SAML delegated authN in CAS 6.6.x, SLO has no signature element to external IDP?


Yan Zhou

Sep 8, 2023, 5:03:09 PM
to CAS Community
Hi,

I have almost completed SAML delegated authN with CAS and Okta (CAS delegates to Okta), except for SLO.

When the client app initiates SLO, it goes to CAS and CAS redirects to Okta, but Okta says "invalid signature": the SAML Logout request from CAS has no signature element. See below.

I verified the Okta settings; nowhere does it say it requires a signature in the Logout Request. Regardless, I cannot figure out how to get CAS to sign the SLO request in delegated authN. This setting made no difference even when set:

cas.authn.pac4j.saml[0].signServiceProviderLogoutRequest=true

<md:IDPSSODescriptor WantAuthnRequestsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">

This is the SLO from CAS to Okta, with no signature element. I suppose that is why Okta says "Invalid Signature", but I do not know how to get Okta to turn off the check. In Okta, "Validate SAML requests with signature certificates" is OFF.

Ideas?  thanks in advance

Yan

<saml2p:LogoutRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
    Destination="https://dev-.......okta.com/app/dev-11........p_1/ex......7/slo/saml"
    ID="_2701..........ca870e07705"
    IssueInstant="2023-09-08T20:09:28.830Z"
    Version="2.0">
  <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://localhost:8443/cas/samlsp</saml2:Issuer>
  <saml2:NameID xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">yan.......com</saml2:NameID>
  <saml2p:SessionIndex>_4ba2......3a4b0</saml2p:SessionIndex>
</saml2p:LogoutRequest>

Ray Bon

Sep 9, 2023, 12:48:41 AM
to cas-...@apereo.org
Yan,

It is a wise idea to sign logout requests. This prevents a bad actor from creating false logouts.
'Validate SAML requests with signature ...' is for the login request.

When your client app sends a logout request to CAS, does CAS (as IdP) end its session with the client?

Ray 

Yan Zhou

Sep 11, 2023, 1:44:33 PM
to CAS Community, Ray Bon
Hi,

It looks like CAS has already performed the logout (the TGC cookie is already removed) before it redirects to Okta to do its logout, but it does not have a signature element in the Logout request sent to Okta.

Would that be a problem? Even if Okta were to recognize it and log the user out, it will redirect back to CAS; now that the SSO session is already destroyed, CAS would not know how to handle the Okta response. I did see this message in the log, but it is not marked as an error: Can not evaluate delegated authentication policy without a service

Yan

2023-09-11 13:12:17,154 DEBUG [https-jsse-nio-8443-exec-7] [org.apereo.cas.web.flow.actions.DelegatedAuthenticationClientFinishLogoutAction] - <Located client from webflow state: [#SAML2Client# | name: bootsp2 | callbackUrl: https://localhost:8443/cas/login | urlResolver: org.pac4j.core.http.url.DefaultUrlResolver@47cf3a3b | callbackUrlResolver: org.pac4j.core.http.callback.QueryParameterCallbackUrlResolver@c83ed77 | ajaxRequestResolver: org.pac4j.core.http.ajax.DefaultAjaxRequestResolver@69099dc8 | redirectionActionBuilder: org.pac4j.saml.redirect.SAML2RedirectionActionBuilder@23a7d2b8 | credentialsExtractor: org.pac4j.saml.credentials.extractor.SAML2CredentialsExtractor@40492ade | authenticator: org.pac4j.saml.credentials.authenticator.SAML2Authenticator@7ee9de0e | profileCreator: org.pac4j.core.profile.creator.AuthenticatorProfileCreator@d271a54 | logoutActionBuilder: org.pac4j.saml.logout.SAML2LogoutActionBuilder@5b2bfbc6 | authorizationGenerators: [] | checkAuthenticationAttempt: true |]>
2023-09-11 13:12:17,154 DEBUG [https-jsse-nio-8443-exec-7] [org.apereo.cas.web.flow.actions.DelegatedAuthenticationClientFinishLogoutAction] - <Captured post logout url: [http://localhost:8081/saml/logout?SAMLResponse=pZI%2Fb8IwEMX3forI.......................................bELxwQ%3D%3D]>
2023-09-11 13:12:18,950 INFO [scheduling-1] [org.apereo.cas.services.AbstractServicesManager] - <Loaded [4] service(s) from [JsonServiceRegistry].>
2023-09-11 13:12:19,887 INFO [https-jsse-nio-8443-exec-3] [Spring Security Debugger] - <

************************************************************

Request received for POST '/login?client_name=bootsp2&logoutendpoint=true':
...................................... 

************************************************************

>
2023-09-11 13:12:19,888 DEBUG [https-jsse-nio-8443-exec-3] [org.apereo.cas.web.flow.CasFlowHandlerMapping] - <Mapped to [FlowHandlerMapping.DefaultFlowHandler@1f480c09]>
2023-09-11 13:12:19,890 DEBUG [https-jsse-nio-8443-exec-3] [org.apereo.cas.support.pac4j.authentication.clients.RefreshableDelegatedClients] - <The following clients are built: [[#SAML2Client# | name: bootsp2 | callbackUrl: https://localhost:8443/cas/login | urlResolver: org.pac4j.core.http.url.DefaultUrlResolver@47cf3a3b | callbackUrlResolver: org.pac4j.core.http.callback.QueryParameterCallbackUrlResolver@c83ed77 | ajaxRequestResolver: org.pac4j.core.http.ajax.DefaultAjaxRequestResolver@69099dc8 | redirectionActionBuilder: org.pac4j.saml.redirect.SAML2RedirectionActionBuilder@23a7d2b8 | credentialsExtractor: org.pac4j.saml.credentials.extractor.SAML2CredentialsExtractor@40492ade | authenticator: org.pac4j.saml.credentials.authenticator.SAML2Authenticator@7ee9de0e | profileCreator: org.pac4j.core.profile.creator.AuthenticatorProfileCreator@d271a54 | logoutActionBuilder: org.pac4j.saml.logout.SAML2LogoutActionBuilder@5b2bfbc6 | authorizationGenerators: [] | checkAuthenticationAttempt: true |]]>
2023-09-11 13:12:19,890 DEBUG [https-jsse-nio-8443-exec-3] [org.pac4j.core.client.Clients] - <Found client: #SAML2Client# | name: bootsp2 | callbackUrl: https://localhost:8443/cas/login | urlResolver: org.pac4j.core.http.url.DefaultUrlResolver@47cf3a3b | callbackUrlResolver: org.pac4j.core.http.callback.QueryParameterCallbackUrlResolver@c83ed77 | ajaxRequestResolver: org.pac4j.core.http.ajax.DefaultAjaxRequestResolver@69099dc8 | redirectionActionBuilder: org.pac4j.saml.redirect.SAML2RedirectionActionBuilder@23a7d2b8 | credentialsExtractor: org.pac4j.saml.credentials.extractor.SAML2CredentialsExtractor@40492ade | authenticator: org.pac4j.saml.credentials.authenticator.SAML2Authenticator@7ee9de0e | profileCreator: org.pac4j.core.profile.creator.AuthenticatorProfileCreator@d271a54 | logoutActionBuilder: org.pac4j.saml.logout.SAML2LogoutActionBuilder@5b2bfbc6 | authorizationGenerators: [] | checkAuthenticationAttempt: true | for name: bootsp2>
2023-09-11 13:12:19,890 DEBUG [https-jsse-nio-8443-exec-3] [org.apereo.cas.web.flow.actions.DelegatedClientAuthenticationAction] - <Delegated authentication client is [#SAML2Client# | name: bootsp2 | callbackUrl: https://localhost:8443/cas/login | urlResolver: org.pac4j.core.http.url.DefaultUrlResolver@47cf3a3b | callbackUrlResolver: org.pac4j.core.http.callback.QueryParameterCallbackUrlResolver@c83ed77 | ajaxRequestResolver: org.pac4j.core.http.ajax.DefaultAjaxRequestResolver@69099dc8 | redirectionActionBuilder: org.pac4j.saml.redirect.SAML2RedirectionActionBuilder@23a7d2b8 | credentialsExtractor: org.pac4j.saml.credentials.extractor.SAML2CredentialsExtractor@40492ade | authenticator: org.pac4j.saml.credentials.authenticator.SAML2Authenticator@7ee9de0e | profileCreator: org.pac4j.core.profile.creator.AuthenticatorProfileCreator@d271a54 | logoutActionBuilder: org.pac4j.saml.logout.SAML2LogoutActionBuilder@5b2bfbc6 | authorizationGenerators: [] | checkAuthenticationAttempt: true |] with service [null]>
2023-09-11 13:13:48,741 DEBUG [https-jsse-nio-8443-exec-3] [org.apereo.cas.pac4j.client.authz.BaseDelegatedClientIdentityProviderAuthorizer] - <Can not evaluate delegated authentication policy without a service>

Yan

Yan Zhou

Sep 13, 2023, 10:40:40 PM
to CAS Community, Yan Zhou, Ray Bon
Figured it out!

cas.authn.pac4j.saml[0].signServiceProviderLogoutRequest=true

I was looking for a signature element in the XML SAML Response. Actually, with delegated authN to Okta, the signature is not in the XML; it is a parameter in the GET request, along with the SAMLRequest parameter.

What got me there was thinking about how CAS delegated authN to Okta has been working: how did that carry a signature? I also saw the property.

Thx!

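The point Yan landed on is worth seeing end to end. With the SAML 2.0 HTTP-Redirect binding, the LogoutRequest XML is DEFLATE-compressed, base64-encoded and URL-encoded into the SAMLRequest query parameter, and the signature is a detached Signature query parameter computed over the encoded SAMLRequest, RelayState (if present) and SigAlg values, so inspecting the XML for a ds:Signature element will never find one. The following Go program is an added example written for this page, not CAS, pac4j or Okta code: it builds a signed redirect for a constructed LogoutRequest modelled on the one in the thread (placeholder Destination, ID, NameID and SessionIndex), verifies it the way an IdP would, and rejects the unsigned form that produced the "Invalid Signature" error. The RSA key is generated at run time; a real SP would use the key behind its metadata certificate.

```go
package main

import (
	"bytes"
	"compress/flate"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"io"
	"net/url"
	"strings"
)

// Added example, not CAS/pac4j/Okta code. Shows the SAML 2.0 HTTP-Redirect
// binding signature: a detached "Signature" query parameter, not a
// <ds:Signature> element inside the LogoutRequest XML.

const rsaSHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"

// Constructed LogoutRequest modelled on the thread's; all identifiers are placeholders.
const sampleLogoutRequest = `<saml2p:LogoutRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" Destination="https://idp.example.com/slo/saml" ID="_example-request-id" IssueInstant="2023-09-08T20:09:28.830Z" Version="2.0"><saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://localhost:8443/cas/samlsp</saml2:Issuer><saml2:NameID xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">user@example.com</saml2:NameID><saml2p:SessionIndex>_example-session-index</saml2p:SessionIndex></saml2p:LogoutRequest>`

// GenerateSPKey stands in for the SP's signing key (assumption: a fresh 2048-bit RSA key).
func GenerateSPKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// deflateBase64 applies the redirect-binding encoding: raw DEFLATE, then base64.
func deflateBase64(xml string) (string, error) {
	var buf bytes.Buffer
	w, err := flate.NewWriter(&buf, flate.DefaultCompression)
	if err != nil {
		return "", err
	}
	if _, err := w.Write([]byte(xml)); err != nil {
		return "", err
	}
	if err := w.Close(); err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(buf.Bytes()), nil
}

// inflateBase64 reverses deflateBase64 to recover the XML.
func inflateBase64(s string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(s)
	if err != nil {
		return "", err
	}
	r := flate.NewReader(bytes.NewReader(raw))
	defer r.Close()
	out, err := io.ReadAll(r)
	return string(out), err
}

// signedString is the exact octet string that gets signed: URL-encoded
// SAMLRequest, RelayState (only if present) and SigAlg, in that order.
func signedString(samlRequest, relayState, sigAlg string) string {
	s := "SAMLRequest=" + url.QueryEscape(samlRequest)
	if relayState != "" {
		s += "&RelayState=" + url.QueryEscape(relayState)
	}
	return s + "&SigAlg=" + url.QueryEscape(sigAlg)
}

// BuildSignedRedirect returns the query string the SP appends to the IdP's SLO
// endpoint, including the detached Signature parameter (RSA PKCS#1 v1.5, SHA-256).
func BuildSignedRedirect(xml, relayState string, key *rsa.PrivateKey) (string, error) {
	enc, err := deflateBase64(xml)
	if err != nil {
		return "", err
	}
	toSign := signedString(enc, relayState, rsaSHA256)
	digest := sha256.Sum256([]byte(toSign))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return toSign + "&Signature=" + url.QueryEscape(base64.StdEncoding.EncodeToString(sig)), nil
}

// VerifyRedirect is the IdP-side check. It returns the inflated LogoutRequest XML
// on success and an error when Signature is absent or does not verify, which is
// the "Invalid Signature" outcome the unsigned request in the thread produced.
func VerifyRedirect(query string, pub *rsa.PublicKey) (string, error) {
	q, err := url.ParseQuery(query)
	if err != nil {
		return "", err
	}
	samlRequest, sigB64, sigAlg := q.Get("SAMLRequest"), q.Get("Signature"), q.Get("SigAlg")
	if samlRequest == "" {
		return "", errors.New("missing SAMLRequest")
	}
	if sigB64 == "" {
		return "", errors.New("invalid signature: no Signature parameter on the redirect")
	}
	if sigAlg != rsaSHA256 {
		return "", fmt.Errorf("unsupported SigAlg %q", sigAlg)
	}
	sig, err := base64.StdEncoding.DecodeString(sigB64)
	if err != nil {
		return "", err
	}
	// Re-encoding the parsed values works here because both sides use the same
	// encoder; a production verifier should sign/verify the raw query octets as received.
	digest := sha256.Sum256([]byte(signedString(samlRequest, q.Get("RelayState"), sigAlg)))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return "", fmt.Errorf("invalid signature: %w", err)
	}
	return inflateBase64(samlRequest)
}

func main() {
	key, err := GenerateSPKey()
	if err != nil {
		panic(err)
	}
	query, _ := BuildSignedRedirect(sampleLogoutRequest, "", key)
	xml, err := VerifyRedirect(query, &key.PublicKey)
	fmt.Println("signed redirect verifies:", err == nil, "| ds:Signature inside XML:", strings.Contains(xml, "ds:Signature"))
	// The unsigned form (SAMLRequest only, as the original CAS config emitted) is rejected.
	_, err = VerifyRedirect(strings.Split(query, "&SigAlg=")[0], &key.PublicKey)
	fmt.Println("unsigned redirect rejected:", err != nil)
}
```

Two caveats for anyone debugging the same thing. First, URL-encoding differences (uppercase vs lowercase percent escapes, "+" vs "%20") between the signer and a verifier that re-encodes parsed values are a classic cause of spurious "invalid signature" results, which is why the specification has the verifier operate on the query string as received. Second, the SessionIndex and NameID are inside the compressed payload and are covered by the signature, so, as Ray noted, signing is what stops a third party from forging a logout for another user's session.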