Hi Ganesh,
Sorry for the late reply.
I have checked the logs as well; it seems like CAS is not connecting with OKTA at the time of logout.
log details:
2018-09-04 17:29:21,173 DEBUG [org.apereo.cas.support.saml.services.SamlIdPSingleLogoutServiceLogoutUrlBuilder] - <Service [AbstractRegisteredService(serviceId=^https://.*, name=HTTPS, theme=null, informationUrl=null, privacyUrl=null, responseType=null, id=10000001, description=This service definition authorizes all application urls that support HTTPS and IMAPS protocols., expirationPolicy=DefaultRegisteredServiceExpirationPolicy(deleteWhenExpired=false, notifyWhenDeleted=false, expirationDate=null), proxyPolicy=org.apereo.cas.services.RefuseRegisteredServiceProxyPolicy@1, evaluationOrder=10000, usernameAttributeProvider=org.apereo.cas.services.DefaultRegisteredServiceUsernameProvider@87297e2, logoutType=BACK_CHANNEL, requiredHandlers=[], attributeReleasePolicy=ReturnAllowedAttributeReleasePolicy(super=AbstractRegisteredServiceAttributeReleasePolicy(attributeFilter=null, principalAttributesRepository=DefaultPrincipalAttributesRepository(), consentPolicy=DefaultRegisteredServiceConsentPolicy(enabled=true, excludedAttributes=null, includeOnlyAttributes=null), authorizedToReleaseCredentialPassword=false, authorizedToReleaseProxyGrantingTicket=false, excludeDefaultAttributes=false, authorizedToReleaseAuthenticationAttributes=true, principalIdAttribute=null), allowedAttributes=[]), multifactorPolicy=DefaultRegisteredServiceMultifactorPolicy(multifactorAuthenticationProviders=[], failureMode=NOT_SET, principalAttributeNameTrigger=null, principalAttributeValueToMatch=null, bypassEnabled=false), logo=null, logoutUrl=https://localhost:8443/cas/logout, accessStrategy=DefaultRegisteredServiceAccessStrategy(order=0, enabled=true, ssoEnabled=true, unauthorizedRedirectUrl=null, delegatedAuthenticationPolicy=DefaultRegisteredServiceDelegatedAuthenticationPolicy(allowedProviders=[SAML2Client]), requireAllAttributes=true, requiredAttributes={}, rejectedAttributes={}, caseInsensitive=false), publicKey=null, properties={}, contacts=[])] is not a SAML service, or its logout url could not be determined>
2018-09-04 17:29:21,401 DEBUG [org.apereo.cas.logout.DefaultSingleLogoutServiceMessageHandler] - <Logout request [DefaultLogoutRequest(ticketId=ST-1-SDZwYUPRAVYcRYqnvtBi0D-XrIQSCS-S12, service=AbstractWebApplicationService(id=https://localhost:8443/vcm/j_spring_cas_security_check, originalUrl=https://localhost:8443/vcm/j_spring_cas_security_check, artifactId=null, principal=us...@company.com, source=service, loggedOutAlready=false, format=XML, attributes={}), status=NOT_ATTEMPTED, logoutUrl=https://localhost:8443/cas/logout)] created for [AbstractWebApplicationService(id=https://localhost:8443/vcm/j_spring_cas_security_check, originalUrl=https://localhost:8443/vcm/j_spring_cas_security_check, artifactId=null, principal=us...@company.com, source=service, loggedOutAlready=false, format=XML, attributes={})] and ticket id [ST-1-SDZwYUPRAVYcRYqnvtBi0D-XrIQSCS-S12]>
2018-09-04 17:29:21,402 DEBUG [org.apereo.cas.logout.DefaultSingleLogoutServiceMessageHandler] - <Creating back-channel logout request based on [DefaultLogoutRequest(ticketId=ST-1-SDZwYUPRAVYcRYqnvtBi0D-XrIQSCS-S12, service=AbstractWebApplicationService(id=https://localhost:8443/vcm/j_spring_cas_security_check, originalUrl=https://localhost:8443/vcm/j_spring_cas_security_check, artifactId=null, principal=us...@company.com, source=service, loggedOutAlready=false, format=XML, attributes={}), status=NOT_ATTEMPTED, logoutUrl=https://localhost:8443/cas/logout)]>
2018-09-04 17:29:21,478 DEBUG [org.apereo.cas.logout.SamlCompliantLogoutMessageCreator] - <Generated logout message: [<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="LR-1-Zkra8FA-8YIF7kVhWkRWyAWy" Version="2.0" IssueInstant="2018-09-04T17:29:21Z"><saml:NameID xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">@NOT_USED@</saml:NameID><samlp:SessionIndex>ST-1-SDZwYUPRAVYcRYqnvtBi0D-XrIQSCS-S12</samlp:SessionIndex></samlp:LogoutRequest>]>
2018-09-04 17:29:21,485 DEBUG [org.apereo.cas.logout.DefaultSingleLogoutServiceMessageHandler] - <Prepared logout message to send is [HttpMessage(url=https://localhost:8443/cas/logout, message=logoutRequest=%3Csamlp%3ALogoutRequest+xmlns%3Asamlp%3D%22urn%3Aoasis%3Anames%3Atc%3ASAML%3A2.0%3Aprotocol%22+ID%3D%22LR-1-Zkra8FA-8YIF7kVhWkRWyAWy%22+Version%3D%222.0%22+IssueInstant%3D%222018-09-04T17%3A29%3A21Z%22%3E%3Csaml%3ANameID+xmlns%3Asaml%3D%22urn%3Aoasis%3Anames%3Atc%3ASAML%3A2.0%3Aassertion%22%3E%40NOT_USED%40%3C%2Fsaml%3ANameID%3E%3Csamlp%3ASessionIndex%3EST-1-SDZwYUPRAVYcRYqnvtBi0D-XrIQSCS-S12%3C%2Fsamlp%3ASessionIndex%3E%3C%2Fsamlp%3ALogoutRequest%3E, responseCode=0, asynchronous=true, contentType=application/x-www-form-urlencoded)]. Sending...>
2018-09-04 17:29:21,558 INFO [org.apereo.cas.logout.DefaultLogoutManager] - <[1] logout requests were processed>
I have gone through the CAS codebase. As per my understanding, CAS is not getting some SAML metadata for a given SP for logout.
I have added a "SamlRegisteredService" service registry entry for the same, but no luck.
service registry:
{
"@class" : "org.apereo.cas.support.saml.services.SamlRegisteredService",
"name" : "SAMLService",
"id" : 10000003,
"evaluationOrder" : 10
}
Also, I have added logoutType and logoutUrl to the HTTPSandIMAPS-10000001.json registry file, as below:
"logoutType": "BACK_CHANNEL",
Is there anything missing?
Thanks,
Sarika D.
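The two things a reader would want to check from this post are (a) which service definition CAS actually selects for the SP at logout, and (b) what the back-channel LogoutRequest that CAS sent contains. The script below is an added example, not part of Sarika's message or of the CAS project. It reconstructs the registry from the values shown in the post (the catch-all HTTPS service with serviceId ^https://.* and the SamlRegisteredService without serviceId or metadataLocation), adds a hypothetical corrected SAML definition whose entity ID and metadata path are placeholders, approximates CAS service matching as "sort by evaluationOrder, first serviceId regex that matches", lints each definition for the fields a SAML SP needs, and decodes the url-encoded logoutRequest form body copied from the 17:29:21,485 log line.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs

SAML_SERVICE_CLASS = "org.apereo.cas.support.saml.services.SamlRegisteredService"

# Constructed registry: the two definitions from the post (values from the log
# and the JSON shown) plus a hypothetical corrected SAML definition. The Okta
# entity ID and metadata path are placeholders, not real values.
SAMPLE_REGISTRY = {
    "HTTPSandIMAPS-10000001.json": {
        "@class": "org.apereo.cas.services.RegexRegisteredService",
        "serviceId": "^https://.*",
        "name": "HTTPS",
        "id": 10000001,
        "evaluationOrder": 10000,
        "logoutType": "BACK_CHANNEL",
        "logoutUrl": "https://localhost:8443/cas/logout",
    },
    "SAMLService-10000003.json": {
        "@class": SAML_SERVICE_CLASS,
        "name": "SAMLService",
        "id": 10000003,
        "evaluationOrder": 10,
    },
    "OktaSP-10000004.json": {  # hypothetical corrected definition
        "@class": SAML_SERVICE_CLASS,
        "serviceId": "http://www.okta.com/PLACEHOLDER-ENTITY-ID",
        "name": "Okta SP (placeholder)",
        "id": 10000004,
        "evaluationOrder": 1,
        "metadataLocation": "/etc/cas/saml/okta-sp-metadata.xml",
    },
}

# Form body CAS logged at 17:29:21,485, copied verbatim from the post.
LOGGED_FORM_BODY = (
    "logoutRequest=%3Csamlp%3ALogoutRequest+xmlns%3Asamlp%3D%22urn%3Aoasis%3Anames%3Atc%3ASAML%3A2.0%3Aprotocol%22"
    "+ID%3D%22LR-1-Zkra8FA-8YIF7kVhWkRWyAWy%22+Version%3D%222.0%22+IssueInstant%3D%222018-09-04T17%3A29%3A21Z%22%3E"
    "%3Csaml%3ANameID+xmlns%3Asaml%3D%22urn%3Aoasis%3Anames%3Atc%3ASAML%3A2.0%3Aassertion%22%3E%40NOT_USED%40%3C%2Fsaml%3ANameID%3E"
    "%3Csamlp%3ASessionIndex%3EST-1-SDZwYUPRAVYcRYqnvtBi0D-XrIQSCS-S12%3C%2Fsamlp%3ASessionIndex%3E%3C%2Fsamlp%3ALogoutRequest%3E"
)


def lint_service(fname, svc):
    """Report fields without which a definition cannot do SAML single logout."""
    problems = []
    if "serviceId" not in svc:
        problems.append(f"{fname}: missing 'serviceId', so this definition never matches any request")
    if svc.get("@class") == SAML_SERVICE_CLASS and "metadataLocation" not in svc:
        problems.append(f"{fname}: SamlRegisteredService without 'metadataLocation', so the SP's "
                        "SingleLogoutService endpoint cannot be resolved from metadata")
    return problems


def lint_registry(registry):
    return [p for fname, svc in registry.items() for p in lint_service(fname, svc)]


def resolve_service(registry, service_id):
    """Approximate CAS matching: ascending evaluationOrder, first serviceId regex that matches."""
    for svc in sorted(registry.values(), key=lambda s: s.get("evaluationOrder", 0)):
        pattern = svc.get("serviceId")
        if pattern and re.search(pattern, service_id):
            return svc
    return None


def diagnose_logout(registry, service_id):
    """Explain where a back-channel logout for this service/entity ID would be sent."""
    svc = resolve_service(registry, service_id)
    if svc is None:
        return "no service definition matches; CAS would not issue a logout request"
    if svc.get("@class") == SAML_SERVICE_CLASS and svc.get("metadataLocation"):
        return f"matched SAML service '{svc['name']}'; logout URL is taken from SP metadata"
    target = svc.get("logoutUrl") or service_id
    return f"matched non-SAML service '{svc['name']}'; back-channel logout goes to {target}"


def decode_logout_request(form_body):
    """Decode the url-encoded logoutRequest parameter and pull out the identifying fields."""
    xml = parse_qs(form_body)["logoutRequest"][0]
    root = ET.fromstring(xml)
    ns = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
          "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
    return {
        "id": root.get("ID"),
        "session_index": root.findtext("samlp:SessionIndex", namespaces=ns),
        "name_id": root.findtext("saml:NameID", namespaces=ns),
    }


if __name__ == "__main__":
    for problem in lint_registry(SAMPLE_REGISTRY):
        print("LINT:", problem)
    print(diagnose_logout(SAMPLE_REGISTRY, "https://localhost:8443/vcm/j_spring_cas_security_check"))
    print(diagnose_logout(SAMPLE_REGISTRY, "http://www.okta.com/PLACEHOLDER-ENTITY-ID"))
    print(decode_logout_request(LOGGED_FORM_BODY))
```

Run against the reconstructed registry, the linter flags the SamlRegisteredService entry twice (no serviceId, no metadataLocation), the application URL from the log resolves to the catch-all HTTPS service whose logoutUrl is CAS's own /cas/logout, and the decoded message carries only the CAS session index with a @NOT_USED@ NameID, which is the CAS-protocol back-channel format rather than a SAML2 LogoutRequest aimed at the SP's SingleLogoutService endpoint.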