How to get SLO to work in CAS 5?

1,377 views
Skip to first unread message

paul li

unread,
Apr 1, 2018, 6:21:23 PM4/1/18
to CAS Community

Hi

 

My team is working with CAS (5.2.3) and delegated SAML authentication via pac4j libraries. What we have so far:

1.      3 separate services, each is configured through spring to authenticate with CAS.

2.      CAS is configured to delegate authentication to SAML IDP via cas.properties config

3.      We extended the ClientAuthenticationHandler with small changes and registered it through a @Configuration class.

 

With this basic setup, we are able to get the SSO to work correctly across the services, against okta sample IDP, with a flow similar to this:

SP -> CAS -> Delegate Authentication -> Redirect to IDP -> Input credentials -> IDP returns SAML response -> CasAuthenticationFilter finishes the authentication and ST issuing -> System redirects the original ‘service’ url.

 

However, we are trying to get single logout (SLO) to work with the existing framework, we got no luck. 

It appears the system only logging out the local service, but not other services.

 

What we have at the moment:

For each of the service module, we have the following configured:

1. LogoutFilter via spring bean

2. SingleSignOutFilter via web.xml or spring bean

3. SingleSignOutHttpSessionListener in web.xml


Also we have ServiceRegistry json with logoutType: BACK_CHANNEL


spring config

  <http use-expressions="true" entry-point-ref="casAuthenticationEntryPoint">

              <intercept-url pattern="/resources/**" access="permitAll" />

             <intercept-url pattern="/manifest" access="permitAll" method="GET" />

             <intercept-url pattern="/**" access="isAuthenticated()" />

             <!-- enable csrf protection -->

             <csrf disabled="true" />

             <custom-filter ref="requestSingleLogoutFilter" before="LOGOUT_FILTER" />

             <custom-filter ref="singleLogoutFilter" before="CAS_FILTER" />

             <custom-filter ref="casAuthenticationFilter" after="CAS_FILTER" />

      </http>

 

      <bean id="singleLogoutFilter" class="org.jasig.cas.client.session.SingleSignOutFilter"

             p:ignoreInitConfiguration="true" ß-----not sure if we need this

             p:casServerUrlPrefix="${cas.server.app}/" />

           

       <bean id="requestSingleLogoutFilter"       class="org.springframework.security.web.authentication.logout.LogoutFilter"

             p:filterProcessesUrl="/logout/cas/" >

             <constructor-arg value="${cas.server.app}/logout?service=${calendar.client.app}/" />

             <constructor-arg>

                    <bean       class="org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler"></bean>

             </constructor-arg>

      </bean>


In web.xml of each module, we have:

 <listener>

<listener-class>org.jasig.cas.client.session.SingleSignOutHttpSessionListener</listener-class>
 </listener>

  <filter-name>CAS Single Sign Out Filter</filter-name>  

    <filter-class>org.jasig.cas.client.session.SingleSignOutFilter</filter-class

  </filter>

  <filter-mapping>  

       <filter-name>CAS Single Sign Out Filter</filter-name>  

    <url-pattern>/*</url-pattern>

  </filter-mapping>


service registry:

{

  "@class": "org.apereo.cas.services.RegexRegisteredService",

  "serviceId": "^(http|https|imaps)://.*",

  "name": "HTTPS and IMAPS",

  "id": 10000001,

  "description": "This service definition authorizes all application urls that support HTTPS and IMAPS protocols.",

  "evaluationOrder": 1,

  "logoutType" : "BACK_CHANNEL",

….



Problem:

When we issue a logout via: https://localhost:8443/platformadmin/logout/cas/ , we see the LogoutFilter is triggered and in doFilter() session is invalidated.

SingleSignOutHttpSessionListener#sessionDestroy() is immediately triggered after.


Then SingleLogoutFilter is triggered, in which SingleSignoutHandler#process(..) method, BACK_CHANNEL logout is triggered.

In the console log however, I only see the ST of the current service (platformadmin) is destroyed.


If we access any modules other than platformadmin, we are directed to the app automatically.

It seems we are only logged out of the current service modules (local logout), but didn’t logout from the other service modules.


