=casuser,loggedOutAlready=false,format=XML]]
and ticket id [ST-3-Ca79ror-smWCKyQzaBNn0ZYt6l0-client]>
2018-05-17 11:50:46,518 DEBUG
[org.apereo.cas.logout.DefaultSingleLogoutServiceMessageHandler] - <Logout type
registered for
[org.apereo.cas.authentication.principal.SimpleWebApplicationServiceImpl@432f5faa[id=https://192.168.111.12:8443/,originalUrl=https://192.168.111.12:8443/,artifactId=<null>,principal=casuser,loggedOutAlready=false,format=XML]]
is [BACK_CHANNEL]>
2018-05-17 11:50:46,519 DEBUG
[org.apereo.cas.logout.DefaultSingleLogoutServiceMessageHandler] - <Creating
back-channel logout request based on
[org.apereo.cas.logout.DefaultLogoutRequest@61e23890[ticketId=ST-3-Ca79ror-smWCKyQzaBNn0ZYt6l0-client,service=org.apereo.cas.authentication.principal.SimpleWebApplicationServiceImpl@432f5faa[id=https://192.168.111.12:8443/,originalUrl=https://192.168.111.12:8443/,artifactId=<null>,principal=casuser,loggedOutAlready=false,format=XML],status=NOT_ATTEMPTED]]>
2018-05-17 11:50:46,522 DEBUG
[org.apereo.cas.logout.SamlCompliantLogoutMessageCreator] - <Generated logout
message: [<samlp:LogoutRequest
xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
ID="LR-1-vL8zdM8-dQR8rayaAYJJz6d2" Version="2.0"
IssueInstant="2018-05-17T11:50:46Z"><saml:NameID
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">@NOT_USED@</saml:NameID><samlp:SessionIndex>ST-3-Ca79ror-smWCKyQzaBNn0ZYt6l0-client</samlp:SessionIndex></samlp:LogoutRequest>]>
2018-05-17 11:50:46,522 DEBUG
[org.apereo.cas.logout.DefaultSingleLogoutServiceMessageHandler] - <Preparing
logout request for [https://192.168.111.12:8443/] to
[https://192.168.111.12:8443/]>
2018-05-17 11:50:46,547 DEBUG
[org.apereo.cas.logout.DefaultSingleLogoutServiceMessageHandler] - <Prepared
logout message to send is
[org.apereo.cas.logout.LogoutHttpMessage@e0bb76[url=https://192.168.111.12:8443/,message=<samlp:LogoutRequest
xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
ID="LR-1-vL8zdM8-dQR8rayaAYJJz6d2" Version="2.0"
IssueInstant="2018-05-17T11:50:46Z"><saml:NameID
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">@NOT_USED@</saml:NameID><samlp:SessionIndex>ST-3-Ca79ror-smWCKyQzaBNn0ZYt6l0-client</samlp:SessionIndex></samlp:LogoutRequest>,asynchronous=false,contentType=application/x-www-form-urlencoded,responseCode=0]].
Sending...>
2018-05-17 11:50:46,659 WARN
[org.apereo.cas.logout.DefaultSingleLogoutServiceMessageHandler] - <Logout
message is not sent to [https://192.168.111.12:8443/]; Continuing processing...>
2018-05-17 11:50:46,661 INFO [org.apereo.cas.logout.DefaultLogoutManager] -
<[1] logout requests were processed>
2018-05-17 11:50:46,668 INFO
[org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit
trail record BEGIN
=============================================================
WHO: casuser
WHAT:
TGT-2-*********************************************************eGcHG1JqHs-client
ACTION: TICKET_GRANTING_TICKET_DESTROYED
APPLICATION: CAS
WHEN: Thu May 17 11:50:46 IST 2018
CLIENT IP ADDRESS: 192.168.111.12
SERVER IP ADDRESS: 192.168.111.12
=============================================================
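The log above is easy to misread because the one record that matters, the WARN "Logout message is not sent", sits among a dozen DEBUG dumps of the service definition. As an added example (not part of this thread, of CAS, or of mod_auth_cas), here is a small Python triage script that walks CAS logout records of this kind and reports, per logout, which back-channel target URLs were prepared, which service ticket each carried, and which targets CAS failed to deliver to. The records it runs on are constructed for the example: the thread's own lines, reduced to one line per record as CAS writes them, without the long service dumps.

```python
"""Triage CAS single-logout log records for undelivered back-channel requests.

Added example; not part of this thread, of CAS, or of mod_auth_cas. It reads
log records of the kind quoted above (DefaultSingleLogoutServiceMessageHandler
at DEBUG and DefaultLogoutManager at INFO/WARN) and reports, for one logout,
which back-channel target URLs were prepared, which service ticket each one
carried, and which targets CAS could not deliver to, so that a
"Logout message is not sent" warning is surfaced rather than lost among the
DEBUG noise. The records below are constructed for the example: the thread's
own lines, shortened to one line per record and without the long service
dumps.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Tuple

RECORD = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) "
    r"(?P<level>[A-Z]+) \[(?P<logger>[\w.]+)\] - <(?P<msg>.*)>$"
)
PREPARED = re.compile(r"Prepared logout url \[(?P<url>[^\]]+)\]")
TICKET = re.compile(r"Creating logout request for .* and ticket id \[(?P<st>[^\]]+)\]")
NOT_SENT = re.compile(r"Logout message is not sent to \[(?P<url>[^\]]+)\]")
PROCESSED = re.compile(r"\[(?P<n>\d+)\] logout requests were processed")


@dataclass
class SloReport:
    prepared: Dict[str, str] = field(default_factory=dict)  # target url -> service ticket
    failed: List[str] = field(default_factory=list)         # targets with a WARN
    processed: int = 0                                      # count reported by DefaultLogoutManager


def triage(records: Iterable[str]) -> SloReport:
    """Walk the records in order and collect the SLO outcome per target URL."""
    report = SloReport()
    current_url = None  # the URL most recently prepared; the ticket record follows it
    for raw in records:
        m = RECORD.match(raw.strip())
        if not m:
            continue  # not a CAS record (wrapped continuation, blank line, audit banner)
        level, msg = m["level"], m["msg"]
        if p := PREPARED.search(msg):
            current_url = p["url"]
            report.prepared.setdefault(current_url, "")
        elif (t := TICKET.search(msg)) and current_url:
            report.prepared[current_url] = t["st"]
        elif level == "WARN" and (n := NOT_SENT.search(msg)):
            report.failed.append(n["url"])
        elif c := PROCESSED.search(msg):
            report.processed = int(c["n"])
    return report


def undelivered(report: SloReport) -> List[Tuple[str, str]]:
    """(url, service ticket) pairs whose logout request never reached the client."""
    return [(url, report.prepared.get(url, "")) for url in report.failed]


# Constructed sample records, one per line as CAS writes them.
SAMPLE_LOG = [
    "2018-05-17 11:50:46,479 INFO [org.apereo.cas.logout.DefaultLogoutManager] - "
    "<Performing logout operations for [TGT-2-...-client]>",
    "2018-05-17 11:50:46,514 DEBUG [org.apereo.cas.logout.DefaultSingleLogoutServiceMessageHandler] - "
    "<Prepared logout url [https://192.168.111.12:8443/] for service "
    "[SimpleWebApplicationServiceImpl@432f5faa[id=https://192.168.111.12:8443/]]>",
    "2018-05-17 11:50:46,515 DEBUG [org.apereo.cas.logout.DefaultSingleLogoutServiceMessageHandler] - "
    "<Creating logout request for [SimpleWebApplicationServiceImpl@432f5faa[id=https://192.168.111.12:8443/]] "
    "and ticket id [ST-3-Ca79ror-smWCKyQzaBNn0ZYt6l0-client]>",
    "2018-05-17 11:50:46,659 WARN [org.apereo.cas.logout.DefaultSingleLogoutServiceMessageHandler] - "
    "<Logout message is not sent to [https://192.168.111.12:8443/]; Continuing processing...>",
    "2018-05-17 11:50:46,661 INFO [org.apereo.cas.logout.DefaultLogoutManager] - "
    "<[1] logout requests were processed>",
]


if __name__ == "__main__":
    for url, st in undelivered(triage(SAMPLE_LOG)):
        print(f"undelivered back-channel logout: target={url} ticket={st}")
```

Run against a live log with `triage(open("cas.log"))`, the `undelivered` list is the thing to alert on: CAS counts the request as processed either way (the "[1] logout requests were processed" line), so the client's session only goes away if this list is empty for its URL.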
On Tue, May 15, 2018 at 11:59 PM, Ray Bon <[email protected]> wrote:
Ramakrishna,
If the TGT is destroyed, then that SSO session is also destroyed even if the
TGC is not (why TGC is not removed is odd).
If you are still logged in to the client application, your client may not be
part of single log out (SLO). It is up to the client to manage its own session.
When you say 'valid ticket', do you mean a new service ticket?
You can try these log4j2 options to see what is happening during the logout
process:
<!-- DEBUG service status and logout process and a lot of details -->
<AsyncLogger name="org.apereo.cas.logout" level="info" />
<!-- INFO Performing logout operations for [TGT-...]
     [number] logout requests were processed
     DEBUG ST, principal and URL -->
<AsyncLogger name="org.apereo.cas.logout.DefaultLogoutManager" level="info">
    <Filters>
        <ThresholdFilter level="INFO" onMatch="ACCEPT" onMismatch="NEUTRAL" />
        <RegexFilter regex="Captured logout request.*" onMismatch="DENY" />
    </Filters>
</AsyncLogger>
<!-- DEBUG Logout request will be sent to but does not print anything
     when login was through SAML 1.1 -->
<AsyncLogger name="org.apereo.cas.logout.DefaultSingleLogoutServiceLogoutUrlBuilder" level="warn" />
<!-- DEBUG preparing, processing and logout with URL and ST -->
<AsyncLogger name="org.apereo.cas.logout.DefaultSingleLogoutServiceMessageHandler" level="debug" />
<!-- DEBUG SAML logout payload -->
<AsyncLogger name="org.apereo.cas.logout.SamlCompliantLogoutMessageCreator" level="debug" />
Ray
On Tue, 2018-05-15 at 15:58 +0530, Ramakrishna G wrote:
On clicking logout, which calls the cas/logout link:
WHO: casuser
WHAT:
TGT-1-*********************************************************CPmWzMzi-I-client
ACTION: TICKET_GRANTING_TICKET_DESTROYED
APPLICATION: CAS
WHEN: Tue May 15 15:45:17 IST 2018
CLIENT IP ADDRESS: 192.168.111.12
SERVER IP ADDRESS: 192.168.111.12
=============================================================
But I can see that in the browser the TGC cookie still resides, which forces
me to delete the cookies or close the browser for a fresh login. Is there any
way to avoid this?
On Sat, May 12, 2018 at 1:45 PM, Ramakrishna G <[email protected]> wrote:
Yes, it is redirected to the logout page, yet the cookies are not removed. When I
refresh, it redirects to the application with a valid ticket instead of redirecting
to the login page.
On Fri, May 11, 2018 at 8:39 PM, Ray Bon <[email protected]> wrote:
Ramakrishna,
If the browser is redirected to /cas/logout, the cookies will/should be removed.
Ray
On Fri, 2018-05-11 at 19:30 +0530, Ramakrishna G wrote:
Hello Team,
On logout, CAS cookies are not removed from the browser. I need to clear them forcefully.
What might be the reason?
Thanks
Ramakrishna G
--
Ray Bon
Programmer analyst
Development Services, University Systems
2507218831 | CLE 019 | [email protected]
--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
To view this discussion on the web visit
https://groups.google.com/a/apereo.org/d/msgid/cas-user/1526051367.1797.41.camel%40uvic.ca.