Unable to create SAMLRequest during logout in delegated authentication with Azure AD


yogesh

Aug 10, 2024, 2:15:49 PM
to CAS Community
Hi everyone,

I am using CAS 6.6.15 server in delegated authentication with Microsoft Azure AD via SAML 2.

I have added the cas-server-support-pac4j-webflow and cas-server-support-pac4j-api dependencies to the pom.xml.

Below are the properties I have added in cas.properties file.

cas.authn.pac4j.saml[0].identity-provider-metadata-path=/etc/cas/saml/idp-metadata.xml
cas.authn.pac4j.saml[0].keystore-password=changeit
cas.authn.pac4j.saml[0].keystore-path=/etc/cas/selfsigned.jks
cas.authn.pac4j.saml[0].private-key-password=changeit
cas.authn.pac4j.saml[0].service-provider-entity-id=https://{cas-server-ip}:8443/cas/samlsp
cas.authn.pac4j.saml[0].service-provider-metadata-path=/etc/cas/saml/samlSpMetadata.xml
cas.authn.pac4j.saml[0].use-name-qualifier=false
cas.authn.pac4j.saml[0].client-name=SAML2Client2776
cas.logout.redirect-url=https://login.microsoft.com/{azure-application-id}/saml2

I have imported the Microsoft Entra ID registered application's Base64-encoded certificate into the keystore that I am using and also added the idp-metadata.xml path in the cas.properties file.

I am able to successfully log in to the CAS application via delegated authentication, but during logout I am facing an issue.
When I click the link on the casSuccessView page, it redirects to the Microsoft logout URL mentioned in the property cas.logout.redirect-url but shows the error "SAMLRequest or SAMLResponse must be present as query string parameter in HTTP request for SAML redirect binding."

In the logs I could see one message, something like "No Logout Action is triggered".
I also noticed one thing: in the cookies, two TGC cookies are created, one of which is already in an expired state. Is that causing the issue? If I am not wrong, this two-cookie issue is resolved in CAS version 7.

[Error screenshot: CAS Error.png]

Thank you in advance.
Please help; we have been stuck with this issue for quite a few months.


Ray Bon

Aug 25, 2024, 12:33:30 PM
to cas-...@apereo.org
Use a browser plugin like SAML Tracer to see what is being sent in the log out request.
Also check when and which cookies are being created / sent. If the expired TGC is being used, that will create problems.

Expired cookies should be removed by the browser. 

Does this behaviour happen in all browsers?

Ray

On Sat, 2024-08-10 at 10:13 -0700, yogesh wrote:
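The check Ray describes (look at what actually arrives at the IdP's logout endpoint) can also be done offline on a URL copied from the browser's address bar or network tab. The following is an added Python example written for this thread; it is not CAS, pac4j or Azure code. It encodes and decodes the SAML 2.0 HTTP-Redirect binding (raw DEFLATE, then Base64, then URL-encoding), reports whether a logout URL carries a SAMLRequest or SAMLResponse at all, and summarises the Issuer, NameID and Destination of a decoded LogoutRequest. The endpoint, entity ID, NameID and request ID below are constructed placeholders, not values from the thread. A plain redirect to the IdP's `/saml2` endpoint with no query string produces exactly the "SAMLRequest or SAMLResponse must be present" condition the original post quotes, which the example reports as a problem rather than a SAML logout.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode, urlparse

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed sample: a minimal LogoutRequest as an SP would send to an IdP's
# single-logout endpoint. All identifiers and URLs are placeholders.
SAMPLE_IDP_LOGOUT_ENDPOINT = "https://idp.example.test/saml2"
SAMPLE_LOGOUT_REQUEST = (
    f'<samlp:LogoutRequest xmlns:samlp="{SAMLP_NS}" xmlns:saml="{SAML_NS}" '
    'ID="_constructed-id-0001" Version="2.0" IssueInstant="2024-08-10T12:00:00Z" '
    f'Destination="{SAMPLE_IDP_LOGOUT_ENDPOINT}">'
    "<saml:Issuer>https://cas.example.test:8443/cas/samlsp</saml:Issuer>"
    "<saml:NameID>user@example.test</saml:NameID>"
    "</samlp:LogoutRequest>"
)


def encode_redirect_binding(xml_text: str) -> str:
    """Raw DEFLATE (no zlib header, wbits=-15) followed by Base64, per the HTTP-Redirect binding."""
    compressor = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = compressor.compress(xml_text.encode("utf-8")) + compressor.flush()
    return base64.b64encode(deflated).decode("ascii")


def decode_redirect_binding(value: str) -> str:
    """Inverse of encode_redirect_binding: Base64-decode, then raw-inflate."""
    return zlib.decompress(base64.b64decode(value), -15).decode("utf-8")


def build_logout_url(endpoint: str, logout_request_xml: str) -> str:
    """Build the redirect URL an SP would send the browser to (unsigned, for inspection only)."""
    query = urlencode({"SAMLRequest": encode_redirect_binding(logout_request_xml)})
    return f"{endpoint}?{query}"


def inspect_logout_url(url: str) -> dict:
    """Report what the IdP will see: a SAMLRequest, a SAMLResponse, or a bare redirect."""
    query = parse_qs(urlparse(url).query)
    result = {"has_saml_request": False, "has_saml_response": False, "xml": None, "problem": None}
    if "SAMLRequest" in query:
        result["has_saml_request"] = True
        result["xml"] = decode_redirect_binding(query["SAMLRequest"][0])
    elif "SAMLResponse" in query:
        result["has_saml_response"] = True
        result["xml"] = decode_redirect_binding(query["SAMLResponse"][0])
    else:
        # This is the situation behind the error in the original post: the browser was
        # sent to the IdP's SAML endpoint with no SAML message at all.
        result["problem"] = "no SAMLRequest or SAMLResponse in query string: plain redirect, not a SAML redirect binding"
    return result


def summarize_logout_request(xml_text: str) -> dict:
    """Pull out the fields worth comparing against the SP/IdP metadata."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP_NS}}}LogoutRequest":
        raise ValueError(f"not a samlp:LogoutRequest: {root.tag}")
    issuer = root.find(f"{{{SAML_NS}}}Issuer")
    name_id = root.find(f"{{{SAML_NS}}}NameID")
    return {
        "id": root.get("ID"),
        "destination": root.get("Destination"),
        "issuer": issuer.text if issuer is not None else None,
        "name_id": name_id.text if name_id is not None else None,
    }


if __name__ == "__main__":
    # A bare redirect (what cas.logout.redirect-url alone produces) versus a real SAML logout.
    for candidate in (SAMPLE_IDP_LOGOUT_ENDPOINT,
                      build_logout_url(SAMPLE_IDP_LOGOUT_ENDPOINT, SAMPLE_LOGOUT_REQUEST)):
        info = inspect_logout_url(candidate)
        print(candidate[:60], "->", info["problem"] or summarize_logout_request(info["xml"]))
```

When comparing a captured URL, the Destination should match the IdP single-logout endpoint from idp-metadata.xml and the Issuer should equal the configured service-provider-entity-id; a mismatch in either is as common a cause of a rejected LogoutRequest as the message being missing entirely. Real SP-initiated logouts are normally signed (Signature and SigAlg query parameters); this example deliberately omits signing because it only decodes for inspection.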