CAS 7.X SLO delegated authn to another CAS


Nathan Cailbourdin

Oct 31, 2024, 10:44:42 PM
to CAS Community
Hello,

I am trying to set up delegated authentication from one CAS server (Server A) to another CAS server (Server B). I've configured Server A as follows:
cas.authn.pac4j.cas[0].login-url=https://XXX/cas/login
cas.authn.pac4j.cas[0].client-name=YYY

Authentication is working as expected; however, logout from Server B does not propagate to Server A.

The request is correctly sent from Server B, and Server A does receive the request, but nothing happens. See the log below:
DEBUG [org.apereo.cas.web.flow.controller.DefaultDelegatedAuthenticationNavigationController] - <Received response from client [YYY]; Redirecting to [https://XXX/cas/login?logoutRequest=%3Csamlp%3ALogoutRequest%20xmlns%3Asamlp%3D%22urn%3Aoasis%3Anames%3Atc%3ASAML%3A2.0%3Aprotocol%22%20ID%3D%22LR-8-omIAtA5lXQ55udVglHsFI2k2%22%20Version%3D%222.0%22%20IssueInstant%3D%222024-10-24T16%3A24%3A35Z%22%3E%3Csaml%3ANameID%20xmlns%3Asaml%3D%22urn%3Aoasis%3Anames%3Atc%3ASAML%3A2.0%3Aassertion%22%3EFUNIQUEID%3C%2Fsaml%3ANameID%3E%3Csamlp%3ASessionIndex%3EST-8-****************j62G72M-XXX%3C%2Fsamlp%3ASessionIndex%3E%3C%2Fsamlp%3ALogoutRequest%3E&client_name=YYY]>

I also tried manually sending the request, but once again, the CAS session is not destroyed.

Did I miss a configuration step? Is CAS able to act as a client in this scenario, since it needs to receive the SLO (Single Logout) request from Server B and destroy its own session?

Thanks.
Best regards,
Nathan
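
As an added illustration (not code from this thread or from CAS itself): the logoutRequest parameter in the redirect logged above is a URL-encoded SAML 2.0 LogoutRequest, and the receiving CAS has to map its SessionIndex (the service ticket issued by Server B) back to one of its own sessions before it can destroy anything. The Python below decodes such a redirect URL and pulls out the fields that matching depends on; the sample URL is constructed from the logged one, with the masked ticket value replaced by a labelled placeholder.

```python
from urllib.parse import urlparse, parse_qs
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed sample: the redirect URL Server A logged in the thread, with the
# masked service ticket replaced by the placeholder ST-8-PLACEHOLDER-XXX.
SAMPLE_REDIRECT = (
    "https://XXX/cas/login?logoutRequest="
    "%3Csamlp%3ALogoutRequest%20xmlns%3Asamlp%3D%22urn%3Aoasis%3Anames%3Atc"
    "%3ASAML%3A2.0%3Aprotocol%22%20ID%3D%22LR-8-omIAtA5lXQ55udVglHsFI2k2%22"
    "%20Version%3D%222.0%22%20IssueInstant%3D%222024-10-24T16%3A24%3A35Z%22%3E"
    "%3Csaml%3ANameID%20xmlns%3Asaml%3D%22urn%3Aoasis%3Anames%3Atc%3ASAML%3A2.0"
    "%3Aassertion%22%3EFUNIQUEID%3C%2Fsaml%3ANameID%3E"
    "%3Csamlp%3ASessionIndex%3EST-8-PLACEHOLDER-XXX%3C%2Fsamlp%3ASessionIndex%3E"
    "%3C%2Fsamlp%3ALogoutRequest%3E&client_name=YYY"
)


def parse_slo_redirect(url):
    """Return the fields a receiving CAS needs to act on a CAS-protocol SLO
    request: the delegated client name, the LogoutRequest ID and timestamp,
    the NameID, and the SessionIndex (the service ticket whose session
    should be terminated). Raises ValueError on a request it cannot act on."""
    query = parse_qs(urlparse(url).query)  # also percent-decodes the values
    client_name = query.get("client_name", [None])[0]
    raw = query.get("logoutRequest", [None])[0]
    if raw is None:
        raise ValueError("no logoutRequest parameter in URL")
    # ElementTree does not fetch external entities, so an untrusted payload
    # cannot pull in outside content here; it simply fails to parse.
    root = ET.fromstring(raw)
    if root.tag != "{%s}LogoutRequest" % NS["samlp"]:
        raise ValueError("not a samlp:LogoutRequest: %s" % root.tag)
    name_id = root.find("saml:NameID", NS)
    session_index = root.find("samlp:SessionIndex", NS)
    if session_index is None or not (session_index.text or "").strip():
        raise ValueError("LogoutRequest carries no SessionIndex to match")
    return {
        "client_name": client_name,
        "request_id": root.get("ID"),
        "issue_instant": root.get("IssueInstant"),
        "name_id": name_id.text if name_id is not None else None,
        "session_index": session_index.text.strip(),
    }
```

If the SessionIndex printed here is not a ticket Server A recorded for the delegated login, the session lookup on Server A has nothing to match and the logout is a no-op, which is the first thing to compare against the ticket registry when debugging the behaviour in this thread.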

Ray Bon

Oct 31, 2024, 11:25:56 PM
to cas-...@apereo.org
Nathan,

You may be able to accomplish this with front channel logout or setting TGT policies.

Ray

On Thu, 2024-10-31 at 10:58 -0700, Nathan Cailbourdin wrote: