Hi,

If you use the SAML authentication delegation to Okta, there is a
SAML2ClientLogoutAction component which should retrieve the user profile
and send a logout request to Okta when you trigger a CAS logout (
https://github.com/apereo/cas/blob/5.1.x/support/cas-server-support-pac4j-core-clients/src/main/java/org/apereo/cas/support/pac4j/web/flow/SAML2ClientLogoutAction.java
).
This may not work for a cluster. Turn on DEBUG logs on this component to
see what happens.
Thanks.
Best regards,
Jérôme


On Fri, 20 Dec 2019 at 09:50, Filip Majernik <[email protected]>
wrote:

> I am using CAS 5.1.1 which comes with pac4j 2.0.0
>
> On Friday, December 20, 2019 at 8:34:55 AM UTC+1, leleuj wrote:
>>
>> Hi,
>>
>> Which version of CAS (and pac4j) do you use? Do you have one or more CAS
>> servers?
>> Thanks.
>> Best regards,
>> Jérôme
>>
>> On Thu, 19 Dec 2019 at 17:28, Filip Majernik <[email protected]>
>> wrote:
>>
>>> Hi Sarika,
>>> I am facing the same issue. The SAML logout request to Okta does not
>>> work. After debugging I have found out that in pac4j's implementation in
>>> SAML2LogoutRequestBuilder the UserProfile cannot be retrieved from the
>>> context, hence no sessionIndex as nameId is added to the request. This
>>> UserProfile should be created and kept in session after the user has
>>> successfully authenticated in the IdP, but it isn't. Looking at the Pac4J
>>> documentation I assume, that there is no CallbackFilter in CAS initialized
>>> which would store the UserProfile in the session, but I cannot confirm this.
>>>
>>> Does anybody know how to make this work?
>>>
>>> Thanks,
>>> Filip
>>>
>>>
>>> On Friday, September 14, 2018 at 7:24:44 AM UTC+2, sarika deshmukh wrote:
>>>>
>>>> Hi,
>>>>
>>>> Is there any update on this issue?
>>>>
>>>> Thanks in advance.
>>>>
>>>>
>>>> On Tuesday, 4 September 2018 18:34:10 UTC+5:30, sarika deshmukh wrote:
>>>>>
>>>>> Hi Ganesh,
>>>>>
>>>>> Sorry for the late reply.
>>>>> I have checked logs as well, it seems like CAS is not connecting with
>>>>> OKTA at the time of logout.
>>>>>
>>>>> log details:
>>>>> 2018-09-04 17:29:21,173 DEBUG
>>>>> [org.apereo.cas.support.saml.services.SamlIdPSingleLogoutServiceLogoutUrlBuilder]
>>>>> - <Service [AbstractRegisteredService(serviceId=^https://.*,
>>>>> name=HTTPS, theme=null, informationUrl=null, privacyUrl=null,
>>>>> responseType=null, id=10000001, description=This service definition
>>>>> authorizes all application urls that support HTTPS and IMAPS protocols.,
>>>>> expirationPolicy=DefaultRegisteredServiceExpirationPolicy(deleteWhenExpired=false,
>>>>> notifyWhenDeleted=false, expirationDate=null),
>>>>> proxyPolicy=org.apereo.cas.services.RefuseRegisteredServiceProxyPolicy@1,
>>>>> evaluationOrder=10000,
>>>>> usernameAttributeProvider=org.apereo.cas.services.DefaultRegisteredServiceUsernameProvider@87297e2,
>>>>> logoutType=BACK_CHANNEL, requiredHandlers=[],
>>>>> attributeReleasePolicy=ReturnAllowedAttributeReleasePolicy(super=AbstractRegisteredServiceAttributeReleasePolicy(attributeFilter=null,
>>>>> principalAttributesRepository=DefaultPrincipalAttributesRepository(),
>>>>> consentPolicy=DefaultRegisteredServiceConsentPolicy(enabled=true,
>>>>> excludedAttributes=null, includeOnlyAttributes=null),
>>>>> authorizedToReleaseCredentialPassword=false,
>>>>> authorizedToReleaseProxyGrantingTicket=false,
>>>>> excludeDefaultAttributes=false,
>>>>> authorizedToReleaseAuthenticationAttributes=true,
>>>>> principalIdAttribute=null), allowedAttributes=[]),
>>>>> multifactorPolicy=DefaultRegisteredServiceMultifactorPolicy(multifactorAuthenticationProviders=[],
>>>>> failureMode=NOT_SET, principalAttributeNameTrigger=null,
>>>>> principalAttributeValueToMatch=null, bypassEnabled=false), logo=null,
>>>>> logoutUrl=https://localhost:8443/cas/logout,
>>>>> accessStrategy=DefaultRegisteredServiceAccessStrategy(order=0,
>>>>> enabled=true, ssoEnabled=true, unauthorizedRedirectUrl=null,
>>>>> delegatedAuthenticationPolicy=DefaultRegisteredServiceDelegatedAuthenticationPolicy(allowedProviders=[SAML2Client]),
>>>>> requireAllAttributes=true, requiredAttributes={}, rejectedAttributes={},
>>>>> caseInsensitive=false), publicKey=null, properties={}, contacts=[])] is
>>>>> not a SAML service, or its logout url could not be determined>
>>>>> 2018-09-04 17:29:21,173 DEBUG
>>>>> [org.apereo.cas.logout.DefaultSingleLogoutServiceLogoutUrlBuilder] -
>>>>> <Logout request will be sent to [https://localhost:8443/cas/logout]
>>>>> for service [AbstractWebApplicationService(id=
>>>>> https://localhost:8443/vcm/j_spring_cas_security_check, originalUrl=
>>>>> https://localhost:8443/vcm/j_spring_cas_security_check,
>>>>> artifactId=null, [email protected], source=service,
>>>>> loggedOutAlready=false, format=XML, attributes={})]>
>>>>> 2018-09-04 17:29:21,174 DEBUG
>>>>> [org.apereo.cas.logout.DefaultSingleLogoutServiceMessageHandler] -
>>>>> <Prepared logout url [[https://localhost:8443/cas/logout]] for
>>>>> service [AbstractWebApplicationService(id=
>>>>> https://localhost:8443/vcm/j_spring_cas_security_check, originalUrl=
>>>>> https://localhost:8443/vcm/j_spring_cas_security_check,
>>>>> artifactId=null, [email protected], source=service,
>>>>> loggedOutAlready=false, format=XML, attributes={})]>
>>>>> 2018-09-04 17:29:21,174 DEBUG
>>>>> [org.apereo.cas.logout.DefaultSingleLogoutServiceMessageHandler] -
>>>>> <Creating logout request for [AbstractWebApplicationService(id=
>>>>> https://localhost:8443/vcm/j_spring_cas_security_check, originalUrl=
>>>>> https://localhost:8443/vcm/j_spring_cas_security_check,
>>>>> artifactId=null, [email protected], source=service,
>>>>> loggedOutAlready=false, format=XML, attributes={})] and ticket id
>>>>> [ST-1-SDZwYUPRAVYcRYqnvtBi0D-XrIQSCS-S12]>
>>>>> 2018-09-04 17:29:21,401 DEBUG
>>>>> [org.apereo.cas.logout.DefaultSingleLogoutServiceMessageHandler] - <Logout
>>>>> request
>>>>> [DefaultLogoutRequest(ticketId=ST-1-SDZwYUPRAVYcRYqnvtBi0D-XrIQSCS-S12,
>>>>> service=AbstractWebApplicationService(id=
>>>>> https://localhost:8443/vcm/j_spring_cas_security_check, originalUrl=
>>>>> https://localhost:8443/vcm/j_spring_cas_security_check,
>>>>> artifactId=null, [email protected], source=service,
>>>>> loggedOutAlready=false, format=XML, attributes={}), status=NOT_ATTEMPTED,
>>>>> logoutUrl=https://localhost:8443/cas/logout)] created for
>>>>> [AbstractWebApplicationService(id=
>>>>> https://localhost:8443/vcm/j_spring_cas_security_check, originalUrl=
>>>>> https://localhost:8443/vcm/j_spring_cas_security_check,
>>>>> artifactId=null, [email protected], source=service,
>>>>> loggedOutAlready=false, format=XML, attributes={})] and ticket id
>>>>> [ST-1-SDZwYUPRAVYcRYqnvtBi0D-XrIQSCS-S12]>
>>>>> 2018-09-04 17:29:21,401 DEBUG
>>>>> [org.apereo.cas.logout.DefaultSingleLogoutServiceMessageHandler] - <Logout
>>>>> type registered for [AbstractWebApplicationService(id=
>>>>> https://localhost:8443/vcm/j_spring_cas_security_check, originalUrl=
>>>>> https://localhost:8443/vcm/j_spring_cas_security_check,
>>>>> artifactId=null, [email protected], source=service,
>>>>> loggedOutAlready=false, format=XML, attributes={})] is [BACK_CHANNEL]>
>>>>> 2018-09-04 17:29:21,402 DEBUG
>>>>> [org.apereo.cas.logout.DefaultSingleLogoutServiceMessageHandler] -
>>>>> <Creating back-channel logout request based on
>>>>> [DefaultLogoutRequest(ticketId=ST-1-SDZwYUPRAVYcRYqnvtBi0D-XrIQSCS-S12,
>>>>> service=AbstractWebApplicationService(id=
>>>>> https://localhost:8443/vcm/j_spring_cas_security_check, originalUrl=
>>>>> https://localhost:8443/vcm/j_spring_cas_security_check,
>>>>> artifactId=null, [email protected], source=service,
>>>>> loggedOutAlready=false, format=XML, attributes={}), status=NOT_ATTEMPTED,
>>>>> logoutUrl=https://localhost:8443/cas/logout)]>
>>>>> 2018-09-04 17:29:21,478 DEBUG
>>>>> [org.apereo.cas.logout.SamlCompliantLogoutMessageCreator] - <Generated
>>>>> logout message: [<samlp:LogoutRequest
>>>>> xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
>>>>> ID="LR-1-Zkra8FA-8YIF7kVhWkRWyAWy" Version="2.0"
>>>>> IssueInstant="2018-09-04T17:29:21Z"><saml:NameID
>>>>> xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">@NOT_USED@
>>>>> </saml:NameID><samlp:SessionIndex>ST-1-SDZwYUPRAVYcRYqnvtBi0D-XrIQSCS-S12</samlp:SessionIndex></samlp:LogoutRequest>]>
>>>>> 2018-09-04 17:29:21,478 DEBUG
>>>>> [org.apereo.cas.logout.DefaultSingleLogoutServiceMessageHandler] -
>>>>> <Preparing logout request for [
>>>>> https://localhost:8443/vcm/j_spring_cas_security_check] to [
>>>>> https://localhost:8443/cas/logout]>
>>>>> 2018-09-04 17:29:21,485 DEBUG
>>>>> [org.apereo.cas.logout.DefaultSingleLogoutServiceMessageHandler] -
>>>>> <Prepared logout message to send is [HttpMessage(url=
>>>>> https://localhost:8443/cas/logout,
>>>>> message=logoutRequest=%3Csamlp%3ALogoutRequest+xmlns%3Asamlp%3D%22urn%3Aoasis%3Anames%3Atc%3ASAML%3A2.0%3Aprotocol%22+ID%3D%22LR-1-Zkra8FA-8YIF7kVhWkRWyAWy%22+Version%3D%222.0%22+IssueInstant%3D%222018-09-04T17%3A29%3A21Z%22%3E%3Csaml%3ANameID+xmlns%3Asaml%3D%22urn%3Aoasis%3Anames%3Atc%3ASAML%3A2.0%3Aassertion%22%3E%40NOT_USED%40%3C%2Fsaml%3ANameID%3E%3Csamlp%3ASessionIndex%3EST-1-SDZwYUPRAVYcRYqnvtBi0D-XrIQSCS-S12%3C%2Fsamlp%3ASessionIndex%3E%3C%2Fsamlp%3ALogoutRequest%3E,
>>>>> responseCode=0, asynchronous=true,
>>>>> contentType=application/x-www-form-urlencoded)]. Sending...>
>>>>> 2018-09-04 17:29:21,532 DEBUG
>>>>> [org.apereo.cas.util.http.SimpleHttpClient] - <Created HTTP post message
>>>>> payload [POST https://localhost:8443/cas/logout HTTP/1.1]>
>>>>> 2018-09-04 17:29:21,558 INFO
>>>>> [org.apereo.cas.logout.DefaultLogoutManager] - <[1] logout requests were
>>>>> processed>
>>>>>
>>>>>
>>>>> I have gone through the CAS codebase, as per my understanding, CAS is
>>>>> not getting some SAML metadata for a given SP for logout.
>>>>> I have added "SamlRegisteredService" service registry for the same but
>>>>> no luck.
>>>>>
>>>>> service registry:
>>>>>
>>>>> {
>>>>>   "@class" : "org.apereo.cas.support.saml.services.SamlRegisteredService",
>>>>>   "serviceId" : "urn:herb:saml:pac4j.org",
>>>>>   "name" : "SAMLService",
>>>>>   "id" : 10000003,
>>>>>   "evaluationOrder" : 10,
>>>>>   "metadataLocation" : "https://myoktaClient.com/app/exkfsyqtvxlhZ2i9f0h7/sso/saml/metadata"
>>>>> }
>>>>>
>>>>> Also, I have added logoutType and logoutUrl in
>>>>> HTTPSandIMAPS-10000001.json registry file as below,
>>>>>
>>>>>  "logoutType": "BACK_CHANNEL",
>>>>>  "logoutUrl": "https://localhost:8443/cas/logout",
>>>>>
>>>>>
>>>>> Is there anything missing?
>>>>>
>>>>> Thanks,
>>>>> Sarika D.
>>>>>
>>>>>
>>>>> On Monday, 2 October 2017 12:49:48 UTC+5:30, Антон Шихмат wrote:
>>>>>>
>>>>>> Hello everyone,
>>>>>>
>>>>>> I'm trying to integrate CAS SAML 2 delegated auth with OKTA using
>>>>>> this tutorial
>>>>>> https://apereo.github.io/2017/03/22/cas51-delauthn-tutorial/
>>>>>> CAS properties file should contain such values: keystore path (that
>>>>>> contains OKTA signing certificate), keystore password and private key
>>>>>> password.
>>>>>> OKTA provides signing certificate, so I can create a keystore using
>>>>>> it. But OKTA does not provide a private key for this certificate (or at least
>>>>>> I cannot find it). I cannot leave this value empty, because I will receive
>>>>>> an exception during CAS startup.
>>>>>> Can anyone help me, how can I configure OKTA integration without
>>>>>> private key or where I can find it?
>>>>>>
>>>>>> Thanks
>>>>>>
>>>>> --
>>> - Website: https://apereo.github.io/cas
>>> - Gitter Chatroom: https://gitter.im/apereo/cas
>>> - List Guidelines: https://goo.gl/1VRrw7
>>> - Contributions: https://goo.gl/mh7qDG
>>> ---
>>> You received this message because you are subscribed to the Google
>>> Groups "CAS Community" group.
>>> To unsubscribe from this group and stop receiving emails from it, send
>>> an email to [email protected].
>>> To view this discussion on the web visit
>>> https://groups.google.com/a/apereo.org/d/msgid/cas-user/8991dc0a-fdb9-4ec4-8056-49beff69d714%40apereo.org
>>> <https://groups.google.com/a/apereo.org/d/msgid/cas-user/8991dc0a-fdb9-4ec4-8056-49beff69d714%40apereo.org?utm_medium=email&utm_source=footer>
>>> .
>>>

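As an added diagnostic for this thread (example code, not from CAS, pac4j or any of the posters): the log above shows CAS building its own back-channel logout message with NameID `@NOT_USED@` and the service ticket as SessionIndex, and the later reply traces the missing NameID/SessionIndex to a UserProfile that cannot be retrieved. The script below decodes that logged form body, reports which fields an IdP-bound SAML LogoutRequest would be missing, and builds the shape such a request should take for comparison. The `@NOT_USED@` placeholder, the CAS ticket-id prefixes and the form body are copied from the log; the Okta SLO endpoint, user identifier, SessionIndex value and the Issuer/Destination checks are assumptions made for illustration, and the built request is unsigned.

```python
"""
Added diagnostic for the logout messages discussed in this thread. It is not
code from CAS, pac4j or any of the posters: it parses a SAML 2.0 LogoutRequest
and reports whether it carries what an IdP such as Okta needs to end its own
session (a real NameID, the IdP's SessionIndex, an Issuer and a Destination),
and builds the shape of request that would pass the same check.
"""
import re
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Values CAS puts into its own (CAS-protocol) back-channel logout message, as
# seen in the log above: a placeholder NameID and a CAS ticket id as SessionIndex.
CAS_PLACEHOLDER_NAME_ID = "@NOT_USED@"
CAS_TICKET_RE = re.compile(r"^(ST|PT|TGT|PGT)-\d+-")

# Form body copied from the "Prepared logout message to send" log line above.
CAS_LOG_FORM_BODY = (
    "logoutRequest=%3Csamlp%3ALogoutRequest+xmlns%3Asamlp%3D%22urn%3Aoasis%3Anames"
    "%3Atc%3ASAML%3A2.0%3Aprotocol%22+ID%3D%22LR-1-Zkra8FA-8YIF7kVhWkRWyAWy%22+Version"
    "%3D%222.0%22+IssueInstant%3D%222018-09-04T17%3A29%3A21Z%22%3E%3Csaml%3ANameID+xmlns"
    "%3Asaml%3D%22urn%3Aoasis%3Anames%3Atc%3ASAML%3A2.0%3Aassertion%22%3E%40NOT_USED%40"
    "%3C%2Fsaml%3ANameID%3E%3Csamlp%3ASessionIndex%3EST-1-SDZwYUPRAVYcRYqnvtBi0D-XrIQSCS-S12"
    "%3C%2Fsamlp%3ASessionIndex%3E%3C%2Fsamlp%3ALogoutRequest%3E"
)


def logout_request_from_form_body(body):
    """Extract the LogoutRequest XML from a CAS back-channel POST body."""
    return parse_qs(body)["logoutRequest"][0]


def analyze_logout_request(xml_text):
    """Return the reasons this request would not log the user out at a SAML IdP.

    An empty list means the request has the fields an IdP needs. The checks are
    a heuristic written for this thread, not a schema validation.
    """
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['samlp']}}}LogoutRequest":
        return [f"root element is {root.tag}, not samlp:LogoutRequest"]
    findings = []

    def text_of(path):
        el = root.find(path, NS)
        return (el.text or "").strip() if el is not None else ""

    if not text_of("saml:Issuer"):
        findings.append("no saml:Issuer: the SLO profile requires the requester to identify itself")
    if not root.get("Destination"):
        findings.append("no Destination: a signed request to the IdP must name the endpoint it is sent to")

    name_id = text_of("saml:NameID")
    if not name_id:
        findings.append("no saml:NameID")
    elif name_id == CAS_PLACEHOLDER_NAME_ID:
        findings.append(f"NameID is the CAS placeholder {CAS_PLACEHOLDER_NAME_ID}: "
                        "no user profile was available when the request was built")

    session_index = text_of("samlp:SessionIndex")
    if not session_index:
        findings.append("no samlp:SessionIndex")
    elif CAS_TICKET_RE.match(session_index):
        findings.append(f"SessionIndex {session_index} is a CAS ticket id, not the "
                        "SessionIndex from the IdP's assertion")
    return findings


def build_idp_logout_request(issuer, destination, name_id, session_index,
                             request_id, issue_instant):
    """Build the (unsigned) shape of an SP-initiated LogoutRequest to the IdP.

    Hypothetical illustration of the fields an IdP expects; a production
    request is normally also signed with the SP key, which is not done here.
    """
    ET.register_namespace("samlp", NS["samlp"])
    ET.register_namespace("saml", NS["saml"])
    root = ET.Element(f"{{{NS['samlp']}}}LogoutRequest", {
        "ID": request_id, "Version": "2.0",
        "IssueInstant": issue_instant, "Destination": destination,
    })
    ET.SubElement(root, f"{{{NS['saml']}}}Issuer").text = issuer
    ET.SubElement(root, f"{{{NS['saml']}}}NameID", {
        "Format": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
    }).text = name_id
    ET.SubElement(root, f"{{{NS['samlp']}}}SessionIndex").text = session_index
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    cas_xml = logout_request_from_form_body(CAS_LOG_FORM_BODY)
    for finding in analyze_logout_request(cas_xml):
        print("CAS back-channel message:", finding)
    # Hypothetical Okta SLO endpoint, user and session index (not from the thread).
    good = build_idp_logout_request(
        issuer="urn:herb:saml:pac4j.org",
        destination="https://myoktaClient.com/app/exkfsyqtvxlhZ2i9f0h7/slo/saml",
        name_id="[email protected]",
        session_index="_6f4c2c1e5d8a4b0f9e2d3c4b5a6978",
        request_id="_" + "0" * 32,
        issue_instant="2019-12-20T09:50:00Z",
    )
    print("IdP-bound request findings:", analyze_logout_request(good))
```

Run against the logged message it reports four gaps (no Issuer, no Destination, placeholder NameID, CAS ticket as SessionIndex), which is consistent with that message being CAS's own logout to `/cas/logout` rather than a SAML SLO request to Okta; the same function on the built request returns nothing. Feeding it the `SAML2ClientLogoutAction` DEBUG output suggested above is the quickest way to see whether the pac4j-built request actually carried the IdP's NameID and SessionIndex.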