What configuration are we missing? I see posts in this group where they have SLO working, 

We'd much appreciate if someone could provide a summary of their configuration.


Please let us know if you have any advices


Thanks!

Man H

unread,
Apr 2, 2018, 7:12:05 AM4/2/18
to cas-...@apereo.org
Try 

(Cas-server)/cas/logout



--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+unsubscribe@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/43525944-da4f-4891-ae95-3f81eb7f07c0%40apereo.org.

paul li

unread,
Apr 3, 2018, 11:52:08 AM4/3/18
to CAS Community
Update on the SLO issue we are having.
The SLO is working correctly if we don't delegate to SAML authentication.

If user is signed in from an external IDP via SAML authentication (we are using okta apps at the moment), 
the the logout action (/logout, or logout/cas/) invalidate the sessions, but does not logout the user from the IDP. (SLO flag on the IDP is enabled)

User just need to click a button on the CAS default login page (loginform.html) again, and automatically redirected into the app.

We traced our code, and and on logout, we saw in org.apereo.cas.support.pac4j.web.flow.SAML2ClientLogoutAction.java
following code is executed: 
@Override
    protected Event doExecute(final RequestContext requestContext) {
        try {
            final HttpServletRequest request = WebUtils.getHttpServletRequestFromExternalWebflowContext(requestContext);
            final HttpServletResponse response = WebUtils.getHttpServletResponseFromExternalWebflowContext(requestContext);
            final J2EContext context = Pac4jUtils.getPac4jJ2EContext(request, response);


            Client<?, ?> client;
            try {
                final String currentClientName = findCurrentClientName(context); //<-----------this is returning null, but we are overwriting this value in debug mode at the moment. likely something missed in the sso authentication flow.
                client = (currentClientName == null) ? null : clients.findClient(currentClientName); //<-----------client is retrieved correctly
            } catch(final TechnicalException e) {
                // this exception indicates that the SAML2Client is not in the list
                LOGGER.debug("No SAML2 client found");
                client = null;
            }


            // Call logout on SAML2 clients only
            if (client instanceof SAML2Client) {
                final SAML2Client saml2Client = (SAML2Client) client;
                LOGGER.debug("Located SAML2 client [{}]", saml2Client);
                final RedirectAction action = saml2Client.getLogoutAction(context, null, null); //<-----------we see the correct slo url is generated here in the format https://<okta samlapp url>/slo/saml?SAMLRequest=....
                LOGGER.debug("Preparing logout message to send is [{}]", action.getLocation());
                action.perform(context); //<-----------this is executed without exception
            } else {
                LOGGER.debug("The current client is not a SAML2 client or it cannot be found at all, no logout action will be executed.");
            }
        } catch (final Exception e) {
            LOGGER.warn(e.getMessage(), e);
        }
        return null;
    }

but after this code is finished, we accessed the okta IDP and user is still signed in...even though on the CAS side, user is directed to the CAS login page.

We did come across couple of other posts in our investigations, seems to be suggesting that SLO for SAML is not fully implemented yet..

Could someone confirm if SLO with SAML is working with CAS 5.2.3 or is there something we are missing...
Thank you very much in advance!

Paul Li


Ray Bon

unread,
Apr 3, 2018, 12:28:56 PM4/3/18
to cas-...@apereo.org
Paul,

Add these to your CAS log to see details about CAS side of logout process:


        <!-- DEBUG service status and logout process and a lot of details -->
        <AsyncLogger name="org.apereo.cas.logout" level="debug" />
        <!-- INFO  Performing logout operations for [TGT-...]
                   [number] logout requests were processed
             DEBUG ST, principal and URL -->
        <AsyncLogger name="org.apereo.cas.logout.DefaultLogoutManager" level="debug">
            <Filters>
                <ThresholdFilter level="INFO" onMatch="ACCEPT" onMismatch="NEUTRAL" />
                <RegexFilter regex="Captured logout request.*" onMismatch="DENY" />
            </Filters>
        </AsyncLogger>
        <!-- DEBUG Logout request will be sent to but does not print anything when login was through SAML 1.1 -->
        <AsyncLogger name="org.apereo.cas.logout.DefaultSingleLogoutServiceLogoutUrlBuilder" level="debug" />
        <!-- DEBUG preparing, processing and logout with URL and ST -->
        <AsyncLogger name="org.apereo.cas.logout.DefaultSingleLogoutServiceMessageHandler" level="debug" />
        <!-- DEBUG SAML logout payload -->
        <AsyncLogger name="org.apereo.cas.logout.SamlCompliantLogoutMessageCreator" level="debug" />
        <!-- DEBUG Response code from server matched [###] may be useful for debugging proxy
                   Created HTTP post message payload [POST URL] on logout -->
        <AsyncLogger name="org.apereo.cas.util.http.SimpleHttpClient" level="debug" />

