Re: [cas-user] Not a logout request


Ray Bon

Apr 8, 2019, 12:21:03 PM
to cas-...@apereo.org
Baso,

Add some of your own debug statements to CASphp where it processes the log out request.

Ray

On Sat, 2019-04-06 at 10:17 -0700, Baso Dupond wrote:
Hi,

The Single Log Out is not working on my basic implementation.

I obtain a "Not a logout request" in the CAS client log:


0A53 .START (2019-04-06 16:15:42) phpCAS-1.3.6 ****************** [CAS.php:468]
0A53 .=> phpCAS::client('3.0', 'cas.xxxxxxxxxx.fr', 443, '/cas') [AppService.php:275]
0A53 .|    => CAS_Client::__construct('3.0', false, 'cas.xxxxxxxxxxxxx.fr', 443, '/cas', true) [CAS.php:359]
0A53 .|    |    Session is not authenticated [Client.php:938]
0A53 .|    <= ''
0A53 .<= ''
0A53 .=> CAS_Client::handleLogoutRequests(true, array (  0 => '51.68.xx.xx',)) [CAS.php:1276]
0A53 .|    Not a logout request [Client.php:1739]
0A53 .<= ''


The CAS log shows that the logout request is sent:

2019-04-06 18:15:10,832 DEBUG [org.apereo.cas.logout.slo.DefaultSingleLogoutServiceLogoutUrlBuilder] - <Logout request will be sent to [http://extranet.xxxxxxxxxxxxxx.fr/cloud/index.php/apps/user_cas/login] for service [AbstractWebApplicationService(id=https://extranet.xxxxxxxxxxxxxx.fr/cloud/index.php/apps/user_cas/login, originalUrl=https://extranet.x.fr/cloud/index.pxxxxxxxxxxxxxxhp/apps/user_cas/login, artifactId=null, principal=basil...@xxxxx.fr, source=service, loggedOutAlready=false, format=XML, attributes={})]>
2019-04-06 18:15:10,833 DEBUG [org.apereo.cas.logout.slo.BaseSingleLogoutServiceMessageHandler] - <Prepared logout url [[org.apereo.cas.logout.slo.SingleLogoutUrl@ae1f72ee]] for service [AbstractWebApplicationService(id=https://extranet.xxxxxxxxxxxxxx.fr/cloud/index.php/apps/user_cas/login, originalUrl=https://extranet.xxxxxxxxxxxxxxxxx.fr/cloud/index.php/apps/user_cas/login, artifactId=null, principal=basil...@xxxxxxxxxxxxxx.fr, source=service, loggedOutAlready=false, format=XML, attributes={})]>
2019-04-06 18:15:10,835 DEBUG [org.apereo.cas.logout.slo.BaseSingleLogoutServiceMessageHandler] - <Prepared logout message to send is [HttpMessage(url=http://extranet.xxxxxxxxxxxxx.fr/cloud/index.php/apps/user_cas/login, message=logoutRequest=%3Csamlp%3ALogoutRequest+xmlns%3Asamlp%3D%22urn%3Aoasis%3Anames%3Atc%3ASAML%3A2.0%3Aprotocol%22+ID%3D%22LR-2-hTkl0dF8f4XPX9-8aeQoJIZY%22+Version%3D%222.0%22+IssueInstant%3D%222019-04-06T18%3A15%3A10Z%22%3E%3Csaml%3ANameID+xmlns%3Asaml%3D%22urn%3Aoasis%3Anames%3Atc%3ASAML%3A2.0%3Aassertion%22%3Ebasile.test%xxxxxxxxxx.fr%3C%2Fsaml%3ANameID%3E%3Csamlp%3ASessionIndex%3EST-2-zcTYW858ldyFLPeC9MZ2gL-fGoMvps641230%3C%2Fsamlp%3ASessionIndex%3E%3C%2Fsamlp%3ALogoutRequest%3E, asynchronous=true, responseCode=0, contentType=application/x-www-form-urlencoded)]. Sending...>
2019-04-06 18:15:10,835 DEBUG [org.apereo.cas.util.http.SimpleHttpClient] - <Created HTTP post message payload [POST http://extranet.xxxxxxxxxx.fr/cloud/index.php/apps/user_cas/login HTTP/1.1]>
2019-04-06 18:15:10,850 INFO [org.apereo.cas.logout.DefaultLogoutManager] - <[2] logout requests were processed>



TCPDump on the CAS client shows that the CAS client receives the logout request:

51.68.xx.xx.38168 > 37.187.xx.xx.http: Flags [P.], cksum 0x8209 (correct), seq 0:754, ack 1, win 229, options [nop,nop,TS val 2263944706 ecr 768689247], length 754: HTTP, length: 754
        POST /cloud/index.php/apps/user_cas/login HTTP/1.1
        Content-Type: application/x-www-form-urlencoded
        Content-Length: 484
        Host: extranet.xxxxxxxxxxx.fr
        Connection: Keep-Alive
        User-Agent: Apache-HttpClient/4.5.6 (Java/11.0.2)
        Accept-Encoding: gzip,deflate
        logoutRequest=%3Csamlp%3ALogoutRequest+xmlns%3Asamlp%3D%22urn%3Aoasis%3Anames%3Atc%3ASAML%3A2.0%3Aprotocol%22+ID%3D%22LR-2-hTkl0dF8f4XPX9-8aeQoJIZY%22+Version%3D%222.0%22+IssueInstant%3D%222019-04-06T18%3A15%3A10Z%22%3E%3Csaml%3ANameID+xmlns%3Asaml%3D%22urn%3Aoasis%3Anames%3Atc%3ASAML%3A2.0%3Aassertion%22%3Ebasile.test%40xxxxxxxx.fr%3C%2Fsaml%3ANameID%3E%3Csamlp%3ASessionIndex%3EST-2-zcTYW858ldyFLPeC9MZ2gL-fGoMvps641230%3C%2Fsamlp%3ASessionIndex%3E%3C%2Fsamlp%3ALogoutRequest%3E[!http]
18:15:14.642363 IP (tos 0x0, ttl 56, id 61227, offset 0, flags [DF], proto TCP (6), length 52)
    51.68.70.46.38168 > 37.187.19.72.http: Flags [.], cksum 0x5c2a (correct), seq 754, ack 656, win 239, options [nop,nop,TS val 2263944707 ecr 768689248], length 0


Is there something wrong in the logoutRequest format?

Thanks,
Rgds
Baso





Baso Dupond

Apr 17, 2019, 10:52:50 AM
to CAS Community
Hi,

After investigations, it seems that it's an issue on the CAS Client side (owncloud CAS client).

The CAS Client response to the SLO BACK_CHANNEL request is 405 Method not allowed:

[09/Apr/2019:00:05:57 +0200] "POST /cloud/index.php/apps/user_cas/login HTTP/1.1" 405 - "-" "Apache-HttpClient/4.5.6 (Java/11.0.2)"

 
There is indeed no POST route in the Owncloud CAS client:

$application->registerRoutes($this, array(
    'routes' => [
        array('name' => 'settings#saveSettings', 'url' => '/settings/save', 'verb' => 'POST'),
        array('name' => 'authentication#casLogin', 'url' => '/login', 'verb' => 'GET')
    ]
));

In order to have SLO with Owncloud CAS client, I believe some tuning has to be made on the CAS client.

Thanks for your help
Baso
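
An added diagnostic example (not from the posts above, and not phpCAS or ownCloud code) covering the two checks this thread turns on: whether a back-channel POST body decodes to a well-formed `samlp:LogoutRequest` with a `SessionIndex`, and whether the client's access log shows those POSTs being rejected. Function names and the sample ticket values are constructed; the log format is assumed to match the access-log line quoted above.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, quote_plus

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SERVICE_PATH = "/cloud/index.php/apps/user_cas/login"  # service path from the thread

def parse_slo_body(body):
    """Return the SessionIndex (service ticket) from a form-encoded SLO POST body."""
    xml = parse_qs(body).get("logoutRequest", [""])[0]
    # The body is unauthenticated network input: refuse DTDs/entities before parsing.
    if not xml or "<!DOCTYPE" in xml or "<!ENTITY" in xml:
        raise ValueError("missing logoutRequest parameter or DTD present")
    root = ET.fromstring(xml)
    if root.tag != "{%s}LogoutRequest" % SAMLP:
        raise ValueError("root element is not samlp:LogoutRequest")
    ticket = (root.findtext("{%s}SessionIndex" % SAMLP) or "").strip()
    if not ticket:
        raise ValueError("samlp:SessionIndex is missing or empty")
    return ticket

# Request line and status code as they appear in the access-log line in the thread.
LOG_RE = re.compile(r'"(?P<verb>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3}) ')

def rejected_slo_posts(lines, path=SERVICE_PATH):
    """Return (path, status) for POSTs to the service URL that did not get a 2xx."""
    hits = []
    for line in lines:
        m = LOG_RE.search(line)
        if m and m["verb"] == "POST" and m["path"] == path and m["status"][0] != "2":
            hits.append((m["path"], int(m["status"])))
    return hits

# Constructed sample request (placeholder ID, user and ticket), same shape as the capture.
SAMPLE_XML = (
    '<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'ID="LR-1-constructed" Version="2.0" IssueInstant="2019-04-06T18:15:10Z">'
    '<saml:NameID xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
    'user@example.org</saml:NameID>'
    '<samlp:SessionIndex>ST-1-constructed</samlp:SessionIndex></samlp:LogoutRequest>'
)
SAMPLE_BODY = "logoutRequest=" + quote_plus(SAMPLE_XML)
# First line is the access-log entry quoted in the thread; the second is constructed.
SAMPLE_LOG = [
    '[09/Apr/2019:00:05:57 +0200] "POST %s HTTP/1.1" 405 - "-" "Apache-HttpClient/4.5.6 (Java/11.0.2)"' % SERVICE_PATH,
    '[09/Apr/2019:00:06:01 +0200] "GET %s HTTP/1.1" 302 - "-" "Mozilla/5.0"' % SERVICE_PATH,
]

if __name__ == "__main__":
    print(parse_slo_body(SAMPLE_BODY), rejected_slo_posts(SAMPLE_LOG))
```

A non-empty result from `rejected_slo_posts` means CAS reports the logout as processed while the application session it was meant to end stays alive.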