Delegated SAML logout does not work (branch 5.3.x)


Marco Ceriani

Jun 13, 2019, 11:24:25 AM6/13/19
to CAS Developer
Hi all

I have an issue with the Single Log Out feature.

The scenario is the following: the user logs in to CAS using an assertion from an external IdP. Then the user calls the logout endpoint of CAS, to request the destruction of all his applicative sessions. I have configured my services to receive the logout requests from CAS using the back channel, and this works correctly. However, CAS is not propagating the logout back to the SAML IdP.

Debugging the code I have found what causes the issue.

In the finishLogout step of the logout webflow, the class DelegatedAuthenticationSAML2ClientLogoutAction searches for the name of the client by looking at attribute "pac4jUserProfiles" in either the request or the session. However, as soon as the logout flow starts, the action terminateSession removes that attribute from both the request and the session.

These are the relevant pieces of code

In step terminateSession
package org.apereo.cas.web.flow.logout;

public class TerminateSessionAction extends AbstractAction {

    public Event terminate(final RequestContext context) {
        ...
        destroyApplicationSession(request, response);
        ...
    }

    protected void destroyApplicationSession(final HttpServletRequest request, final HttpServletResponse response) {
        ...
        final ProfileManager manager = Pac4jUtils.getPac4jProfileManager(request, response);
        // This kills all delegated authn profiles via pac4j.
        manager.logout();
        ...
    }
}

Later, in step finishLogout
package org.apereo.cas.web.flow;

public class DelegatedAuthenticationSAML2ClientLogoutAction extends AbstractAction {

    @Override
    protected Event doExecute(final RequestContext requestContext) {
        ...
        final String currentClientName = findCurrentClientName(context);
        ...
    }

    private String findCurrentClientName(final WebContext webContext) {
        final ProfileManager<? extends CommonProfile> pm = Pac4jUtils.getPac4jProfileManager(webContext);
        // This searches for the authn profiles in the request or the session
        final Optional<? extends CommonProfile> profile = pm.get(true);
        return profile.map(CommonProfile::getClientName).orElse(null);
    }
}

I could help in refining the analysis, but honestly the fix is beyond my knowledge of CAS. Should I open a pull request?
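The ordering problem described in this post, as an added illustration that is not code from CAS or pac4j: a minimal stand-in for the pac4j profile store keeps the delegated profile under the "pac4jUserProfiles" attribute in a request map and a session map, the two places findCurrentClientName() looks. Running the terminateSession step before the lookup yields a null client name, so no SAML LogoutRequest can be addressed to the IdP; snapshotting the client name into the flow scope before the session is destroyed keeps it available. All class, method and attribute names other than "pac4jUserProfiles" are hypothetical, and the client name "ExampleSaml2Client" is a constructed sample value.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.Optional;

public final class LogoutOrdering {

    // Hypothetical stand-in for the pac4j ProfileManager: the delegated profile lives
    // under the "pac4jUserProfiles" attribute of the request or the session.
    static final class ProfileStore {
        static final String ATTR = "pac4jUserProfiles";
        private final Map<String, Object> requestAttrs;
        private final Map<String, Object> sessionAttrs;

        ProfileStore(Map<String, Object> requestAttrs, Map<String, Object> sessionAttrs) {
            this.requestAttrs = requestAttrs;
            this.sessionAttrs = sessionAttrs;
        }

        // Mirrors pm.get(true): read the profile from the request, falling back to the session.
        Optional<String> currentClientName() {
            Object v = requestAttrs.containsKey(ATTR) ? requestAttrs.get(ATTR) : sessionAttrs.get(ATTR);
            return Optional.ofNullable((String) v);
        }

        // Mirrors manager.logout(): drops the delegated profile from both scopes.
        void logout() {
            requestAttrs.remove(ATTR);
            sessionAttrs.remove(ATTR);
        }
    }

    // Order as the post describes it: terminateSession runs before finishLogout,
    // so the client lookup finds nothing and the IdP is never notified.
    static String terminateThenLookup(ProfileStore store) {
        store.logout();                                  // terminateSession
        return store.currentClientName().orElse(null);   // finishLogout: null
    }

    // Mitigation pattern (hypothetical, not the upstream fix): capture the delegated
    // client name into the flow scope before the session is destroyed, and let the
    // finishLogout step read it from there instead of from the pac4j profiles.
    static String snapshotThenTerminate(ProfileStore store, Map<String, Object> flowScope) {
        store.currentClientName().ifPresent(n -> flowScope.put("delegatedClientName", n));
        store.logout();                                          // terminateSession
        return (String) flowScope.get("delegatedClientName");    // finishLogout
    }

    // Builds a session that holds one delegated profile, as after a SAML login.
    private static ProfileStore freshStore() {
        Map<String, Object> request = new HashMap<>();
        Map<String, Object> session = new HashMap<>();
        session.put(ProfileStore.ATTR, "ExampleSaml2Client"); // constructed sample client name
        return new ProfileStore(request, session);
    }

    public static void main(String[] args) {
        System.out.println("terminate first : " + terminateThenLookup(freshStore()));
        System.out.println("snapshot first  : " + snapshotThenTerminate(freshStore(), new HashMap<>()));
    }
}
```

Run it with `java LogoutOrdering.java` on JDK 11 or later; the first line shows the lost client name, the second shows it preserved. The same check applies when reading CAS logs for a delegated logout: if the SAML logout action cannot resolve a client name, verify which earlier webflow step cleared the pac4j profiles.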

