SAML SP logout


Arkady Keppert

Jun 27, 2022, 4:42:25 AM
to CAS Community
I set up the CAS 6.5.2 cluster based on:

Everything works nicely outside of the SAML2 SLO services: if I log out of the SAML2 service then the ticket is nicely destroyed and I'm logged out from all applications, but if I log out of my other services I get the information that:
CAS.log
2022-06-27 09:34:21,784 WARN [org.apereo.cas.support.saml.web.idp.profile.slo.SamlIdPSingleLogoutServiceMessageHandler] - <No (successful) logout response received from the url [https://sp.uek.krakow.pl/Shibboleth.sso/SLO/POST]>
2022-06-27 09:34:21,784 WARN [org.apereo.cas.logout.slo.BaseSingleLogoutServiceMessageHandler] - <Logout message is not sent to [AbstractWebApplicationService(id=https://sp.uek.krakow.pl/shibboleth, originalUrl=https://sp.uek.krakow.pl/shibboleth, artifactId=null, principal=kepperta, source=service, loggedOutAlready=false, format=XML, attributes={entityId=[https://sp.uek.krakow.pl/shibboleth]})]; Continuing processing...>

SAML SP log:
2022-06-27 03:34:21 INFO Shibboleth.Logout.SAML2 [11] [default]: processing front channel logout request with no active session
2022-06-27 03:34:21 INFO Shibboleth.SessionCache [11] [default]: request to logout sessions from (https://sso-test.uek.krakow.pl/cas/idp) for (kepperta)
2022-06-27 03:34:21 INFO Shibboleth.Logout.SAML2 [11] [default]: client's session isn't available, skipping front-channel notifications
2022-06-27 03:34:21 ERROR Shibboleth.Logout [11] [default]: no sessions supplied to back channel notification method

When logging in to Shibboleth, a session is created that CAS knows nothing about, and when logging out of another service this session is not transferred to the SAML SP. As I wrote earlier, if you log out directly in Shibboleth then SLO works and I am logged out of other services. I tested it on my SAML SP and via the website https://samltest.id/; both solutions are based on Shibboleth.

Has anyone had similar problems and knows how to solve it?

Ray Bon

Jun 27, 2022, 12:44:32 PM
to cas-...@apereo.org
Arkady,

These cas loggers may provide some additional information

        <!-- DEBUG outbound and inbound headers and response -->
        <AsyncLogger name="org.apache.http.headers" level="warn" />
        <!-- DEBUG outbound and inbound headers and response as it is sent -->
        <AsyncLogger name="org.apache.http.wire" level="warn" />

Ray

On Mon, 2022-06-27 at 00:52 -0700, Arkady Keppert wrote:

Arkady Keppert

Jun 28, 2022, 4:53:09 AM
to CAS Community, Ray Bon
I tried it but it still doesn't tell me anything. I got some additional logs; maybe someone could help me? Correct logout out of Shibboleth is possible when I go to https://sp.uek.krakow.pl/Shibboleth.sso/Logout; then Shibboleth sends information about it to CAS, CAS destroys the ticket and I'm logged out of other services.
shib_correct_logout.txt
shib_failed_logout.txt
cas_log_logout.txt

Ray Bon

Jun 28, 2022, 11:47:29 AM
to vtsu...@gmail.com, cas-...@apereo.org
Arkady,

The communication between the two servers looks correct. CAS is sending the logout request (you can decode the SAMLRequest at https://www.samltool.com/decode.php but most of the message is encrypted).

How are shib sessions being stored?

If with a cookie (which I think is the default), then back channel logout will not work. You can try front channel logout (set in the cas service definition) or change the shib session store to be on the server (db, etc).

The logout from shib works when it is initiated from the service. The service destroys the session, _then_ sends the logout request to CAS; CAS then processes all sessions it knows about (including the shib one, but it is already destroyed).

Ray
-- 
Ray Bon
Programmer Analyst
Development Services, University Systems

I acknowledge and respect the lək̓ʷəŋən peoples on whose traditional territory the university stands, and the Songhees, Esquimalt and WSÁNEĆ peoples whose historical relationships with the land continue to this day.
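Ray's suggestion to decode the SAMLRequest is easy to do offline. The following is an added example, not code from the thread, from CAS or from Shibboleth: it builds a constructed LogoutRequest with placeholder hosts and IDs, encodes it the way the HTTP-POST binding (plain base64) and the HTTP-Redirect binding (raw DEFLATE, then base64) do, decodes either form back, and pulls out the fields that matter when debugging SLO (Issuer, NameID or EncryptedID, SessionIndex). Only the Python standard library is used.

```python
import base64
import zlib
import xml.etree.ElementTree as ET

# SAML 2.0 namespaces (standard values)
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed sample LogoutRequest. Hosts, IDs and the timestamp are placeholders,
# not values taken from the logs in the thread.
SAMPLE_LOGOUT_REQUEST = (
    '<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
    'ID="_placeholder-request-id" Version="2.0" '
    'IssueInstant="2022-06-27T09:34:21Z" '
    'Destination="https://sp.example.org/Shibboleth.sso/SLO/POST">'
    '<saml:Issuer>https://idp.example.org/cas/idp</saml:Issuer>'
    '<saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">'
    '_placeholder-name-id</saml:NameID>'
    '<samlp:SessionIndex>_placeholder-session-index</samlp:SessionIndex>'
    '</samlp:LogoutRequest>'
)


def encode_post_binding(xml_text: str) -> str:
    """HTTP-POST binding: the XML is base64-encoded into the SAMLRequest form field."""
    return base64.b64encode(xml_text.encode("utf-8")).decode("ascii")


def encode_redirect_binding(xml_text: str) -> str:
    """HTTP-Redirect binding: raw DEFLATE (no zlib header), then base64 (before URL-encoding)."""
    compressor = zlib.compressobj(wbits=-15)
    deflated = compressor.compress(xml_text.encode("utf-8")) + compressor.flush()
    return base64.b64encode(deflated).decode("ascii")


def decode_saml_message(encoded: str) -> str:
    """Reverse either binding: base64-decode, then inflate unless the payload is already XML."""
    raw = base64.b64decode(encoded)
    if raw[:1] == b"<":
        return raw.decode("utf-8")                              # POST binding: plain XML
    return zlib.decompress(raw, wbits=-15).decode("utf-8")      # Redirect binding: raw DEFLATE


def summarize_logout_request(xml_text: str) -> dict:
    """Pull the fields that matter for SLO debugging out of a decoded LogoutRequest."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}LogoutRequest" % NS["samlp"]:
        raise ValueError("not a samlp:LogoutRequest: %s" % root.tag)

    def text_of(path):
        node = root.find(path, NS)
        return node.text if node is not None else None

    return {
        "id": root.get("ID"),
        "destination": root.get("Destination"),
        "issuer": text_of("saml:Issuer"),
        "name_id": text_of("saml:NameID"),
        # When the IdP encrypts the NameID, saml:EncryptedID appears instead and the
        # subject cannot be read without the SP's private key (Ray's "mostly encrypted").
        "name_id_encrypted": root.find("saml:EncryptedID", NS) is not None,
        "session_index": text_of("samlp:SessionIndex"),
    }


if __name__ == "__main__":
    for label, encoded in (("POST", encode_post_binding(SAMPLE_LOGOUT_REQUEST)),
                           ("Redirect", encode_redirect_binding(SAMPLE_LOGOUT_REQUEST))):
        print(label, summarize_logout_request(decode_saml_message(encoded)))
```

To use it on a captured request, paste the SAMLRequest value (URL-decoded first for the Redirect binding) into decode_saml_message. A missing SessionIndex, or a Destination that does not match the SP's SLO endpoint, is the first thing to compare against the SP's own logs.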

Ray Bon

Jun 30, 2022, 12:23:44 PM
to vtsu...@gmail.com, cas-...@apereo.org
Arkady,

Is it possible that the shib SP (or the application) is not configured for SLO?


Ray

P.S. Single log out is not what you think it is and it will never do what you want.

On Thu, 2022-06-30 at 02:44 -0700, Arkady Keppert wrote:

Not very familiar with the shibboleth configuration, I used this article:
https://dacurry-tns.github.io/deploying-apereo-cas/building_samlclient_overview.html
But the configuration is basic, so the sessions are probably stored in cookies. But it is similar with https://samltest.id/start-idp-test/ and it does not work there either, and I would like to be sure that users are logged out of all websites to which they logged in. I tried with FRONT_CHANNEL logoutType but in the Shibboleth logs only this appears:

2022-06-30 05:02:16 DEBUG Shibboleth.Listener [3] [default]: dispatching message (default/SLO/POST)
2022-06-30 05:02:16 DEBUG OpenSAML.MessageDecoder.SAML2POST [3] [default]: validating input
2022-06-30 05:02:16 DEBUG Shibboleth.Listener [3] [default]: dispatching message (find::StorageService::SessionCache)
6/30/2022 05:02:42 INFO XMLTooling.StorageService: purged 1 expired record(s) from storage

CAS logs nothing about it.

The user who wants to log out gets the message:
"Logout notification could not be sent"  https://sp.uek.krakow.pl/shibboleth
For security reasons, close the browser.

If I understand correctly:

https://apereo.github.io/cas/6.5.x/installation/Logout-Single-Signout.html#sso-session-vs-application-session

CAS knows nothing about the session. CAS just sends a logout command, and Shibboleth waits for the user's session; if it is not there, it states that there is nothing to do. I understand that if someone wants to use our IdP, they will have to take the session issues on themselves and give us the option of logging out the user without a session cookie?
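Ray's points about cookie-stored sessions versus a server-side session store, and about service-initiated logout, can be made concrete with a small model. The following is an added simulation written for this thread, not CAS or Shibboleth code, and it assumes exactly what Ray describes: an SP whose session lives only in the browser cookie (hypothetical CookieSessionSP), an SP with a server-side store keyed by SessionIndex (hypothetical ServerSessionSP), and an IdP that notifies both either back-channel (server to server, no browser cookies) or front-channel (via the user's browser). The SP names, user name and session indices are constructed.

```python
from dataclasses import dataclass, field

SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"   # standard SAML status code
NO_SESSION = "no active session"                         # mirrors the outcome in the SP log above


@dataclass
class Browser:
    cookies: dict = field(default_factory=dict)  # the user's cookie jar: cookie name -> value


class CookieSessionSP:
    """Hypothetical SP whose entire session state lives in the browser cookie."""

    def __init__(self, name):
        self.name = name

    def login(self, browser, user, session_index):
        browser.cookies[self.name] = (user, session_index)

    def handle_logout_request(self, session_index, cookies):
        # Without the cookie the SP has no record of the session it is asked to end.
        session = cookies.get(self.name)
        if session is None or session[1] != session_index:
            return NO_SESSION
        del cookies[self.name]
        return SUCCESS


class ServerSessionSP:
    """Hypothetical SP that keeps sessions server-side, keyed by SessionIndex."""

    def __init__(self, name):
        self.name = name
        self.sessions = {}  # session_index -> user

    def login(self, browser, user, session_index):
        self.sessions[session_index] = user
        browser.cookies[self.name] = session_index  # the cookie is only a reference

    def handle_logout_request(self, session_index, cookies):
        # The lookup works whether or not the browser's cookie came along.
        if self.sessions.pop(session_index, None) is None:
            return NO_SESSION
        cookies.pop(self.name, None)
        return SUCCESS


class IdP:
    """Minimal IdP: remembers which SP sessions belong to an SSO session and notifies them on logout."""

    def __init__(self):
        self.sso_sessions = {}  # user -> list of (sp, session_index)
        self._counter = 0

    def login(self, browser, user, sp):
        self._counter += 1
        session_index = "_idx%d" % self._counter
        sp.login(browser, user, session_index)
        self.sso_sessions.setdefault(user, []).append((sp, session_index))

    def single_logout(self, user, channel, browser):
        results = {}
        for sp, session_index in self.sso_sessions.pop(user, []):
            if channel == "back":
                cookies = {}               # server-to-server call: no browser cookies travel with it
            else:
                cookies = browser.cookies  # browser is redirected to the SP, so its cookies are sent
            results[sp.name] = sp.handle_logout_request(session_index, cookies)
        return results


def build_environment():
    idp, browser = IdP(), Browser()
    sps = (CookieSessionSP("cookie-sp"), ServerSessionSP("server-sp"))
    for sp in sps:
        idp.login(browser, "alice", sp)   # constructed user logs in to both SPs through the IdP
    return idp, browser, sps


def idp_initiated_logout(channel):
    """Logout triggered elsewhere (e.g. from a third service); the IdP notifies each SP."""
    idp, browser, _ = build_environment()
    return idp.single_logout("alice", channel, browser)


def sp_initiated_logout():
    """Logout started at the cookie-based SP: it destroys its own session, then tells the IdP."""
    idp, browser, (cookie_sp, _) = build_environment()
    browser.cookies.pop(cookie_sp.name)                  # SP ends its own session first ...
    return idp.single_logout("alice", "back", browser)   # ... then the IdP notifies the rest


if __name__ == "__main__":
    print("back-channel :", idp_initiated_logout("back"))
    print("front-channel:", idp_initiated_logout("front"))
    print("SP-initiated :", sp_initiated_logout())
```

In the back-channel run the cookie-only SP reports "no active session" while the server-side SP succeeds, which is the situation in the CAS and SP logs above; in the front-channel run both succeed because the browser carries the cookie; in the SP-initiated run the cookie-only SP again reports no session, but harmlessly, because it already destroyed that session itself before calling the IdP.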
