Not very familiar with the Shibboleth configuration, I used this article: https://dacurry-tns.github.io/deploying-apereo-cas/building_samlclient_overview.html But the configuration is basic, so the sessions are probably stored in cookies. It is similar with https://samltest.id/start-idp-test/, and it does not work there either, and I would like to be sure that users are logged out of all websites they logged in to. I tried with the FRONT_CHANNEL logoutType, but in the Shibboleth logs only this appears:

2022-06-30 05:02:16 DEBUG Shibboleth.Listener [3] [default]: dispatching message (default/SLO/POST)
2022-06-30 05:02:16 DEBUG OpenSAML.MessageDecoder.SAML2POST [3] [default]: validating input
2022-06-30 05:02:16 DEBUG Shibboleth.Listener [3] [default]: dispatching message (find::StorageService::SessionCache)
6/30/2022 05:02:42 INFO XMLTooling.StorageService: purged 1 expired record(s) from storage

CAS logs nothing about it. The user that wants to log out gets the information:

"Logout notification could not be sent
https://sp.uek.krakow.pl/shibboleth
For security reasons, close the browser."

If I understand correctly: https://apereo.github.io/cas/6.5.x/installation/Logout-Single-Signout.html#sso-session-vs-application-session CAS knows nothing about the session. CAS just sends a logout command and Shibboleth waits for the user's session; if it is not there, it states that there is nothing to do. Do I understand correctly that if someone wants to use our IdP, he will have to take the session issues on himself and give us the option of logging out the user without a session cookie?

Tuesday, 28 June 2022 at 17:47:29 UTC+2, Ray Bon wrote:
> Arkady,
>
> The communication between the two servers looks correct. CAS is sending the logout request (you can decode the SAMLRequest at https://www.samltool.com/decode.php but most of the message is encrypted).
>
> How are Shib sessions being stored?
>
> If with a cookie (which I think is the default), then back channel logout will not work. You can try front channel logout (set in the CAS service definition) or change the Shib session store to be on the server (db, etc).
>
> The logout from Shib works when it is initiated from the service. The service destroys the session, _then_ sends the logout request to CAS; CAS then processes all sessions it knows about (including the Shib one, but it is already destroyed).
>
> Ray
>
> On Tue, 2022-06-28 at 01:45 -0700, Arkady Keppert wrote:
>> I tried it but it still doesn't tell me anything. I got some additional logs; maybe someone could help me? Correct logout out of Shibboleth is possible when I go to https://sp.uek.krakow.pl/Shibboleth.sso/Logout; then Shibboleth sends information about it to CAS and CAS destroys the ticket, then I'm logged out of other services.
>>
>> Monday, 27 June 2022 at 18:44:32 UTC+2, Ray Bon wrote:
>>> Arkady,
>>>
>>> These CAS loggers may provide some additional information
>>>
>>> <!-- DEBUG outbound and inbound headers and response -->
>>> <AsyncLogger name="org.apache.http.headers" level="warn" />
>>> <!-- DEBUG outbound and inbound headers and response as it is sent -->
>>> <AsyncLogger name="org.apache.http.wire" level="warn" />
>>>
>>> Ray
>>>
>>> On Mon, 2022-06-27 at 00:52 -0700, Arkady Keppert wrote:
>>>> I set up the CAS 6.5.2 cluster based on:
>>>> https://dacurry-tns.github.io/deploying-apereo-cas/introduction_overview.html
>>>> Everything works nicely outside of the SAML2 SLO services: if I log out of the SAML2 service, then the ticket is nicely destroyed and I'm logged out from all applications, but if I log out of my other services I get the information:
>>>>
>>>> CAS.log
>>>> 2022-06-27 09:34:21,784 WARN [org.apereo.cas.support.saml.web.idp.profile.slo.SamlIdPSingleLogoutServiceMessageHandler] - <No (successful) logout response received from the url [https://sp.uek.krakow.pl/Shibboleth.sso/SLO/POST]>
>>>> 2022-06-27 09:34:21,784 WARN [org.apereo.cas.logout.slo.BaseSingleLogoutServiceMessageHandler] - <Logout message is not sent to [AbstractWebApplicationService(id=https://sp.uek.krakow.pl/shibboleth, originalUrl=https://sp.uek.krakow.pl/shibboleth, artifactId=null, principal=kepperta, source=service, loggedOutAlready=false, format=XML, attributes={entityId=[https://sp.uek.krakow.pl/shibboleth]})]; Continuing processing...>
>>>>
>>>> SAML SP log:
>>>> 2022-06-27 03:34:21 INFO Shibboleth.Logout.SAML2 [11] [default]: processing front channel logout request with no active session
>>>> 2022-06-27 03:34:21 INFO Shibboleth.SessionCache [11] [default]: request to logout sessions from (https://sso-test.uek.krakow.pl/cas/idp) for (kepperta)
>>>> 2022-06-27 03:34:21 INFO Shibboleth.Logout.SAML2 [11] [default]: client's session isn't available, skipping front-channel notifications
>>>> 2022-06-27 03:34:21 ERROR Shibboleth.Logout [11] [default]: no sessions supplied to back channel notification method
>>>>
>>>> When logging in to Shibboleth, a session is created that CAS knows nothing about, and when logging out of another service this session is not transferred to the SAML SP. As I wrote earlier, if you log out directly in Shibboleth then SLO works and I am logged out of other services. I tested it on my SAML SP and via the website https://samltest.id/; both solutions are based on Shibboleth.
>>>>
>>>> Has anyone had similar problems and knows how to solve it?
>
> --
> Ray Bon
> Programmer Analyst
> Development Services, University Systems
> 250-721-8831 | CLE 019 | [email protected]
>
> I acknowledge and respect the lək̓ʷəŋən peoples on whose traditional territory the university stands, and the Songhees, Esquimalt and WSÁNEĆ peoples whose historical relationships with the land continue to this day.
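Ray's suggestion above, decoding the SAMLRequest that CAS sends to the SP's SLO endpoint, can be done offline instead of pasting it into a web form. The script below is an added example and is not code from this thread, from CAS or from Shibboleth: it decodes a SAMLRequest value from either the HTTP-POST binding (base64 of the XML) or the HTTP-Redirect binding (raw DEFLATE, then base64) and extracts the fields that matter when debugging single logout: Issuer, Destination, NameID (or whether the subject is an EncryptedID, which is why samltool.com shows most of the message as encrypted) and SessionIndex. The LogoutRequest XML, the entity IDs and all identifiers in it are constructed for the example. A well-formed request still logs nobody out if the SP cannot find the session it refers to, which is what the Shibboleth log lines in the thread report.

```python
"""Decode and summarize a SAML 2.0 LogoutRequest carried in a SAMLRequest parameter.

Added example; not from the CAS or Shibboleth projects. All sample values are constructed.
"""
import base64
import zlib
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed sample LogoutRequest (issuer, destination and IDs are made up).
SAMPLE_LOGOUT_REQUEST = (
    '<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
    'ID="_example123" Version="2.0" IssueInstant="2022-06-27T07:34:21Z" '
    'Destination="https://sp.example.edu/Shibboleth.sso/SLO/POST">'
    '<saml:Issuer>https://sso.example.edu/cas/idp</saml:Issuer>'
    '<saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">'
    '_abcdef</saml:NameID>'
    '<samlp:SessionIndex>_sessidx1</samlp:SessionIndex>'
    '</samlp:LogoutRequest>'
)

# Same request, but with the subject encrypted as an IdP usually does when the SP
# publishes an encryption key in its metadata. The ciphertext is a placeholder.
SAMPLE_ENCRYPTED_LOGOUT_REQUEST = SAMPLE_LOGOUT_REQUEST.replace(
    '<saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">'
    '_abcdef</saml:NameID>',
    '<saml:EncryptedID><xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">'
    '<xenc:CipherData><xenc:CipherValue>AAAA</xenc:CipherValue></xenc:CipherData>'
    '</xenc:EncryptedData></saml:EncryptedID>',
)


def encode_post_binding(xml_text: str) -> str:
    """HTTP-POST binding: the XML is simply base64-encoded."""
    return base64.b64encode(xml_text.encode()).decode()


def encode_redirect_binding(xml_text: str) -> str:
    """HTTP-Redirect binding: raw DEFLATE (no zlib header), then base64."""
    compressor = zlib.compressobj(wbits=-15)  # negative wbits selects raw deflate
    data = compressor.compress(xml_text.encode()) + compressor.flush()
    return base64.b64encode(data).decode()


def decode_saml_request(param: str) -> str:
    """Return the LogoutRequest XML for a SAMLRequest value from either binding.

    A POST-binding value decodes straight to XML; anything else is treated as
    raw-deflated Redirect-binding data and inflated.
    """
    raw = base64.b64decode(param)
    if raw.lstrip().startswith(b"<"):
        return raw.decode()
    return zlib.decompress(raw, wbits=-15).decode()


def summarize_logout_request(xml_text: str) -> dict:
    """Extract the fields worth checking when an SP reports 'no active session'."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['samlp']}}}LogoutRequest":
        raise ValueError(f"not a LogoutRequest: {root.tag}")

    def text(path: str):
        el = root.find(path, NS)
        return el.text.strip() if el is not None and el.text else None

    return {
        "id": root.get("ID"),
        "destination": root.get("Destination"),  # must match the SP's SLO endpoint
        "issuer": text("saml:Issuer"),           # must match the IdP entityID the SP trusts
        "name_id": text("saml:NameID"),          # None when the subject is encrypted
        "encrypted_name_id": root.find("saml:EncryptedID", NS) is not None,
        "session_indexes": [e.text for e in root.findall("samlp:SessionIndex", NS)],
    }


if __name__ == "__main__":
    for label, value in (
        ("POST", encode_post_binding(SAMPLE_LOGOUT_REQUEST)),
        ("Redirect", encode_redirect_binding(SAMPLE_LOGOUT_REQUEST)),
        ("POST, encrypted subject", encode_post_binding(SAMPLE_ENCRYPTED_LOGOUT_REQUEST)),
    ):
        print(label, summarize_logout_request(decode_saml_request(value)))
```

To use it on a real exchange, take the SAMLRequest value from the browser's network tab (or from the CAS debug output once the org.apache.http.wire logger mentioned above is turned up) and pass it to decode_saml_request. Compare the Destination and Issuer with the SP's SLO endpoint and with the IdP entityID in the SP's metadata; if the subject is an EncryptedID, the SP must hold the matching decryption key, and the transient NameID or SessionIndex it then recovers is only useful if the SP still has the corresponding session in its session cache or cookie.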
