7.1.x Delegated authentication SLO issue


Wilson Goh

Jan 13, 2025, 11:32:38 AM
to CAS Community
Hi,

I am trying to implement delegated authentication to Microsoft Entra (AAD) with SAML2.
Currently I have successfully implemented login from SP -> CAS -> Entra. However, I am encountering issues with logout.

SP uses SAML to communicate with CAS and CAS uses SAML to communicate with Entra.
When I initiate logout from SP, it will POST /idp/profile/SAML2/POST/SLO with a LogoutRequest to CAS. CAS will then handle the request and send a LogoutRequest to Entra.
However, the issue I'm having is that the end page ends at {cas}/logout?service=. It does not redirect back to the SP's callback.

Is there any way I can redirect back to SP's callback?

config:

cas.authn.saml-idp.core.entity-id=https://{cas}/idp
cas.authn.saml-idp.metadata.file-system.location=file:/etc/cas/saml/saml-idp
cas.authn.pac4j.saml[0].client-name=entra
cas.authn.pac4j.saml[0].service-provider-entity-id=https://{cas}/cas
cas.authn.pac4j.saml[0].destination-binding=urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
cas.authn.pac4j.saml[0].keystore-path={keystore}
cas.authn.pac4j.saml[0].keystore-password=changeit
cas.authn.pac4j.saml[0].private-key-password=changeit
cas.authn.pac4j.saml[0].metadata.identity-provider-metadata-path={entra-metadata}
cas.authn.pac4j.saml[0].metadata.service-provider.file-system.location={cas-sp-metadata}
cas.authn.pac4j.saml[0].wants-responses-signed=true
cas.authn.pac4j.saml[0].use-name-qualifier=false
cas.authn.pac4j.saml[0].sign-service-provider-logout-request=true
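An added example, not from the original post or from CAS itself: decoding the LogoutRequest that the SP POSTs to CAS's /idp/profile/SAML2/POST/SLO endpoint, so the Issuer, NameID, SessionIndex and Destination can be compared against what CAS expects when SLO stalls. The sample request, entity IDs and URLs are constructed placeholders.

```python
import base64
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed sample: the LogoutRequest an SP would POST (base64 in the
# SAMLRequest form field) to CAS's SAML2 SLO endpoint. All values are placeholders.
SAMPLE_LOGOUT_REQUEST = """<samlp:LogoutRequest
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-request-1" Version="2.0" IssueInstant="2025-01-13T02:17:00Z"
    Destination="https://cas.example.org/idp/profile/SAML2/POST/SLO">
  <saml:Issuer>https://sp.example.org/saml</saml:Issuer>
  <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">wilson</saml:NameID>
  <samlp:SessionIndex>_constructed-session-1</samlp:SessionIndex>
</samlp:LogoutRequest>"""
SAMPLE_SAML_REQUEST_B64 = base64.b64encode(SAMPLE_LOGOUT_REQUEST.encode()).decode()

def decode_logout_request(saml_request_b64: str) -> dict:
    """Decode a POST-binding SAMLRequest field and return the fields to
    compare against CAS's SLO endpoint and the SP's registered metadata."""
    root = ET.fromstring(base64.b64decode(saml_request_b64))
    if root.tag != "{%s}LogoutRequest" % NS["samlp"]:
        raise ValueError("not a LogoutRequest: %s" % root.tag)

    def text(path: str):
        el = root.find(path, NS)
        return el.text.strip() if el is not None and el.text else None

    return {
        "id": root.get("ID"),
        "destination": root.get("Destination"),
        "issuer": text("saml:Issuer"),
        "name_id": text("saml:NameID"),
        "session_index": text("samlp:SessionIndex"),
    }

def destination_matches(request: dict, slo_endpoint: str) -> bool:
    """SAML 2.0 Core requires the recipient to discard a message whose
    Destination does not identify the endpoint it was received at."""
    return request["destination"] == slo_endpoint

if __name__ == "__main__":
    req = decode_logout_request(SAMPLE_SAML_REQUEST_B64)
    print(req)
    print("destination ok:", destination_matches(req, "https://cas.example.org/idp/profile/SAML2/POST/SLO"))
```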

Ray Bon

Jan 13, 2025, 10:18:45 PM
to cas-...@apereo.org
Wilson,

Docs mention cas.logout.follow-service-redirects, which is false by default.

Set it to true.


Ray

On Mon, 2025-01-13 at 02:17 -0800, Wilson Goh wrote:

Wilson Goh

Jan 14, 2025, 12:50:21 AM
to CAS Community, Ray Bon
Hi Ray,

I have already set cas.logout.follow-service-redirects=true. To my understanding this property only works if the client is triggering a logout using the CAS protocol (/logout endpoint) with a service= parameter. As my client is using SAML2, it is triggering via the /idp/profile/SAML2/POST/SLO endpoint, which doesn't accept the service= parameter.

Thanks, Wilson
