SLO not working.

[Neha Gupta]

Hello CAS Team,

I have integrated Wordpress site with CAS and i am using WPCassify plugin for the same.

Now i have another ASP application and integrated it with CAS through DotNetCasClient.

Now my Single SignOn is working fine with both the applications i.e if i login in my wordpress website and go to ASP application then i got automatically logged into my ASP application but when i logged out from any of the application then i am not logged out from the other application.

Attached are the traces of CAS and it seems that CAS is creating some logout request and finally unable to remove the tickets. I don't have any idea how to proceed further.

Request you to please help me out

Thanks in advance.

Regards

Neha Gupta

[Ray Bon]

Neha,

The log says '[2] logout requests were processed'. Perhaps it is your clients that are not processing the CAS logout correctly. You can go to /cas/logout in a new tab, CAS log should look the same but are you logged out of your apps?

As for the tickets being removed, it could be your ticket store is returning confusing response or that the ST was removed already (when it was validated).

Ray

-- 
Ray Bon
Programmer analyst
Development Services, University Systems
2507218831 | CLE 019 | rb...@uvic.ca

[Neha Gupta]

Hello Ray,

Firing /cas/logout does not log out the applications and the traces looks same.

Below is the Logout function present in the ASP application: -

 public void CasLogOff()

        {

            FormsAuthentication.SignOut();

            DotNetCasClient.CasAuthentication.SingleSignOut();

        }

and below is the service registry in CAS: -

{

  "@class" : "org.apereo.cas.services.RegexRegisteredService",

  "serviceId" : "https://idiv-dev1:3556/.*",

  "name" : "BEXIS",

  "id" : 10000002,

  "description" : "This authorizes the BEXIS service.",

   "logoutUrl" : "https://idiv-dev1:3556/Account/CasLogOff",

  "logoutType" : "BACK_CHANNEL",

  "evaluationOrder" : 10001

}

when i call URL"https://idiv-dev1:3556/Account/CasLogOff" in new tab then i am logged out from CAS as well ASP application as defined in the function but why cas is not able to make single logout.

I am not able to get what is wrong in the configuration.

Regards

Neha Gupta

[Ray Bon]

Neha,

Try to get some debug information from the clients.

Does the request reach from CAS server to client (curl https://idiv-dev1:3556/Account/CasLogOff)?

Put debug statements in CasLogOff method.

Check your certificates. Your clients trust CAS (login works) but for logout, CAS needs to trust your clients.

Ray

[N&S Technical Channel NS]

Hello Ray,

Thanks for the update.

I tried adding below configuration in the "cas.properties" file: -

cas.httpClient.connectionTimeout=5000

cas.httpClient.asyncTimeout=5000

cas.httpClient.readTimeout=5000

cas.httpClient.truststore.psw=changeit

cas.httpClient.truststore.file="C:\Users\Administrator.IDIV-DEV1\.keystore"

where this keystore contains the certificates of ASP app but still not success. I tried putting logs in the "CasLogOff" function present in the ASP app but  it is not getting hit when /cas/logout is called from a new tab.

Also in CAS traces i have seen below error. May be this can be the reason.

2018-07-26 11:52:36,908 DEBUG [org.apereo.cas.support.pac4j.web.flow.SAML2ClientLogoutAction] - <The current client is not a SAML2 client or it cannot be found at all, no logout action will be executed.>

Thanks in advance.

Regards

Neha Gupta

--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/1532709695.2941.69.camel%40uvic.ca.

[Neha Gupta]

Hello Ray,

Thanks for the update.

I tried adding below configuration in the "cas.properties" file: -

cas.httpClient.connectionTimeout=5000

cas.httpClient.asyncTimeout=5000

cas.httpClient.readTimeout=5000

cas.httpClient.truststore.psw=changeit

cas.httpClient.truststore.file="C:\Users\Administrator.IDIV-DEV1\.keystore"

where this keystore contains the certificates of ASP app but still not success. I tried putting logs in the "CasLogOff" function present in the ASP app but  it is not getting hit when /cas/logout is called from a new tab.

Also in CAS traces i have seen below error. May be this can be the reason.

2018-07-26 11:52:36,908 DEBUG [org.apereo.cas.support.pac4j.web.flow.SAML2ClientLogoutAction] - <The current client is not a SAML2 client or it cannot be found at all, no logout action will be executed.>

Thanks in advance

Regards

Neha Gupta

[Ray Bon]

Neha,

The debug message looks like CAS is not sending the logout (are the clients pac4j?).

You have to install the certificate in java keystore. Look into keytool, which comes with java, to install certificates.

Ray

[Neha Gupta]

Hello Ray,

Issue is solved with the ASP application. Now when /cas/logout is called from a new tab, ASP application is also getting logged out. The reason is certificate as stated by you and some configuration in web.config of ASP application. After activating debug traces for "org.apache.http" in "log4j2.xml" came to know about the reason and finally solved.

Also problem is still there with the Wordpress site. SLO is not working for it. The reason for the same is that in return of HTTP POST request for logout is getting response as 302 with other URL in the header field "Location" and CAS is not sending again HTTP POST request. Is there any configuration where we can instruct CAS to send HTTP POST request again in case 302 is received. I am using WP Cassify plugin for integrating Wordpress site with CAS.

Thanks a lot for all your support.

Regards

Neha Gupta

[Ray Bon]

Neha,

By default CAS will send the logout to the URL that was used for login. If Wordpress has a different URL, you can set that in the service definition, https://apereo.github.io/cas/5.3.x/installation/Logout-Single-Signout.html#slo-requests

Ray

[Neha Gupta]

Hello Ray,

Thanks for the update.

I have already configured "LogoutUrl" in the service registry but the problem is that in response i am receiving 302 error with the other URL in the "Location" header.

When i fire the same logout URL from a new tab then i got logged out from the wordpress site but when it  is done through CAS it is not and reason for the same is that CAS just fires HTTP POST request once and not again and again when 302 error is received.

So just want to know whether is there any configuration available in CAS by which we can redirect CAS to fire HTTP POST this number of times? or how this can be done.

Thanks and Wish you a nice weekend ahead.

Regards

Neha Gupta

[Ray Bon]

Neha,

Is it possible that LogoutUrl is protected by CAS? (That is, can you access LogoutUrl without being logged in?)

Our word press expert is away until at least Tuesday so I will ask how logout is set up then.

Ray

[Neha Gupta]

Hello Ray,

Thanks a lot for reply.

Yes i am able to access the logoutUrl without being logged-in.

May be we wait for the wordpress expert and his advice as to what can be done.

Wish you a nice day ahead.

Regards

Neha Gupta

[Ray Bon]

Neha,

Our wordpress uses disk based sessions, a file like 'sess_ST-...'. Logout is performed by deleting these files. I do not see where this file is created in the code. I suspect that it might be part of phpCAS but I have not worked with its session options much.

Maybe there are phpCAS config options for managing the session.

In our Moodle install, I created a map between the Moodle created session id and the ST and stored that in a redis cache. When the logout request comes in, I look for the ST in the cache and kill the associated session.

Ray