CAS 6.4.4.1 Microsoft SAML logout request failed


Enrique Guerrero

Dec 17, 2021, 5:02:22 AM
to CAS Community
Hi there.

I'm using CAS (v.6.4.4.1) as IdP for users who want to use Office 365. I configured the integration following this guide: https://apereo.github.io/2018/12/06/cas53-office365-saml2-integration/

The login and SSO session work great over the SAML protocol. The failure occurs at logout. We saw that Microsoft sends the SAML Logout Request without signing it. This causes an error in CAS, which reports that the validation of the request simple signature failed for context issuer "urn:federation:MicrosoftOnline".

I attempted to allow unsigned SAML logout requests using this property (cas.authn.saml-idp.logout.force-signed-logout-requests=false): https://apereo.github.io/cas/6.3.x/configuration/Configuration-Properties.html#saml-logout , but it doesn't do anything.

This SAML logout failure doesn't happen in our integration with Cisco Webex. Cisco sends us the SAML logout request with a valid signature, which results in a correct logout on CAS.

=======================================================================

These are the Microsoft SAML Logout Request and CAS log:

<samlp:LogoutRequest
        ID="_432d86e3-f344-4f1e-b553-a6c49e38ce2c"
        Version="2.0"
        IssueInstant="2021-11-42T19:10:29.132Z"
        Destination="https://<OUR_CAS_INSTANCE>/cas/idp/profile/SAML2/Redirect/SLO"
        xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">

        <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">urn:federation:MicrosoftOnline</Issuer>

        <NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" xmlns="urn:oasis:names:tc:SAML:2.0:assertion">localUsername</NameID>
        <samlp:SessionIndex>ST-13-ZXChfuWEi-uGlIlVejtucpHznlw-sv0181</samlp:SessionIndex>

</samlp:LogoutRequest>

=======================================================================

2021-11-24 19:10:29,947 ERROR [org.apereo.cas.services.web.support.RegisteredServiceResponseHeadersEnforcementFilter] - <NullPointerException> java.lang.NullPointerException: null
    at org.apereo.cas.support.saml.services.SamlIdPEntityIdAuthenticationServiceSelectionStrategy.supports(SamlIdPEntityIdAuthenticationServiceSelectionStrategy.java:48) ~[cas-server-support-saml-idp-metadata-6.4.2.jar:6.4.2]
    at org.apereo.cas.authentication.DefaultAuthenticationServiceSelectionPlan.lambda$resolveService$0(DefaultAuthenticationServiceSelectionPlan.java:38) ~[cas-server-core-authentication-api-6.4.2.jar:6.4.2]
    at java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:176) ~[?:?]
    at java.util.ArrayList$ArrayListSpliterator.tryAdvance(ArrayList.java:1631) ~[?:?]
    at java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:127) ~[?:?]
    at java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:502) ~[?:?]
    at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:488) ~[?:?]
    at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:474) ~[?:?]
    at java.util.stream.FindOps$FindOp.evaluateSequential(FindOps.java:150) ~[?:?]
    at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234) ~[?:?]
    at java.util.stream.ReferencePipeline.findFirst(ReferencePipeline.java:543) ~[?:?]
    at org.apereo.cas.authentication.DefaultAuthenticationServiceSelectionPlan.resolveService(DefaultAuthenticationServiceSelectionPlan.java:39) ~[cas-server-core-authentication-api-6.4.2.jar:6.4.2]
    at org.apereo.cas.services.web.support.RegisteredServiceResponseHeadersEnforcementFilter.getRegisteredServiceFromRequest(RegisteredServiceResponseHeadersEnforcementFilter.java:205) ~[cas-server-core-web-api-6.4.2.jar:6.4.2]
    at org.apereo.cas.services.web.support.RegisteredServiceResponseHeadersEnforcementFilter.prepareFilterBeforeExecution(RegisteredServiceResponseHeadersEnforcementFilter.java:63) ~[cas-server-core-web-api-6.4.2.jar:6.4.2]
    at org.apereo.cas.web.support.filters.ResponseHeadersEnforcementFilter.doFilter(ResponseHeadersEnforcementFilter.java:184) ~[cas-server-core-web-api-6.4.2.jar:6.4.2]
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) ~[catalina.jar:9.0.30]
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) ~[catalina.jar:9.0.30]
    at org.apereo.cas.web.support.filters.AddResponseHeadersFilter.doFilter(AddResponseHeadersFilter.java:62) ~[cas-server-core-web-api-6.4.2.jar:6.4.2]
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) ~[catalina.jar:9.0.30]
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) ~[catalina.jar:9.0.30]
    at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:204) ~[spring-security-web-5.5.2.jar:5.5.2]
    at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:183) ~[spring-security-web-5.5.2.jar:5.5.2]
    at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:358) ~[spring-web-5.3.9.jar:5.3.9]
    at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:271) ~[spring-web-5.3.9.jar:5.3.9]
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) ~[catalina.jar:9.0.30]
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) ~[catalina.jar:9.0.30]
    at org.springframework.web.filter.RequestContextFilter.doFilterInternal(RequestContextFilter.java:100) ~[spring-web-5.3.9.jar:5.3.9]
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119) ~[spring-web-5.3.9.jar:5.3.9]
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) ~[catalina.jar:9.0.30]
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) ~[catalina.jar:9.0.30]
    at org.springframework.web.filter.FormContentFilter.doFilterInternal(FormContentFilter.java:93) ~[spring-web-5.3.9.jar:5.3.9]
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119) ~[spring-web-5.3.9.jar:5.3.9]
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) ~[catalina.jar:9.0.30]
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) ~[catalina.jar:9.0.30]
    at org.springframework.boot.actuate.metrics.web.servlet.WebMvcMetricsFilter.doFilterInternal(WebMvcMetricsFilter.java:96) ~[spring-boot-actuator-2.5.4.jar:2.5.4]
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119) ~[spring-web-5.3.9.jar:5.3.9]
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) ~[catalina.jar:9.0.30]
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) ~[catalina.jar:9.0.30]
    at org.apereo.cas.logging.web.ThreadContextMDCServletFilter.doFilter(ThreadContextMDCServletFilter.java:99) ~[cas-server-core-logging-6.4.2.jar:6.4.2]
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) ~[catalina.jar:9.0.30]
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) ~[catalina.jar:9.0.30]
    at org.apereo.inspektr.common.web.ClientInfoThreadLocalFilter.doFilter(ClientInfoThreadLocalFilter.java:66) ~[inspektr-common-1.8.16.GA.jar:1.8.16.GA]
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) ~[catalina.jar:9.0.30]
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) ~[catalina.jar:9.0.30]
    at org.springframework.boot.web.servlet.support.ErrorPageFilter.doFilter(ErrorPageFilter.java:126) ~[spring-boot-2.5.4.jar:2.5.4]
    at org.springframework.boot.web.servlet.support.ErrorPageFilter.access$000(ErrorPageFilter.java:64) ~[spring-boot-2.5.4.jar:2.5.4]
    at org.springframework.boot.web.servlet.support.ErrorPageFilter$1.doFilterInternal(ErrorPageFilter.java:101) ~[spring-boot-2.5.4.jar:2.5.4]
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119) ~[spring-web-5.3.9.jar:5.3.9]
    at org.springframework.boot.web.servlet.support.ErrorPageFilter.doFilter(ErrorPageFilter.java:119) ~[spring-boot-2.5.4.jar:2.5.4]
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) ~[catalina.jar:9.0.30]
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) ~[catalina.jar:9.0.30]
    at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:201) ~[spring-web-5.3.9.jar:5.3.9]
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119) ~[spring-web-5.3.9.jar:5.3.9]
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) ~[catalina.jar:9.0.30]
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) ~[catalina.jar:9.0.30]
    at org.apache.logging.log4j.web.Log4jServletFilter.doFilter(Log4jServletFilter.java:71) ~[log4j-web-2.14.1.jar:2.14.1]
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) ~[catalina.jar:9.0.30]
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) ~[catalina.jar:9.0.30]
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:202) ~[catalina.jar:9.0.30]
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96) ~[catalina.jar:9.0.30]
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:541) ~[catalina.jar:9.0.30]
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:139) ~[catalina.jar:9.0.30]
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92) ~[catalina.jar:9.0.30]
    at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:678) ~[catalina.jar:9.0.30]
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:74) ~[catalina.jar:9.0.30]
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343) ~[catalina.jar:9.0.30]
    at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:367) ~[tomcat-coyote.jar:9.0.30]
    at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65) ~[tomcat-coyote.jar:9.0.30]
    at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:860) ~[tomcat-coyote.jar:9.0.30]
    at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1598) ~[tomcat-coyote.jar:9.0.30]
    at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49) ~[tomcat-coyote.jar:9.0.30]
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128) ~[?:?]
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628) ~[?:?]
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) ~[tomcat-util.jar:9.0.30]
    at java.lang.Thread.run(Thread.java:834) [?:?]
2021-11-24 19:10:30,031 WARN [org.opensaml.saml.common.binding.security.impl.BaseSAMLSimpleSignatureSecurityHandler] - <Message Handler: Simple signature validation (with no request-derived credentials) failed>
2021-11-24 19:10:30,032 WARN [org.opensaml.saml.common.binding.security.impl.BaseSAMLSimpleSignatureSecurityHandler] - <Message Handler: Validation of request simple signature failed for context issuer: urn:federation:MicrosoftOnline>

Do you know a way to make CAS accept unsigned SAML logout requests?

Thanks so much for your support!

Enrique Guerrero

Dec 17, 2021, 5:03:44 AM
to CAS Community, Enrique Guerrero
ADD: I saw that the same error happened in CAS 6.3.X versions.

Ray Bon

Dec 18, 2021, 1:39:51 PM
to CAS Community

Enrique,


This is a security shortcoming in the Office 365 config. You do not want to accept unsigned logout requests.

First try to fix Office 365.


Ray


Enrique Guerrero

Dec 20, 2021, 3:28:11 AM
to CAS Community, Ray Bon
Thanks for your request, Ray. I appreciate it.

I agree with you, but first I had a meeting with a Microsoft technician. He told us that this is the Microsoft SAML behaviour. He will report the issue to another department, but there is no plan to change it soon.

In this situation we are thinking about accepting unsigned SAML logout requests in our CAS instance. Considering it calmly, accepting unsigned logout requests isn't a security issue. It's only a logout request. Obviously we know that in an ideal situation it's better to accept only signed logout requests. We don't have better options right now.

We are thinking about doing a custom implementation. Do you know any better CAS options?

Thanks so much.

Enrique.
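The thread turns on whether an IdP should act on a LogoutRequest that carries no signature, and the last post proposes accepting such requests. The Python script below is an added example written for this page; it is not CAS code (CAS is Java and delegates these checks to OpenSAML) and not Microsoft's. It reconstructs the HTTP-Redirect binding exchange around the LogoutRequest quoted in the first post (base64 over raw DEFLATE in the SAMLRequest query parameter, with the signature, when one exists, carried in the SigAlg and Signature parameters) and then applies the policy a defender would want if unsigned requests are accepted at all: the request must still name a SessionIndex that is live for that Issuer/NameID pair, must be addressed to this SLO endpoint, and must fall inside a clock-skew window. The session binding is what limits the damage: without it, a request that only knows a username would be enough to end that user's sessions, since nothing else can be checked when the sender signs nothing. Assumptions that are the example's own: the host `cas.example.org` stands in for the redacted `<OUR_CAS_INSTANCE>`, the IssueInstant date is taken from the log timestamp because the posted value `2021-11-42` is not a valid date, and the function names, the `active_sessions` table and the five-minute skew window are invented for illustration. When a signature is present, only its presence is detected here; cryptographic verification is left to the SAML library.

```python
import base64
import datetime as dt
import xml.etree.ElementTree as ET
import zlib
from urllib.parse import parse_qs, urlencode

NS_P = "urn:oasis:names:tc:SAML:2.0:protocol"
NS_A = "urn:oasis:names:tc:SAML:2.0:assertion"
NS_DS = "http://www.w3.org/2000/09/xmldsig#"

# Assumed SLO endpoint; the thread redacts the real host as <OUR_CAS_INSTANCE>.
SLO_URL = "https://cas.example.org/cas/idp/profile/SAML2/Redirect/SLO"
SESSION_INDEX = "ST-13-ZXChfuWEi-uGlIlVejtucpHznlw-sv0181"

# Constructed from the LogoutRequest quoted in the thread. IssueInstant is assumed
# to be 2021-11-24 (the log timestamp); the posted "2021-11-42" is not a valid date.
SAMPLE_XML = f"""<samlp:LogoutRequest ID="_432d86e3-f344-4f1e-b553-a6c49e38ce2c" Version="2.0" \
IssueInstant="2021-11-24T19:10:29.132Z" Destination="{SLO_URL}" xmlns:samlp="{NS_P}">\
<Issuer xmlns="{NS_A}">urn:federation:MicrosoftOnline</Issuer>\
<NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" xmlns="{NS_A}">localUsername</NameID>\
<samlp:SessionIndex>{SESSION_INDEX}</samlp:SessionIndex>\
</samlp:LogoutRequest>"""


def encode_redirect(xml_text, relay_state=None):
    """HTTP-Redirect binding: raw DEFLATE, then base64, then URL-encoded query params.
    An unsigned sender simply omits the SigAlg and Signature parameters."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15: raw deflate, no zlib header
    deflated = comp.compress(xml_text.encode("utf-8")) + comp.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode("ascii")}
    if relay_state is not None:
        params["RelayState"] = relay_state
    return urlencode(params)


def decode_redirect(query_string):
    """Inverse of encode_redirect. Returns (query params, LogoutRequest XML text)."""
    params = {k: v[0] for k, v in parse_qs(query_string).items()}
    deflated = base64.b64decode(params["SAMLRequest"])
    return params, zlib.decompress(deflated, -15).decode("utf-8")


def parse_logout_request(xml_text):
    """Extract the fields the logout policy needs from a samlp:LogoutRequest."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}LogoutRequest" % NS_P:
        raise ValueError("not a samlp:LogoutRequest")
    return {
        "id": root.get("ID"),
        "issue_instant": root.get("IssueInstant"),
        "destination": root.get("Destination"),
        "issuer": root.findtext("{%s}Issuer" % NS_A),
        "name_id": root.findtext("{%s}NameID" % NS_A),
        "session_indexes": [e.text for e in root.findall("{%s}SessionIndex" % NS_P)],
        # The POST binding carries the signature inside the XML, not in the query string.
        "enveloped_signature": root.find("{%s}Signature" % NS_DS) is not None,
    }


def _parse_instant(value):
    return dt.datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=dt.timezone.utc)


def evaluate_logout_request(params, req, active_sessions, force_signed=True,
                            now=None, max_skew_s=300):
    """Decide whether to act on a parsed LogoutRequest. active_sessions maps
    (issuer, name_id) -> set of SessionIndex values currently live at the IdP.
    Returns (accepted, reason)."""
    signature_present = "Signature" in params or req["enveloped_signature"]
    if force_signed and not signature_present:
        return False, "unsigned LogoutRequest rejected (force-signed-logout-requests=true)"
    if req["destination"] != SLO_URL:
        return False, "Destination does not match this SLO endpoint"
    try:
        issued = _parse_instant(req["issue_instant"])
    except (TypeError, ValueError):
        return False, "malformed IssueInstant"
    current = _parse_instant(now) if now else dt.datetime.now(dt.timezone.utc)
    if abs((current - issued).total_seconds()) > max_skew_s:
        return False, "IssueInstant outside clock-skew window"
    # Bind the request to real IdP state: without a signature, the unguessable
    # SessionIndex is the only proof that the sender took part in this session.
    live = active_sessions.get((req["issuer"], req["name_id"]), set())
    matched = live & set(req["session_indexes"])
    if not matched:
        return False, "no live session for this issuer/subject with a listed SessionIndex"
    if not signature_present:
        return True, "unsigned, accepted only because it names live session(s)"
    return True, "signature present; cryptographic verification is left to the SAML stack"


if __name__ == "__main__":
    params, xml_text = decode_redirect(encode_redirect(SAMPLE_XML))
    req = parse_logout_request(xml_text)
    sessions = {("urn:federation:MicrosoftOnline", "localUsername"): {SESSION_INDEX}}
    for forced in (True, False):
        print(forced, evaluate_logout_request(params, req, sessions, force_signed=forced,
                                              now="2021-11-24T19:10:30.000Z"))
```

Run it as a script and the same unsigned request is rejected with `force_signed=True` (the behaviour the thread's log shows) and accepted with `force_signed=False` only because its SessionIndex is live; pass an empty `active_sessions` table and it is rejected again. The garbled IssueInstant from the posted request is reported as malformed rather than crashing the handler.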