CAS-5.1.0: Problem with SAML delegation Single Logout with Okta


Soumya Tripathy

Jul 27, 2017, 9:17:03 AM
to CAS Community
Hi all,
I have implemented SAML delegated authentication with pac4j on CAS 5.1.0.

My scenario is: 
  1. Logout from Okta IdP should logout CAS 
  2. Logout from any CAS protected application should logout Okta.

Following is my CAS configuration:

CAS SAML Properties:

cas.authn.pac4j.saml[0].keystorePassword=changeit
cas.authn.pac4j.saml[0].privateKeyPassword=changeit
cas.authn.pac4j.saml[0].serviceProviderEntityId=urn:mace:saml:pac4j.org
cas.authn.pac4j.saml[0].serviceProviderMetadataPath=/home/user1/cas-test/tomcat_cas/cas-config/sp-metadata.xml
cas.authn.pac4j.saml[0].keystorePath=/home/user1/cas-test/tomcat_cas/cas-config/samlKeystore.jks
cas.authn.pac4j.saml[0].identityProviderMetadataPath=https://dev-777290.oktapreview.com/app/exkb41ouu7HJn5aHh0h7/sso/saml/metadata
cas.authn.pac4j.autoRedirect=false


CAS Service Registry Config:

{
  "@class": "org.apereo.cas.services.RegexRegisteredService",
  "serviceId": "^(http|https|imaps)://.*",
  "name": "HTTPS and IMAPS",
  "id": 10000001,
  "description": "This service definition authorizes all application urls that support HTTPS and IMAPS protocols.",
  "proxyPolicy": {
    "@class": "org.apereo.cas.services.RefuseRegisteredServiceProxyPolicy"
  },
  "evaluationOrder": 10000,
  "usernameAttributeProvider": {
    "@class": "org.apereo.cas.services.DefaultRegisteredServiceUsernameProvider",
    "canonicalizationMode": "NONE",
    "encryptUsername": false
  },
  "logoutType": "BACK_CHANNEL",
  "attributeReleasePolicy": {
    "@class": "org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy",
    "principalAttributesRepository": {
      "@class": "org.apereo.cas.authentication.principal.DefaultPrincipalAttributesRepository",
      "expiration": 2,
      "timeUnit": "HOURS"
    },
    "authorizedToReleaseCredentialPassword": false,
    "authorizedToReleaseProxyGrantingTicket": false,
    "excludeDefaultAttributes": false
  },
  "multifactorPolicy": {
    "@class": "org.apereo.cas.services.DefaultRegisteredServiceMultifactorPolicy",
    "failureMode": "CLOSED",
    "bypassEnabled": false
  },
  "accessStrategy": {
    "@class": "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy",
    "enabled": true,
    "ssoEnabled": true,
    "requireAllAttributes": true,
    "caseInsensitive": false
  }
}



Below is my Okta configuration:

The problem is that when I log out from Okta, CAS does not receive any back-channel logout message from Okta. Also, when I log out from CAS, Okta is not logged out.

Any help will be appreciated. 
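
Added example (not part of the original post and not CAS or pac4j code): before digging into logs, it is worth confirming that the two metadata documents the properties above point at (the pac4j-generated file at serviceProviderMetadataPath and the Okta document at identityProviderMetadataPath) actually advertise single logout at all. A SAML LogoutRequest can only be delivered to a SingleLogoutService endpoint that the receiving side publishes, both sides need a common binding, and Okta only enables single logout for an app once it has a signature certificate for the SP, so the SP metadata has to carry a signing KeyDescriptor. Note also that the logoutType of BACK_CHANNEL in the service definition above controls how CAS notifies its own registered services when a CAS session ends; it does not by itself exchange logout messages with the delegated IdP. The script below parses constructed sample metadata (placeholder entity IDs, URLs and certificate, none taken from a real deployment) and lists what is missing; with real files, read them and pass the text to slo_findings().

```python
"""Added example, not code from the post, CAS or pac4j: check whether an SP's
and an IdP's SAML 2.0 metadata both advertise what single logout needs.
All metadata below is constructed in memory for illustration."""
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"


def build_metadata(role, entity_id, main_url, slo_url=None,
                   slo_bindings=(REDIRECT, POST), signing_cert=True):
    """Construct a minimal metadata document for 'SPSSODescriptor' or
    'IDPSSODescriptor'. Test data only: the certificate is a placeholder,
    not a real X.509 blob, and the URLs are made up."""
    key = ('<md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>'
           '<ds:X509Certificate>MIIC-placeholder</ds:X509Certificate>'
           '</ds:X509Data></ds:KeyInfo></md:KeyDescriptor>') if signing_cert else ""
    slo = "".join(f'<md:SingleLogoutService Binding="{b}" Location="{slo_url}"/>'
                  for b in slo_bindings) if slo_url else ""
    if role == "SPSSODescriptor":
        main = (f'<md:AssertionConsumerService index="0" Binding="{POST}" '
                f'Location="{main_url}"/>')
    else:
        main = f'<md:SingleSignOnService Binding="{POST}" Location="{main_url}"/>'
    return (f'<md:EntityDescriptor xmlns:md="{NS["md"]}" xmlns:ds="{NS["ds"]}" '
            f'entityID="{entity_id}"><md:{role} '
            'protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
            f'{key}{slo}{main}</md:{role}></md:EntityDescriptor>')


def slo_endpoints(metadata_xml, role):
    """Map binding URI -> Location for every SingleLogoutService of the role."""
    desc = ET.fromstring(metadata_xml).find(f"md:{role}", NS)
    if desc is None:
        return {}
    return {e.get("Binding"): e.get("Location")
            for e in desc.findall("md:SingleLogoutService", NS)}


def publishes_signing_cert(metadata_xml, role):
    """True if the role descriptor carries a certificate usable for signing
    (use="signing", or no use attribute, which per the spec means both)."""
    desc = ET.fromstring(metadata_xml).find(f"md:{role}", NS)
    if desc is None:
        return False
    return any(kd.get("use") in (None, "signing")
               and kd.find(".//ds:X509Certificate", NS) is not None
               for kd in desc.findall("md:KeyDescriptor", NS))


def slo_findings(sp_xml, idp_xml):
    """Return the reasons single logout cannot work between the two parties;
    an empty list means the metadata is at least SLO-capable."""
    findings = []
    sp = slo_endpoints(sp_xml, "SPSSODescriptor")
    idp = slo_endpoints(idp_xml, "IDPSSODescriptor")
    if not idp:
        findings.append("IdP metadata has no SingleLogoutService: the IdP will "
                        "neither send nor accept LogoutRequests")
    if not sp:
        findings.append("SP metadata has no SingleLogoutService: an IdP-initiated "
                        "logout has no endpoint to be delivered to")
    if sp and idp and not set(sp) & set(idp):
        findings.append(f"no common SLO binding: SP offers {sorted(sp)}, "
                        f"IdP offers {sorted(idp)}")
    if not publishes_signing_cert(sp_xml, "SPSSODescriptor"):
        findings.append("SP metadata publishes no signing certificate, so the IdP "
                        "cannot verify signed LogoutRequests from the SP")
    return findings


if __name__ == "__main__":
    # Constructed IdP with SLO, constructed SP without it: one finding expected.
    idp = build_metadata("IDPSSODescriptor", "http://www.okta.com/exk-constructed",
                         "https://idp.example.com/sso", "https://idp.example.com/slo")
    sp = build_metadata("SPSSODescriptor", "urn:mace:saml:pac4j.org",
                        "https://cas.example.org/cas/login?client_name=SAML2Client")
    for finding in slo_findings(sp, idp):
        print("-", finding)
```

If the IdP side comes back empty for an Okta app, single logout has not been enabled in the app's SAML settings; if the SP side is empty, the generated SP metadata has to be regenerated with an SLO endpoint before Okta can deliver anything to it.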

snaffy

Dec 20, 2017, 8:18:06 AM
to CAS Community
I apologize for refreshing the post, but I have exactly the same problem and cannot find a solution, or at least something that would point me in the right direction. It has been a while since your post, so you may have already found the solution?

sarika deshmukh

Jul 27, 2018, 5:53:40 AM
to CAS Community
We are working on integrating CAS with Okta, but we are facing issues during the integration.
We have referred link: https://apereo.github.io/2017/03/22/cas51-delauthn-tutorial/  for integration. 

We followed the steps below:

1. Deployed the CAS overlay template
2. Configured an Okta account for SAML
3. Configured the CAS properties for Okta integration

But we are still unable to connect the CAS application with Okta, and we see the following issue in the CAS logs:
 '<No delegated authentication providers could be determined based on the provided configuration. Either no clients are configured, or the current access strategy rules prohibit CAS from using authentication providers for this request.>'
 
Your help is appreciated in advance.

Thanks,
Sarika D.

Soumya Tripathy

Jul 29, 2018, 11:46:41 AM
to CAS Community, art....@gmail.com
No luck yet.

Soumya Tripathy

Jul 29, 2018, 11:47:50 AM
to CAS Community
Can you post your SAML configuration from the cas.properties file?

sarika deshmukh

Jul 30, 2018, 2:58:27 AM
to CAS Community
Following are my CAS Configuration properties: 


cas.adminPagesSecurity.ip=127\.0\.0\.1

logging.config: file:/etc/cas/config/log4j2.xml

authn.pac4j.cas.loginUrl: https://localhost:8443/cas/login
authn.pac4j.saml[0].keystorePassword :changeit
authn.pac4j.saml[0].privateKeyPassword :changeit
authn.pac4j.saml[0].keystorePath : file:/etc/cas/thekeystore
authn.pac4j.saml[0].identityProviderMetadataPath: file :/etc/cas/config/idp-metadata.xml
authn.pac4j.saml[0].serviceProviderEntityId=https://localhost:8443/cas/login?client_name=SAML2Client
authn.pac4j.saml[0].serviceProviderMetadataPath: file :/etc/cas/config/sp_metadata.xml

cas.authn.accept.users:

#cas service registry
cas.serviceRegistry.watcherEnabled:true
cas.serviceRegistry.initFromJson: false
cas.serviceRegistry.json.location: file:/etc/cas/services

Soumya Tripathy

Jul 31, 2018, 2:36:10 AM
to CAS Community
Make sure the authn.pac4j.saml[0].serviceProviderEntityId value is the same as the Audience URI (SP Entity ID) configured in the Okta SAML application.

If you make any change in the Okta SAML application, make sure to download the idp-metadata.xml again and remove the existing sp_metadata.xml and thekeystore from the server.

If you are still facing any issue, enable debug logging in CAS and pac4j and share the log file.

sarika deshmukh

Jul 31, 2018, 2:41:33 AM
to CAS Community
CAS with Okta integration is done successfully without any issue. Thanks for all your help.