CAS 7.1.4 - Delegated Authentication - Issue with SLO initiated by the IDP


Camille ALBERT

Mar 10, 2025, 5:57:12 PM
to CAS Community, Jean-noel RIBETTE, Charles-edouard POISNEL
Hi folks,

We use CAS 7.1.4 and are trying to implement delegated authentication to another CAS server (that one is in version 6.6.15.2).

Login is working fine: SP -> CAS 7.1.4 -> CAS 6.6.15.2. The SP uses OIDC to communicate with CAS 7.1.4, and CAS 7.1.4 uses CAS 3.0 to communicate with CAS 6.6.15.2.

Logout is working fine too when it is initiated by the SP: the user is disconnected from CAS 7.1.4 and then redirected to the CAS 6.6.15.2 logout URL.

Our issue is when logout is initiated by the IdP, CAS 6.6.15.2 here. In the CAS 6.6.15.2 logs we can see that a back-channel logout request is sent to CAS 7.1.4:
  • It's a POST request
  • The URL is something like https://<cas_7_1_4_url>/login/<client_name> (the <client_name> value is the CAS 6.6.15.2 client code in CAS 7.1.4)
  • There is a logoutRequest param with a URL-encoded XML logoutRequest as value (with the CAS 3.0 service ticket id as the SessionIndex attribute)
In the CAS 7.1.4 logs we see nothing, but in the CAS 6.6.15.2 logs we can see that CAS 7.1.4 answers the logout request with a 302 redirect response whose location is https://<cas_7_1_4_url>/login?logoutRequest=<xml_encoded_logout_request>&client_name=<client_name>. This redirect is not followed by the HTTP client used by CAS 6.6.15.2.

We initially thought that DelegatedClientAuthenticationAction, DelegatedAuthenticationIdentityProviderLogoutAction and/or DelegatedAuthenticationIdentityProviderFinalizeLogoutAction would have logged something in the CAS 7.1.4 logs, but even in trace mode there is nothing.

We found this PR https://github.com/apereo/cas/pull/5593 which is related to our subject. At the end of the discussion Misagh says that IdP-initiated SLO has been implemented for SAML but not yet for the OIDC or CAS protocols. Is it still the case?

If IdP-initiated SLO is implemented for all protocols, do you have any idea why it does not work in our case? Any idea why the CAS 6.6.15.2 back-channel logout POST request is not understood by CAS 7.1.4, which answers with a 302 redirect?

Many thanks for your help, we really appreciate it.

Camille

Jérôme LELEU

Mar 11, 2025, 5:01:13 AM
to cas-...@apereo.org, Jean-noel RIBETTE, Charles-edouard POISNEL
Hi,

The problem with a back-channel call is that the CAS (SSO session) cookie is not transmitted with the logout request, so this requires tracking the authentication request by an identifier and reusing the same identifier passed during the logout to be able to find the SSO session again and explicitly remove it.

This has been done for SAML via the DelegatedSaml2ClientLogoutAction component and for OIDC via the DelegatedClientOidcLogoutAction component.
But it's not done for the CAS protocol.

As a workaround, you can use a front channel logout call.

Thanks.
Best regards,
Jérôme
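The back-channel exchange Camille describes (a POST carrying a `logoutRequest` parameter whose XML holds the CAS 3.0 service ticket as `SessionIndex`) and the identifier tracking Jérôme describes, as an added Python example that is not CAS project code and not part of the original thread: at delegated login the receiver records the upstream ticket id against the local SSO session it produced; the cookie-less logout request is then parsed, its `SessionIndex` looked up, and the matching session removed. The class and function names, the `ST-`/`TGT-` values and the sample body are constructed for the example.

```python
"""Added example (not CAS project code): a minimal receiver for a
CAS-protocol back-channel logout, modelled on the thread above.

Assumed names: DelegatedSessionIndex, handle_backchannel_logout,
build_logout_request; ticket and session ids are constructed samples."""
from urllib.parse import parse_qs, urlencode
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
MAX_BODY_BYTES = 64 * 1024  # bound what we are willing to parse


class DelegatedSessionIndex:
    """Tracks the identifier issued during delegated login (the upstream
    CAS service ticket) against the local SSO session it created, so a
    cookie-less back-channel request can still locate that session."""

    def __init__(self):
        self._by_ticket = {}

    def remember(self, upstream_ticket, sso_session_id):
        self._by_ticket[upstream_ticket] = sso_session_id

    def pop(self, upstream_ticket):
        # One-shot: a second logout for the same ticket finds nothing.
        return self._by_ticket.pop(upstream_ticket, None)


def build_logout_request(ticket):
    """Constructed sample in the shape the CAS protocol uses for SLO."""
    return (
        f'<samlp:LogoutRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
        'ID="_constructed-id" Version="2.0" IssueInstant="2025-03-10T16:57:12Z">'
        "<saml:NameID>@NOT_USED@</saml:NameID>"
        f"<samlp:SessionIndex>{ticket}</samlp:SessionIndex>"
        "</samlp:LogoutRequest>"
    )


def parse_logout_request(xml_text):
    """Return the SessionIndex from a LogoutRequest, or raise ValueError."""
    if "<!DOCTYPE" in xml_text.upper():
        # No DTDs: entity expansion is never needed for this message type.
        raise ValueError("DOCTYPE not allowed")
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP}}}LogoutRequest":
        raise ValueError("not a LogoutRequest")
    idx = root.find(f"{{{SAMLP}}}SessionIndex")
    if idx is None or not (idx.text or "").strip():
        raise ValueError("missing SessionIndex")
    return idx.text.strip()


def handle_backchannel_logout(form_body, index):
    """Process the POST body; return the removed SSO session id, or None.

    Returning None for anything unexpected matters because the request is
    unsigned: the only proof that it is genuine is that SessionIndex names
    a ticket this server really received at login."""
    if len(form_body.encode("utf-8")) > MAX_BODY_BYTES:
        return None
    values = parse_qs(form_body, keep_blank_values=True).get("logoutRequest", [])
    if len(values) != 1:
        return None
    try:
        ticket = parse_logout_request(values[0])
    except (ET.ParseError, ValueError):
        return None
    return index.pop(ticket)


# Constructed sample: the body CAS 6.6 would POST to /login/<client_name>.
SAMPLE_BODY = urlencode({"logoutRequest": build_logout_request("ST-1-constructed")})

if __name__ == "__main__":
    index = DelegatedSessionIndex()
    index.remember("ST-1-constructed", "TGT-local-constructed")
    print(handle_backchannel_logout(SAMPLE_BODY, index))  # TGT-local-constructed
    print(handle_backchannel_logout(SAMPLE_BODY, index))  # None (already removed)
```

Two points carry over to any real receiver: the lookup is keyed on an identifier that only the upstream IdP and this server ever saw, so an unknown or already-consumed `SessionIndex` is silently ignored rather than acted on, and the XML parser is given a bounded body with DTDs refused, since nothing in this message type needs them.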


Camille ALBERT

Mar 11, 2025, 12:54:43 PM
to cas-...@apereo.org, Jean-noel RIBETTE, Charles-edouard POISNEL
Hi Jérôme,

Thank you very much for your help.

We will give the front-channel logout a try.

If we had a DelegatedCasClientLogoutAction component like we have for SAML and OIDC with the DelegatedSaml2ClientLogoutAction and DelegatedClientOidcLogoutAction components, do you think it would change something about CAS answering the logout request with a 302 redirect?

Thanks again for your time.
--
Best regards,
Camille-Olivier ALBERT
Product & SAAS Architect
Tel.: +33 (0) 2 40 20 47 95 - 8 rue Kervégan 44000 Nantes - France
www.kosmos-education.com
Kosmos
Jérôme LELEU

Mar 12, 2025, 3:37:03 AM
to cas-...@apereo.org, Jean-noel RIBETTE, Charles-edouard POISNEL
Hi,

To know why you get a 302, you should enable DEBUG logs on the org.apereo.cas package to get a better understanding of what's going on inside CAS for that use case.
Thanks.
Best regards,
Jérôme


Camille ALBERT

Mar 12, 2025, 6:07:44 AM
to cas-...@apereo.org, Jean-noel RIBETTE, Charles-edouard POISNEL
Hi Jérôme,

We'll do that.
Thank you again!
--
Best regards,