Back Channel not called


Ramakrishna G

Aug 10, 2018, 2:42:03 AM
to CAS Community
Hello all,

I am using mod_auth_cas as the CAS client and HA CAS servers. In the service I have defined:

{
  "@class" : "org.apereo.cas.services.RegexRegisteredService",
  "serviceId" : "^(https)://.*",
  "name" : "wildcard",
  "id" : 1,
  "logoutType" : "BACK_CHANNEL",
}

The logoutUrl is never called, but the logs say:

Preparing to send logout request to   https://webserverip/logout.html
Prepared to send logout request to   https://webserverip/logout.html
[1] logout requests were processed

But logout.html is never called. I don't know what mistake I am making.

Can anyone help, please?

Thanks 



Ray Bon

Aug 10, 2018, 12:30:34 PM
to cas-...@apereo.org
Ramakrishna,

This looks like a problem with certificates or network. If the certificate for webserverip is self-signed, you have to add it to the Java keystore for the CAS servers (use keytool). I know less about network issues.

Ray
-- 
Ray Bon
Programmer analyst
Development Services, University Systems
2507218831 | CLE 019 | rb...@uvic.ca

Ramakrishna G

Aug 10, 2018, 12:49:08 PM
to CAS Community
I am using a wildcard certificate. The certificate is installed on both machines. I don't have domains created for the CAS servers. I am accessing them via IP. Would that be the reason? Is it necessary to communicate with the CAS servers by domain name?

--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/1533918628.2842.67.camel%40uvic.ca.

Ray Bon

Aug 10, 2018, 1:28:38 PM
to cas-...@apereo.org
Try with the name instead of ip.

Ray

Ramakrishna G

Aug 13, 2018, 7:28:02 AM
to CAS Community
Ray,

I tried even with domain name. No luck!!


Ray Bon

Aug 13, 2018, 12:31:55 PM
to cas-...@apereo.org
Ramakrishna,

If you have not done so already, turn up debugging on CAS and client to see if there is any hint. You may have to dig into network communications.
Can you curl a post to:

Ray

Ramakrishna G

Aug 15, 2018, 12:07:42 PM
to CAS Community
Ray,

I have tried all possible ways but my logoutUrl is not called. 

This is my log

<Logout type registered for [AbstractWebApplicationService(id=https://abc.domain.com/, originalUrl=https://abc.domain.com/, artifactId=null, principal=cas, source=service, loggedOutAlready=false, format=XML, attributes={})] is [BACK_CHANNEL]>
2018-08-15 21:32:12,403 DEBUG [org.apereo.cas.logout.DefaultSingleLogoutServiceMessageHandler] - <Creating back-channel logout request based on [DefaultLogoutRequest(ticketId=ST-3-9xOj3CM8bFolCEXzTk6pJaeSE1oSSLDCTRSSO02, service=AbstractWebApplicationService(id=https://abc.domain.com/, originalUrl=https://abc.domain.com/, artifactId=null, principal=cas, source=service, loggedOutAlready=false, format=XML, attributes={}), status=NOT_ATTEMPTED, logoutUrl=https://xyz.domain.com/logout.html)]>
2018-08-15 21:32:12,404 DEBUG [org.apereo.cas.logout.SamlCompliantLogoutMessageCreator] - <Generated logout message: [<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="LR-3--WXquGTKlwEFb7fwvKR-GkI1" Version="2.0" IssueInstant="2018-08-15T21:32:12Z"><saml:NameID xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">@NOT_USED@</saml:NameID><samlp:SessionIndex>ST-3-9xOj3CM8bFolCEXzTk6pJaeSE1oSSLDCTRSSO02</samlp:SessionIndex></samlp:LogoutRequest>]>
2018-08-15 21:32:12,405 DEBUG [org.apereo.cas.logout.DefaultSingleLogoutServiceMessageHandler] - <Preparing logout request for [https://abc.domain.com/] to [https://xyz.domain.com/logout.html]>
2018-08-15 21:32:12,406 DEBUG [org.apereo.cas.logout.DefaultSingleLogoutServiceMessageHandler] - <Prepared logout message to send is [HttpMessage(url=https://xyz.domain.com/logout.html, message=logoutRequest=%3Csamlp%3ALogoutRequest+xmlns%3Asamlp%3D%22urn%3Aoasis%3Anames%3Atc%3ASAML%3A2.0%3Aprotocol%22+ID%3D%22LR-3--WXquGTKlwEFb7fwvKR-GkI1%22+Version%3D%222.0%22+IssueInstant%3D%222018-08-15T21%3A32%3A12Z%22%3E%3Csaml%3ANameID+xmlns%3Asaml%3D%22urn%3Aoasis%3Anames%3Atc%3ASAML%3A2.0%3Aassertion%22%3E%40NOT_USED%40%3C%2Fsaml%3ANameID%3E%3Csamlp%3ASessionIndex%3EST-3-9xOj3CM8bFolCEXzTk6pJaeSE1oSSLDCTRSSO02%3C%2Fsamlp%3ASessionIndex%3E%3C%2Fsamlp%3ALogoutRequest%3E, responseCode=0, asynchronous=true, contentType=application/x-www-form-urlencoded)]. Sending...>
2018-08-15 21:32:12,452 DEBUG [org.apereo.cas.util.http.SimpleHttpClient] - <Created HTTP post message payload [POST https://xyz.domain.com/logout.html HTTP/1.1]>
2018-08-15 21:32:12,466 INFO [org.apereo.cas.logout.DefaultLogoutManager] - <[1] logout requests were processed>
2018-08-15 21:32:12,468 DEBUG [org.apereo.cas.ticket.registry.AbstractTicketRegistry] - <Attempting to decode [EncodedTicket(id=87a5d1181fbfe4f24bcfabf5119ad705c3ccbdb6a606ff691637b2d778174c8495a08f55b5f01ceca966934b3dea9dee0ae368114f68c3679c168fe56034b049)]>
2018-08-15 21:32:12,469 DEBUG [org.apereo.cas.ticket.registry.AbstractTicketRegistry] - <Decoded ticket to [TGT-3-aFjeNpK6frLv2VrXoSrbbsuvU110DAhlXFSbKfDq87EW1yk8F7s6-8nhHLwwbBoOPbUSSLDCTRSSO02]>
2018-08-15 21:32:12,470 DEBUG [org.apereo.cas.ticket.registry.AbstractTicketRegistry] - <Removing children of ticket [TGT-3-aFjeNpK6frLv2VrXoSrbbsuvU110DAhlXFSbKfDq87EW1yk8F7s6-8nhHLwwbBoOPbUSSLDCTRSSO02] from the registry.>
2018-08-15 21:32:12,471 DEBUG [org.apereo.cas.ticket.registry.AbstractTicketRegistry] - <Removed ticket [ST-3-9xOj3CM8bFolCEXzTk6pJaeSE1oSSLDCTRSSO02]>
2018-08-15 21:32:12,472 DEBUG [org.apereo.cas.ticket.registry.AbstractTicketRegistry] - <Removing ticket [TGT-3-aFjeNpK6frLv2VrXoSrbbsuvU110DAhlXFSbKfDq87EW1yk8F7s6-8nhHLwwbBoOPbUSSLDCTRSSO02] from the registry.>
2018-08-15 21:32:12,473 DEBUG [org.apereo.cas.AbstractCentralAuthenticationService] - <Publishing [CasTicketGrantingTicketDestroyedEvent(ticketGrantingTicket=TGT-3-aFjeNpK6frLv2VrXoSrbbsuvU110DAhlXFSbKfDq87EW1yk8F7s6-8nhHLwwbBoOPbUSSLDCTRSSO02)]>
2018-08-15 21:32:12,474 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO: cas
WHAT: TGT-3-aFjeNpK6frLv2VrXoSrbbsuvU110DAhlXFSbKfDq87EW1yk8F7s6-8nhHLwwbBoOPbUSSLDCTRSSO02
ACTION: TICKET_GRANTING_TICKET_DESTROYED
APPLICATION: CAS
WHEN: Wed Aug 15 21:32:12 IST 2018
CLIENT IP ADDRESS: 172.26.101.71
SERVER IP ADDRESS: 172.15.17.171
=============================================================

I am able to do a curl request to "https://xyz.domain.com/logout.html" from my CAS server.


I don't see any log in my Apache though. I have also tried FRONT_CHANNEL but no luck.

Can you please check and help me in resolving this.

Thanks
Ram


Ray Bon

Aug 15, 2018, 12:54:35 PM
to cas-...@apereo.org
Ram,

Are you sure the request is not reaching? I checked my tomcat and it will show the logout POST in the access log but apache does not.
The service id is abc.domain.com (where login happened), but the target logout is xyz.domain.com. Is this a typo? The only thing identifying the session to terminate is the ST. If it was sent to abc on login, then xyz will not know about it (unless you have some funky cross domain session sharing).
Can you add some logging to logout.html?
You can also add some data to the curl POST:

message=<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="LR-3-yqsjo-tsMJUTvMmf-o4-D-EI" Version="2.0" IssueInstant="2018-08-15T09:31:59Z"><saml:NameID xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">@NOT_USED@</saml:NameID><samlp:SessionIndex>ST-1-wtDww85p-eauhK1Obnv28JuCVrM-tomt</samlp:SessionIndex></samlp:LogoutRequest>

just change the ST value.

Ray

Ramakrishna G

Aug 15, 2018, 1:57:03 PM
to CAS Community
Ray, 

Which version of CAS are you using? I remember back channel was working fine when I was using CAS version 5.2.2

Now when I updated to 5.3 it is not working.

Should logouturl be part of a protected CAS resource?


Ray Bon

Aug 15, 2018, 2:43:32 PM
to cas-...@apereo.org
Ram,

I am currently on 5.2.2.
logouturl should be publicly available. If using back channel, it is CAS that is calling and not user's browser so there is no session. With front channel, you could get away with it protected but if the session ended just as the redirect happened then you get the log in page when trying to log out, that would be weird.

Ray

Ramakrishna G

Aug 16, 2018, 11:23:41 AM
to CAS Community
Ray,

I downgraded the cas version and it is working fine. Thanks for your help!!

If I have opened the same service in multiple tabs of the same browser, can I send a backchannel request to all the opened tabs? Apart from checking from JavaScript every 5 seconds on the client side, do we have some mechanism in CAS which notifies all the services which are active?

Thanks
Ram


Ray Bon

Aug 16, 2018, 11:39:18 AM
to cas-...@apereo.org
Ram,

The back channel logout goes to the service, not the browser, so the service needs to end the user session. The user will only know the other tabs are logged out when they do a page refresh/request.

Ray
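
Added example, not part of the thread and not mod_auth_cas or CAS code: a sketch of what a service's logout endpoint does with the back-channel POST described in the replies above, using the `logoutRequest` form parameter and `SessionIndex` element seen in the posted log. The in-memory session dict keyed by service ticket, the size cap and all function names are assumptions, and the sample request is constructed.

```python
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
MAX_BODY = 8192  # assumed cap; the request in the log is a few hundred bytes


def extract_session_index(body):
    """Return the ticket from <samlp:SessionIndex>, or None if the body is unusable."""
    if len(body) > MAX_BODY:
        return None
    values = parse_qs(body).get("logoutRequest")  # parameter name as in the CAS log
    if not values or len(values) != 1:
        return None
    xml_text = values[0]
    # The logout URL is reachable without a session, so treat the XML as
    # untrusted: refuse DTDs and entity declarations before parsing.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        return None
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return None
    if root.tag != "{%s}LogoutRequest" % SAMLP_NS:
        return None
    ticket = (root.findtext("{%s}SessionIndex" % SAMLP_NS) or "").strip()
    return ticket or None


def handle_back_channel_logout(body, sessions):
    """Drop the local session created from that ticket; True if one existed."""
    ticket = extract_session_index(body)
    return ticket is not None and sessions.pop(ticket, None) is not None


def build_sample_body(ticket):
    """Constructed body shaped like the logged one (IDs are made up)."""
    xml_text = (
        '<samlp:LogoutRequest xmlns:samlp="%s" ID="LR-0-constructed" Version="2.0" '
        'IssueInstant="2018-08-15T00:00:00Z"><saml:NameID '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">@NOT_USED@</saml:NameID>'
        "<samlp:SessionIndex>%s</samlp:SessionIndex></samlp:LogoutRequest>"
    ) % (SAMLP_NS, ticket)
    return urlencode({"logoutRequest": xml_text})


if __name__ == "__main__":
    body = build_sample_body("ST-0-constructed")
    print(handle_back_channel_logout(body, {"ST-0-constructed": "alice"}))  # on abc
    print(handle_back_channel_logout(body, {}))                            # on xyz
```

The second call returns False because a host that never saw the service ticket at login has no session to end, which is the abc/xyz mismatch raised earlier in the thread.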

Ramakrishna G

Aug 16, 2018, 12:49:54 PM
to CAS Community
Thanks Ray for clarifying things.

Regards
Ramakrishna G
