Ok Ray. Thanks for your help!! Anyone who has worked on mod_auth_cas along with CAS server, please guide me. My issue is that the MOD_AUTH_CAS_S cookie is not removed from the browser after logout.

Thanks
Ramakrishna G

On Tue, May 22, 2018 at 9:53 PM, Ray Bon <[email protected]> wrote:

> Ramakrishna,
>
> This now sounds like an issue on the client side. I have not used mod_auth_cas. Try debugging it and your client for how they handle the logout request.
>
> Ray
>
> On Tue, 2018-05-22 at 15:41 +0530, Ramakrishna G wrote:
>
> Ray,
>
> I was able to solve the SSL issue using OpenSSL. Now I am using https at both ends with a valid certificate.
>
> But my original problem of CAS not logging out still persists.
>
> On Sat, May 19, 2018 at 4:51 PM, Ramakrishna G <[email protected]> wrote:
>
> Ray,
>
> I configured SSL as advised by you. Now I have a different issue.
>
> When I use CASValidateURL with an https URL I get this Unauthorized error. If I remove https it works, but the logout issue still persists:
>
>     Unauthorized
>
>     This server could not verify that you are authorized to access the document requested. Either you supplied the wrong credentials (e.g., bad password), or your browser doesn't understand how to supply the credentials required.
>
> I am sharing my config:
>
>     CASCookiePath /var/cache/mod_auth_cas/
>     CASCertificatePath /etc/httpd/conf/casdev.crt
>     CASLoginURL https://192.168.111.12:8443/cas/login
>     CASRootProxiedAs https://192.168.111.12:8443
>     CASValidateURL https://192.168.111.12:8443/cas/serviceValidate
>     # Tomcat http port 8888
>     #CASValidateURL http://192.168.111.12:8888/cas/serviceValidate
>     CASValidateSAML Off
>     CASSSOEnabled On
>
>     <VirtualHost _default_:8443>
>         SSLProxyEngine on
>         SSLProxyVerify none
>         SSLProxyCheckPeerCN off
>         SSLProxyCheckPeerName off
>         SSLProxyCheckPeerExpire off
>         LogLevel debug
>         <Location />
>             # AllowOverride takes an argument and is only valid inside <Directory>
>             AllowOverride
>             AuthType CAS
>             Require valid-user
>             CASRenew On
>             ProxyPass http://192.168.111.10/
>             ProxyPassReverse http://192.168.111.10/
>         </Location>
>         <Location /cas>
>             Require all granted
>             # Tomcat https port 9443
>             ProxyPass https://192.168.111.12:9443/cas
>             ProxyPassReverse https://192.168.111.12:9443/cas
>         </Location>
>     </VirtualHost>
>
> On Fri, May 18, 2018 at 8:50 PM, Ray Bon <[email protected]> wrote:
>
> Ramakrishna,
>
> During log out when CAS contacts your service (where mod_auth_cas is), it does so with https. You need to install the custom certificate that is on your service into the jvm running CAS.
>
>     sudo keytool -import -file ${certName} -alias ${aliasName} -keystore $JAVA_HOME/jre/lib/security/cacerts
>
> https://apereo.github.io/cas/developer/Build-Process-5X.html#configure-ssl
>
> Ray
>
> On Fri, 2018-05-18 at 11:04 +0530, Ramakrishna G wrote:
>
> Ray,
>
> Let me explain my architecture. I have a CAS client (mod_auth_cas) which redirects to an NGINX load balancer. The nginx forwards to one of the active CAS servers. Do I need to install certificates on all CAS servers?
>
> The user requests mod_auth_cas via HTTPS, but I am doing SSL stripping for internal communication from nginx to the CAS server, i.e. plain http communication is happening from nginx to the CAS server.
>
> Can you please guide me how I can achieve logout for my approach.
>
> On Thu, May 17, 2018 at 9:49 PM, Ray Bon <[email protected]> wrote:
>
> Ramakrishna,
>
> Add this to the log config:
>
>     <AsyncLogger name="org.apereo.cas.util.http" level="debug" />
>
> The above may produce a lot of messages.
> It looks to be a problem with CAS contacting your client. It could be a certificate issue.
> I guess you created a certificate since it is on a 192 ip. Did you add the certificate to the java key store? If CAS and your client are on different machines, then the certificate will need to be added to both.
>
> Ray
>
> On Thu, 2018-05-17 at 12:01 +0530, Ramakrishna G wrote:
>
> Hi Ray,
>
> As said by you, I enabled logs and this is the output:
>
>     2018-05-17 11:50:46,479 INFO [org.apereo.cas.logout.DefaultLogoutManager] - <Performing logout operations for [TGT-2-*********************************************************eGcHG1JqHs-client]>
>     2018-05-17 11:50:46,501 DEBUG [org.apereo.cas.logout.DefaultSingleLogoutServiceMessageHandler] - <Processing logout request for service [org.apereo.cas.authentication.principal.SimpleWebApplicationServiceImpl@432f5faa[id=https://192.168.111.12:8443/,originalUrl=https://192.168.111.12:8443/,artifactId=<null>,principal=casuser,loggedOutAlready=false,format=XML]]...>
>     2018-05-17 11:50:46,503 DEBUG [org.apereo.cas.logout.DefaultSingleLogoutServiceMessageHandler] - <Service [org.apereo.cas.authentication.principal.SimpleWebApplicationServiceImpl@432f5faa[id=https://192.168.111.12:8443/,originalUrl=https://192.168.111.12:8443/,artifactId=<null>,principal=casuser,loggedOutAlready=false,format=XML]] supports single logout and is found in the registry as [id=10000001,name=HTTPS and IMAPS,description=This service definition authorizes all application urls that support HTTPS and IMAPS protocols.,serviceId=^(https|imaps)://.*,usernameAttributeProvider=org.apereo.cas.services.DefaultRegisteredServiceUsernameProvider@d,theme=<null>,evaluationOrder=10000,logoutType=BACK_CHANNEL,attributeReleasePolicy=org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy@15646ed9[attributeFilter=<null>,principalAttributesRepository=org.apereo.cas.authentication.principal.DefaultPrincipalAttributesRepository@7923006f[],authorizedToReleaseCredentialPassword=false,authorizedToReleaseAuthenticationAttributes=true,authorizedToReleaseProxyGrantingTicket=false,excludeDefaultAttributes=false,principalIdAttribute=<null>,consentPolicy=org.apereo.cas.services.consent.DefaultRegisteredServiceConsentPolicy@330ae512[excludedAttributes=<null>,includeOnlyAttributes=<null>,enabled=true],allowedAttributes=[]],accessStrategy=org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy@5bc47191[enabled=true,ssoEnabled=true,requireAllAttributes=true,requiredAttributes={},unauthorizedRedirectUrl=<null>,caseInsensitive=false,rejectedAttributes={}],publicKey=<null>,proxyPolicy=org.apereo.cas.services.RefuseRegisteredServiceProxyPolicy@2cd156ce,logo=<null>,logoutUrl=<null>,requiredHandlers=[],properties={},multifactorPolicy=org.apereo.cas.services.DefaultRegisteredServiceMultifactorPolicy@6dc092b8[multifactorAuthenticationProviders=[],failureMode=NOT_SET,principalAttributeNameTrigger=<null>,principalAttributeValueToMatch=<null>,bypassEnabled=false],informationUrl=<null>,privacyUrl=<null>,contacts=[],expirationPolicy=org.apereo.cas.services.DefaultRegisteredServiceExpirationPolicy@687fb318[deleteWhenExpired=false,notifyWhenDeleted=false,expirationDate=<null>],<null>]. Proceeding...>
>     2018-05-17 11:50:46,514 DEBUG [org.apereo.cas.logout.DefaultSingleLogoutServiceMessageHandler] - <Prepared logout url [https://192.168.111.12:8443/] for service [org.apereo.cas.authentication.principal.SimpleWebApplicationServiceImpl@432f5faa[id=https://192.168.111.12:8443/,originalUrl=https://192.168.111.12:8443/,artifactId=<null>,principal=casuser,loggedOutAlready=false,format=XML]]>
>     2018-05-17 11:50:46,515 DEBUG [org.apereo.cas.logout.DefaultSingleLogoutServiceMessageHandler] - <Creating logout request for [org.apereo.cas.authentication.principal.SimpleWebApplicationServiceImpl@432f5faa[id=https://192.168.111.12:8443/,originalUrl=https://192.168.111.12:8443/,artifactId=<null>,principal=casuser,loggedOutAlready=false,format=XML]] and ticket id [ST-3-Ca79ror-smWCKyQzaBNn0ZYt6l0-client]>
>     2018-05-17 11:50:46,517 DEBUG [org.apereo.cas.logout.DefaultSingleLogoutServiceMessageHandler] - <Logout request [org.apereo.cas.logout.DefaultLogoutRequest@61e23890[ticketId=ST-3-Ca79ror-smWCKyQzaBNn0ZYt6l0-client,service=org.apereo.cas.authentication.principal.SimpleWebApplicationServiceImpl@432f5faa[id=https://192.168.111.12:8443/,originalUrl=https://192.168.111.12:8443/,artifactId=<null>,principal=casuser,loggedOutAlready=false,format=XML],status=NOT_ATTEMPTED]] created for [org.apereo.cas.authentication.principal.SimpleWebApplicationServiceImpl@432f5faa[id=https://192.168.111.12:8443/,originalUrl=https://192.168.111.12:8443/,artifactId=<null>,principal=casuser,loggedOutAlready=false,format=XML]] and ticket id [ST-3-Ca79ror-smWCKyQzaBNn0ZYt6l0-client]>
>     2018-05-17 11:50:46,518 DEBUG [org.apereo.cas.logout.DefaultSingleLogoutServiceMessageHandler] - <Logout type registered for [org.apereo.cas.authentication.principal.SimpleWebApplicationServiceImpl@432f5faa[id=https://192.168.111.12:8443/,originalUrl=https://192.168.111.12:8443/,artifactId=<null>,principal=casuser,loggedOutAlready=false,format=XML]] is [BACK_CHANNEL]>
>     2018-05-17 11:50:46,519 DEBUG [org.apereo.cas.logout.DefaultSingleLogoutServiceMessageHandler] - <Creating back-channel logout request based on [org.apereo.cas.logout.DefaultLogoutRequest@61e23890[ticketId=ST-3-Ca79ror-smWCKyQzaBNn0ZYt6l0-client,service=org.apereo.cas.authentication.principal.SimpleWebApplicationServiceImpl@432f5faa[id=https://192.168.111.12:8443/,originalUrl=https://192.168.111.12:8443/,artifactId=<null>,principal=casuser,loggedOutAlready=false,format=XML],status=NOT_ATTEMPTED]]>
>     2018-05-17 11:50:46,522 DEBUG [org.apereo.cas.logout.SamlCompliantLogoutMessageCreator] - <Generated logout message: [<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="LR-1-vL8zdM8-dQR8rayaAYJJz6d2" Version="2.0" IssueInstant="2018-05-17T11:50:46Z"><saml:NameID xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">@NOT_USED@</saml:NameID><samlp:SessionIndex>ST-3-Ca79ror-smWCKyQzaBNn0ZYt6l0-client</samlp:SessionIndex></samlp:LogoutRequest>]>
>     2018-05-17 11:50:46,522 DEBUG [org.apereo.cas.logout.DefaultSingleLogoutServiceMessageHandler] - <Preparing logout request for [https://192.168.111.12:8443/] to [https://192.168.111.12:8443/]>
>     2018-05-17 11:50:46,547 DEBUG [org.apereo.cas.logout.DefaultSingleLogoutServiceMessageHandler] - <Prepared logout message to send is [org.apereo.cas.logout.LogoutHttpMessage@e0bb76[url=https://192.168.111.12:8443/,message=<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="LR-1-vL8zdM8-dQR8rayaAYJJz6d2" Version="2.0" IssueInstant="2018-05-17T11:50:46Z"><saml:NameID xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">@NOT_USED@</saml:NameID><samlp:SessionIndex>ST-3-Ca79ror-smWCKyQzaBNn0ZYt6l0-client</samlp:SessionIndex></samlp:LogoutRequest>,asynchronous=false,contentType=application/x-www-form-urlencoded,responseCode=0]]. Sending...>
>     2018-05-17 11:50:46,659 WARN [org.apereo.cas.logout.DefaultSingleLogoutServiceMessageHandler] - <Logout message is not sent to [https://192.168.111.12:8443/]; Continuing processing...>
>     2018-05-17 11:50:46,661 INFO [org.apereo.cas.logout.DefaultLogoutManager] - <[1] logout requests were processed>
>     2018-05-17 11:50:46,668 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
>     =============================================================
>     WHO: casuser
>     WHAT: TGT-2-*********************************************************eGcHG1JqHs-client
>     ACTION: TICKET_GRANTING_TICKET_DESTROYED
>     APPLICATION: CAS
>     WHEN: Thu May 17 11:50:46 IST 2018
>     CLIENT IP ADDRESS: 192.168.111.12
>     SERVER IP ADDRESS: 192.168.111.12
>     =============================================================
>
> On Tue, May 15, 2018 at 11:59 PM, Ray Bon <[email protected]> wrote:
>
> Ramakrishna,
>
> If the TGT is destroyed, then that SSO session is also destroyed even if the TGC is not (why TGC is not removed is odd).
> If you are still logged in to the client application, your client may not be part of single log out (SLO). It is up to the client to manage its own session.
> When you say 'valid ticket', do you mean a new service ticket?
>
> You can try these log4j2 options to see what is happening during the logout process:
>
>     <!-- DEBUG service status and logout process and a lot of details -->
>     <AsyncLogger name="org.apereo.cas.logout" level="info" />
>     <!-- INFO Performing logout operations for [TGT-...]
>          [number] logout requests were processed
>          DEBUG ST, principal and URL -->
>     <AsyncLogger name="org.apereo.cas.logout.DefaultLogoutManager" level="info">
>         <Filters>
>             <ThresholdFilter level="INFO" onMatch="ACCEPT" onMismatch="NEUTRAL" />
>             <RegexFilter regex="Captured logout request.*" onMismatch="DENY" />
>         </Filters>
>     </AsyncLogger>
>     <!-- DEBUG Logout request will be sent to but does not print anything when login was through SAML 1.1 -->
>     <AsyncLogger name="org.apereo.cas.logout.DefaultSingleLogoutServiceLogoutUrlBuilder" level="warn" />
>     <!-- DEBUG preparing, processing and logout with URL and ST -->
>     <AsyncLogger name="org.apereo.cas.logout.DefaultSingleLogoutServiceMessageHandler" level="debug" />
>     <!-- DEBUG SAML logout payload -->
>     <AsyncLogger name="org.apereo.cas.logout.SamlCompliantLogoutMessageCreator" level="debug" />
>
> Ray
>
> On Tue, 2018-05-15 at 15:58 +0530, Ramakrishna G wrote:
>
> On clicking logout, which calls the cas/logout link:
>
>     WHO: casuser
>     WHAT: TGT-1-*********************************************************CPmWzMzi-I-client
>     ACTION: TICKET_GRANTING_TICKET_DESTROYED
>     APPLICATION: CAS
>     WHEN: Tue May 15 15:45:17 IST 2018
>     CLIENT IP ADDRESS: 192.168.111.12
>     SERVER IP ADDRESS: 192.168.111.12
>     =============================================================
>
> But I can see that in the browser the TGC cookie still resides, which forces me to delete the cookies or close the browser for a fresh login. Is there any way to avoid this?
>
> On Sat, May 12, 2018 at 1:45 PM, Ramakrishna G <[email protected]> wrote:
>
> Yes, it is redirected to the logout page, yet the cookies are not removed. When I refresh it redirects to the application with a valid ticket instead of redirecting to the login page.
>
> On Fri, May 11, 2018 at 8:39 PM, Ray Bon <[email protected]> wrote:
>
> Ramakrishna,
>
> If the browser is redirected to /cas/logout, the cookies will/should be removed.
>
> Ray
>
> On Fri, 2018-05-11 at 19:30 +0530, Ramakrishna G wrote:
>
> Hello Team,
>
> On logout CAS cookies are not removed from the browser. I need to forcefully clear them. What might be the reason?
>
> Thanks
> Ramakrishna G
>
> --
> Ray Bon
> Programmer analyst
> Development Services, University Systems
> 2507218831 | CLE 019 | [email protected]
>
> --
> - Website: https://apereo.github.io/cas
> - Gitter Chatroom: https://gitter.im/apereo/cas
> - List Guidelines: https://goo.gl/1VRrw7
> - Contributions: https://goo.gl/mh7qDG
> ---
> You received this message because you are subscribed to the Google Groups "CAS Community" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
> To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/1526051367.1797.41.camel%40uvic.ca.
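The back-channel SLO message that CAS logged above (and then failed to deliver) is what the client must parse to find and drop the session it created for that service ticket, which is the client-side handling Ray suggests debugging. The following is an added illustration of that handling in Python, not code from mod_auth_cas or CAS; it assumes the XML arrives in a `logoutRequest` form parameter, uses a constructed copy of the LogoutRequest from the log, and stands in a toy in-memory cache for the on-disk cookie cache under CASCookiePath.

```python
import urllib.parse
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"

# Constructed sample: the LogoutRequest CAS logged in the thread, form-encoded the way
# the back-channel POST (contentType=application/x-www-form-urlencoded) carries it.
SAMPLE_XML = (
    '<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'ID="LR-1-vL8zdM8-dQR8rayaAYJJz6d2" Version="2.0" IssueInstant="2018-05-17T11:50:46Z">'
    '<saml:NameID xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">@NOT_USED@</saml:NameID>'
    '<samlp:SessionIndex>ST-3-Ca79ror-smWCKyQzaBNn0ZYt6l0-client</samlp:SessionIndex>'
    '</samlp:LogoutRequest>'
)
SAMPLE_BODY = urllib.parse.urlencode({"logoutRequest": SAMPLE_XML})


def parse_logout_request(body: str) -> dict:
    """Return id, issue_instant and session_index from a back-channel SLO POST body.

    Anything that is not a SAML 2.0 LogoutRequest carrying a SessionIndex raises
    ValueError, so a malformed or unrelated POST never reaches the session store.
    """
    params = urllib.parse.parse_qs(body, strict_parsing=True)
    if "logoutRequest" not in params:
        raise ValueError("no logoutRequest parameter in POST body")
    # The body arrives over the network: a production handler should use a hardened
    # XML parser (e.g. defusedxml) rather than the stdlib one used here for brevity.
    root = ET.fromstring(params["logoutRequest"][0])
    if root.tag != f"{{{SAMLP}}}LogoutRequest":
        raise ValueError(f"unexpected root element {root.tag}")
    index = root.find(f"{{{SAMLP}}}SessionIndex")
    if index is None or not (index.text or "").strip():
        raise ValueError("LogoutRequest has no SessionIndex")
    return {"id": root.get("ID"), "issue_instant": root.get("IssueInstant"),
            "session_index": index.text.strip()}


class SessionCache:
    """Toy stand-in (assumed, not mod_auth_cas's real cache) for the client session
    store: the service ticket that validated a login is kept with the cookie it
    produced, so SLO can locate the session from the SessionIndex alone."""

    def __init__(self):
        self._cookie_by_ticket = {}
        self._user_by_cookie = {}

    def login(self, cookie: str, ticket: str, user: str) -> None:
        self._cookie_by_ticket[ticket] = cookie
        self._user_by_cookie[cookie] = user

    def is_logged_in(self, cookie: str) -> bool:
        return cookie in self._user_by_cookie

    def handle_slo(self, body: str) -> bool:
        """Drop the session tied to the SessionIndex; True if one was removed."""
        ticket = parse_logout_request(body)["session_index"]
        cookie = self._cookie_by_ticket.pop(ticket, None)
        if cookie is None:
            return False  # unknown or already-logged-out ticket: nothing to do
        self._user_by_cookie.pop(cookie, None)
        return True
```

When the POST never arrives, as the WARN line in the log shows, the cache entry survives and the client cookie keeps working until it expires, which is exactly the symptom in this thread.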
