Problems with Single Logout when using CAS as SAML Client

lars....@materna.de

Nov 6, 2019, 6:41:45 AM
to cas-...@apereo.org, cas...@apereo.org, Carste...@materna.de

Hello everyone,

we have a problem with using CAS 5.3.12.1 as a SAML client for delegated authentication.
The login process seems to work fine, but a SAML-IDP-initiated logout causes the following exception inside CAS:

2019-10-24 14:10:04,330 INFO [org.apereo.cas.web.flow.DelegatedClientAuthenticationAction] - <Performing a 200 HTTP action>
org.pac4j.core.exception.HttpAction: Performing a 200 HTTP action
    at org.pac4j.core.exception.HttpAction.ok(HttpAction.java:59) ~[pac4j-core-3.6.1.jar:?]
    at org.pac4j.saml.credentials.extractor.SAML2CredentialsExtractor.extract(SAML2CredentialsExtractor.java:66) ~[pac4j-saml-3.6.1.jar:?]
    at org.pac4j.saml.credentials.extractor.SAML2CredentialsExtractor.extract(SAML2CredentialsExtractor.java:26) ~[pac4j-saml-3.6.1.jar:?]
    at org.pac4j.core.client.BaseClient.retrieveCredentials(BaseClient.java:65) ~[pac4j-core-3.6.1.jar:?]
    at org.pac4j.core.client.IndirectClient.getCredentials(IndirectClient.java:140) ~[pac4j-core-3.6.1.jar:?]
    at org.apereo.cas.web.flow.DelegatedClientAuthenticationAction.doExecute(DelegatedClientAuthenticationAction.java:228) ~[cas-server-support-pac4j-webflow-5.3.12.1.jar:5.3.12.1]
    at org.springframework.webflow.action.AbstractAction.execute(AbstractAction.java:188) ~[spring-webflow-2.5.0.RELEASE.jar:2.5.0.RELEASE]
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:1.8.0_171]
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[?:1.8.0_171]
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:1.8.0_171]
    at java.lang.reflect.Method.invoke(Method.java:498) ~[?:1.8.0_171]
    at org.springframework.util.ReflectionUtils.invokeMethod(ReflectionUtils.java:215) ~[spring-core-4.3.25.RELEASE.jar:4.3.25.RELEASE]
    at org.springframework.cloud.context.scope.GenericScope$LockedScopedProxyFactoryBean.invoke(GenericScope.java:470) ~[spring-cloud-context-1.3.0.RELEASE.jar:1.3.0.RELEASE]
    at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:179) ~[spring-aop-4.3.25.RELEASE.jar:4.3.25.RELEASE]
    at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:213) ~[spring-aop-4.3.25.RELEASE.jar:4.3.25.RELEASE]
    at com.sun.proxy.$Proxy136.execute(Unknown Source) ~[?:?]
    at org.springframework.webflow.execution.ActionExecutor.execute(ActionExecutor.java:51) ~[spring-webflow-2.5.0.RELEASE.jar:2.5.0.RELEASE]
    at org.springframework.webflow.action.EvaluateAction.doExecute(EvaluateAction.java:77) ~[spring-webflow-2.5.0.RELEASE.jar:2.5.0.RELEASE]
    at org.springframework.webflow.action.AbstractAction.execute(AbstractAction.java:188) ~[spring-webflow-2.5.0.RELEASE.jar:2.5.0.RELEASE]
    at org.springframework.webflow.execution.ActionExecutor.execute(ActionExecutor.java:51) ~[spring-webflow-2.5.0.RELEASE.jar:2.5.0.RELEASE]
    at org.springframework.webflow.engine.ActionState.doEnter(ActionState.java:101) ~[spring-webflow-2.5.0.RELEASE.jar:2.5.0.RELEASE]
    at org.springframework.webflow.engine.State.enter(State.java:194) ~[spring-webflow-2.5.0.RELEASE.jar:2.5.0.RELEASE]
    at org.springframework.webflow.engine.Flow.start(Flow.java:527) ~[spring-webflow-2.5.0.RELEASE.jar:2.5.0.RELEASE]
    at org.springframework.webflow.engine.impl.FlowExecutionImpl.start(FlowExecutionImpl.java:368) ~[spring-webflow-2.5.0.RELEASE.jar:2.5.0.RELEASE]
    at org.springframework.webflow.engine.impl.FlowExecutionImpl.start(FlowExecutionImpl.java:223) ~[spring-webflow-2.5.0.RELEASE.jar:2.5.0.RELEASE]

The request which causes this exception is a SAML POST-binding request to /cas/login?client_name=foo&logoutendpoint=true which contains the samlp:LogoutRequest in its SAMLRequest form parameter.

We've already figured out that the org.pac4j.saml.credentials.extractor.SAML2CredentialsExtractor actually generates a samlp:LogoutResponse which is written to the HTTP response,
but it's not sent back to the browser because of the aforementioned exception.

We've also tried to define our own DelegatedClientAuthenticationAction in order to override the handleException() method.
When we catch, and silently ignore, the aforementioned exception there, the samlp:LogoutResponse is sent back to the browser, but no logout is performed inside CAS;
in particular, no services are informed about the logout (as described in https://apereo.github.io/cas/5.3.x/installation/Logout-Single-Signout.html).

Our setup is as follows:

1. A Client application which delegates its authentication to CAS using the cas3 protocol

2. The CAS instance which acts as proxy and delegates the authentication to an external IDP via SAML Post-Binding

3. An external SAML IDP.

Regarding the Single Logout, we’d expect the following flow:

1. The IDP sends a samlp:LogoutRequest to the CAS via SAML Post-Binding.

2. The CAS destroys the TGT and informs all CAS services via front-channel or back-channel communication about the logout.

3. The CAS sends a samlp:LogoutResponse back to the IDP via SAML Post-Binding.

Has anyone tried such a setup before or has an idea on how to get it working?

With kind regards,

Lars Grefer

IT Specialist (Application Development)
Business Line Public Sector

Phone: +49 231 5599-8294
lars....@materna.de

www.materna.de

_________________________________________________________

Materna Information & Communications SE | Voßkuhle 37 | D-44141 Dortmund | Germany
Board of Management: Michael Knopp
Chairman of the Supervisory Board: Dr. Winfried Materna
Dortmund District Court HRB 30301
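As an added illustration of the message handling the expected flow above describes (this is not code from the original post, from CAS or from pac4j): decoding the POST-binding SAMLRequest form parameter, recognising a samlp:LogoutRequest from the configured IdP rather than routing it into credential extraction, and building the samlp:LogoutResponse with InResponseTo. The entity IDs, endpoint URL and sample request are constructed; signing and signature verification are assumed to be done by the SAML library.

```python
import base64
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"samlp": SAMLP, "saml": SAML}
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)

def encode_post_binding(xml: str) -> str:
    # POST binding: plain base64 of the XML (no DEFLATE, unlike the Redirect binding).
    return base64.b64encode(xml.encode()).decode()

def decode_post_binding(form_param: str) -> ET.Element:
    return ET.fromstring(base64.b64decode(form_param))

# Constructed sample of what the IdP would POST in the SAMLRequest form parameter.
IDP_ENTITY_ID = "https://idp.example.org/idp"  # assumed value
SAMPLE_LOGOUT_REQUEST = encode_post_binding(f"""
<samlp:LogoutRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="_req1"
    Version="2.0" IssueInstant="2019-10-24T12:10:00Z">
  <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
  <saml:NameID>lars</saml:NameID>
  <samlp:SessionIndex>_sess42</samlp:SessionIndex>
</samlp:LogoutRequest>""".strip())

def parse_logout_request(root: ET.Element, expected_issuer: str):
    # Only a samlp:LogoutRequest from the configured IdP is an SLO; anything else (e.g. a login samlp:Response) returns None.
    if root.tag != f"{{{SAMLP}}}LogoutRequest":
        return None
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    if issuer != expected_issuer:
        raise ValueError(f"LogoutRequest from unexpected issuer {issuer!r}")
    return {"id": root.get("ID"),
            "name_id": root.findtext("saml:NameID", namespaces=NS),
            "session_index": root.findtext("samlp:SessionIndex", namespaces=NS)}

def build_logout_response(request_id: str, sp_entity_id: str,
                          destination: str, response_id: str) -> str:
    # Minimal samlp:LogoutResponse; InResponseTo binds it to the IdP's request. Signing is left to the SAML library.
    resp = ET.Element(f"{{{SAMLP}}}LogoutResponse", {
        "ID": response_id, "Version": "2.0", "InResponseTo": request_id,
        "Destination": destination, "IssueInstant": "2019-10-24T12:10:04Z"})
    ET.SubElement(resp, f"{{{SAML}}}Issuer").text = sp_entity_id
    status = ET.SubElement(resp, f"{{{SAMLP}}}Status")
    ET.SubElement(status, f"{{{SAMLP}}}StatusCode",
                  Value="urn:oasis:names:tc:SAML:2.0:status:Success")
    return ET.tostring(resp, encoding="unicode")
```

In the poster's flow, the dictionary returned by parse_logout_request is what CAS would use to find and destroy the TGT and notify services before the response is sent.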

 
