Mod_auth_cas Logout Question


David Abney

Aug 18, 2016, 10:20:33 AM
to cas-...@apereo.org

I am using mod_auth_cas v1.1 with a proxy server to log in to our PaperCut system using CAS v4.2. We can set a logout URL in PaperCut, which is set to the CAS server logout URL. So, when I log out of PaperCut, it appears I am logged out of PaperCut and CAS, but if I go back to the proxy server then mod_auth_cas still logs me back into PaperCut without redirecting me to CAS to log in again.

Is there a way to log out of my session with mod_auth_cas or clear my mod_auth_cas cookie?

 

Thanks, 

 

––––––––––––––––––––

David Abney

ITS Web Developer/Programmer

 

600 West Walnut Street

Danville, Kentucky 40422

859.238.5761

 


www.centre.edu

 

Travis Schmidt

Aug 18, 2016, 11:17:48 AM
to David Abney, cas-...@apereo.org
Make sure "CASSSOEnabled On" is set in httpd.conf.  If you are using a Service Registry in CAS, make sure the Logout Channel is enabled and set to BACK_CHANNEL.  This is working for me, but I don't have a proxy in the middle either.



Neil Sabol

Aug 18, 2016, 11:36:04 AM
to cas-...@apereo.org

Hi David,

 

We’ve had mixed results with mod_auth_cas logout.

 

One way we have overcome this is using a separate, intermediary (non-CAS) logout page to:

 

· Remove the MOD_AUTH_CAS and MOD_AUTH_CAS_S cookies from the user’s session
· Redirect the user to the CAS logout page.

 

We use PHP, could be anything though:

 

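<?php
// Drop any copies held in a PHP session, then expire both mod_auth_cas cookies in the browser
unset($_SESSION['MOD_AUTH_CAS_S']);
setcookie('MOD_AUTH_CAS_S', '', time()-300, '/');
unset($_SESSION['MOD_AUTH_CAS']);
setcookie('MOD_AUTH_CAS', '', time()-300, '/');
// Send the user on to the CAS logout page and stop processing this request
header('Location: https://your.cas.server/cas/logout');
exit;
?>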

 

Not sure if that will work for your use case, but perhaps a starting point.

 

Thanks,

-Neil

David Abney

Aug 18, 2016, 12:18:00 PM
to Travis Schmidt, cas-...@apereo.org

Travis,

 

Below are the settings I used to try to get the mod_auth_cas logout to work, but I was still unsuccessful.  I guess it may have something to do with the fact that I am using a proxy server.

 

Since I am using Ubuntu, my mod_auth_cas settings are in /etc/apache2/mods-enabled/auth_cas.conf and they look like this:

CASCookiePath /var/cache/apache2/mod_auth_cas/
CASLoginURL [my cas server login url]
CASValidateURL [my cas server validate url]
CASDebug On
CASVersion 2
#Only if using SAML
#CASValidateSAML Off
#CASAttributeDelimiter ;
CASSSOEnabled On
CASCertificatePath /etc/ssl/certs

<Location />
    AuthType CAS
    CASAuthNHeader [my HTTP Header value]
    require valid-user
    CASScope /
</Location>

 

For my proxy server I have the logout type set to BACK_CHANNEL and my registered service looks like this:

{
  "@class" : "org.jasig.cas.services.RegexRegisteredService",
  "serviceId" : "[my proxy server url]",
  "name" : "CAS-PROXY",
  "id" : 8,
  "description" : "Allows connections from CAS Proxy",
  "proxyPolicy" : {
    "@class" : "org.jasig.cas.services.RefuseRegisteredServiceProxyPolicy"
  },
  "evaluationOrder" : 8,
  "usernameAttributeProvider" : {
    "@class" : "org.jasig.cas.services.DefaultRegisteredServiceUsernameProvider"
  },
  "logoutType" : "BACK_CHANNEL",
  "attributeReleasePolicy" : {
    "@class" : "org.jasig.cas.services.ReturnAllowedAttributeReleasePolicy",
    "principalAttributesRepository" : {
      "@class" : "org.jasig.cas.authentication.principal.DefaultPrincipalAttributesRepository"
    },
    "authorizedToReleaseCredentialPassword" : false,
    "authorizedToReleaseProxyGrantingTicket" : false
  },
  "accessStrategy" : {
    "@class" : "org.jasig.cas.services.DefaultRegisteredServiceAccessStrategy",
    "enabled" : true,
    "ssoEnabled" : true
  }
}

 

Thanks,

 


Travis Schmidt

Aug 18, 2016, 2:48:40 PM
to David Abney, cas-...@apereo.org
I think what is happening is that CAS uses the proxy host to create the logout url.  You can put logs in debug mode and then see the actual url that is trying to call to logout.  CAS also needs the cert for the host it will call in its truststore to be able to make the call for logout.  My guess is that either the proxy is not set up to forward the logout end point to the apache server, or CAS cannot establish trust with the proxy.
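
The logout call discussed above is a server-to-server POST: with logoutType BACK_CHANNEL, CAS sends a form field named logoutRequest holding a SAML LogoutRequest whose SessionIndex is the service ticket, and mod_auth_cas with CASSSOEnabled On has to receive it through the proxy before it drops its own session. The Python sketch below is an added example, not code from this thread or from either project; the function names and the sample ticket are made up here. It builds one such body and checks whether a captured body still carries the ticket.

```python
import urllib.parse
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from typing import Optional
from uuid import uuid4

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("samlp", SAMLP)   # keep the usual samlp:/saml: prefixes
ET.register_namespace("saml", SAML)

SAMPLE_TICKET = "ST-1-constructed-example"  # constructed, not a real ticket


def build_logout_body(service_ticket: str) -> str:
    """Form-encoded body in the shape of a CAS back-channel logout POST."""
    req = ET.Element(f"{{{SAMLP}}}LogoutRequest", {
        "ID": f"LR-{uuid4()}",
        "Version": "2.0",
        "IssueInstant": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
    })
    ET.SubElement(req, f"{{{SAML}}}NameID").text = "@NOT_USED@"
    ET.SubElement(req, f"{{{SAMLP}}}SessionIndex").text = service_ticket
    xml = ET.tostring(req, encoding="unicode")
    return urllib.parse.urlencode({"logoutRequest": xml})


def session_index(post_body: str) -> Optional[str]:
    """Service ticket carried by a logout POST, or None if the body was
    rewritten, truncated, or is not a logout request at all."""
    raw = urllib.parse.parse_qs(post_body).get("logoutRequest", [None])[0]
    if raw is None:
        return None
    try:
        root = ET.fromstring(raw)
    except ET.ParseError:
        return None
    if root.tag != f"{{{SAMLP}}}LogoutRequest":
        return None
    node = root.find(f"{{{SAMLP}}}SessionIndex")
    return node.text.strip() if node is not None and node.text else None


if __name__ == "__main__":
    body = build_logout_body(SAMPLE_TICKET)
    print(session_index(body))        # intact body: the ticket comes back
    print(session_index(body[:80]))   # body cut short in transit: None
```

Applied to a body captured at the proxy and again at Apache, a ticket on one side and None (or no POST at all) on the other points at proxy forwarding rather than at trust between CAS and the proxy.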

David Abney

Aug 18, 2016, 2:53:12 PM
to Travis Schmidt, cas-...@apereo.org

Travis,

 

I will look at the debugging logs and see if I can find out more about the logout problem.

 

Thanks,

 


David Abney

Aug 22, 2016, 12:23:21 PM
to Travis Schmidt, cas-...@apereo.org

While looking at the logs for mod_auth_cas, I couldn’t find what was causing the logout problems for me. So, I followed Neil’s approach and created a custom logout file and I put the file on our CAS server. The jsp file removes the mod_auth_cas cookie and redirects the user back to the regular CAS logout url. Setting the PaperCut logout URL to this custom file seems to be doing the trick.

 

This is what the jsp file looks like:

 

<%
    // getCookies() returns null when the request carries no cookies
    Cookie[] cookies = request.getCookies();

    if (cookies != null) {
        for (int i = 0; i < cookies.length; i++) {
            if (cookies[i].getName().equals("MOD_AUTH_CAS_S") || cookies[i].getName().equals("MOD_AUTH_CAS")) {
                // Max-Age 0 tells the browser to delete the cookie
                cookies[i].setMaxAge(0);
                cookies[i].setPath("/");
                response.addCookie(cookies[i]);
            }
        }
    }

    response.sendRedirect("my_cas_server_logout_url");
%>

 