Ray
-- 
Ray Bon
Programmer analyst
Development Services, University Systems
2507218831 | CLE 019 | rb...@uvic.ca
Message has been deleted

Travis Schmidt

unread,
Apr 9, 2018, 11:27:14 AM4/9/18
to cas-...@apereo.org
If you logout directly on the SP does it then logout out of the IdP?  Sounds like maybe it could be setup for only local logout.  We use Shibboleth and have this set in shibboleth2.xml to do both local and SAML logout to the IdP.

 <Logout asynchronous="false" signing="true">SAML2 Local</Logout>

Travis

On Mon, Apr 9, 2018 at 8:19 AM paul li <ziju...@gmail.com> wrote:
Thanks Ray,

Apologizes I went to finish other tasks first, now this logout is pretty much the only piece remaining
Below is the output of a logout action.  we currently have 3 SP modules deployed:
  1. calendar
  2. platformadmin
  3. user-api
After the logout, all 3 modules are logged from their session, but the user is not logged from IDP.
 
2018-04-09 10:48:46,469 DEBUG [org.apereo.cas.util.EncodingUtils] - <Decrypting value...>
2018-04-09 10:48:46,470 DEBUG [org.apereo.cas.web.support.DefaultCasCookieValueManager] - <Decoded cookie value is [TGT-1-rFbC-nomL1ZmEYpjvWvciFTKZ9M1vfOTYNFH...@127.0.0.1@Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.181 Safari/537.36]>
2018-04-09 10:48:46,470 DEBUG [org.apereo.cas.web.flow.TerminateSessionAction] - <Destroying SSO session linked to ticket-granting ticket [TGT-1-rFbC-nomL1ZmEYpjvWvciFTKZ9M1vfOTYNFHDbYyyimzstc98SE9X-1420SX91P-90A-ca-dev-dt43]>
2018-04-09 10:48:46,470 DEBUG [org.apereo.cas.authentication.PseudoPlatformTransactionManager] - <Creating new transaction with name [org.apereo.cas.DefaultCentralAuthenticationService.destroyTicketGrantingTicket]: PROPAGATION_REQUIRED,ISOLATION_DEFAULT; 'ticketTransactionManager'>
2018-04-09 10:48:46,470 DEBUG [org.apereo.cas.DefaultCentralAuthenticationService] - <Removing ticket [TGT-1-rFbC-nomL1ZmEYpjvWvciFTKZ9M1vfOTYNFHDbYyyimzstc98SE9X-1420SX91P-90A-ca-dev-dt43] from registry...>
2018-04-09 10:48:46,470 DEBUG [org.apereo.cas.DefaultCentralAuthenticationService] - <Ticket found. Processing logout requests and then deleting the ticket...>
2018-04-09 10:48:46,471 INFO [org.apereo.cas.logout.DefaultLogoutManager] - <Performing logout operations for [TGT-1-rFbC-nomL1ZmEYpjvWvciFTKZ9M1vfOTYNFHDbYyyimzstc98SE9X-1420SX91P-90A-ca-dev-dt43]>
2018-04-09 10:48:46,476 DEBUG [org.apereo.cas.logout.DefaultLogoutManager] - <Handling single logout callback for [org.apereo.cas.authentication.principal.SimpleWebApplicationServiceImpl@77c7f4eb[id=https://ca-dev-dt43.dev.crosscap.com:8443/calendar/login/cas/,originalUrl=https://ca-dev-dt43.dev.crosscap.com:8443/calendar/login/cas/,artifactId=<null>,principal=z...@crosscap.com|crosscapdev,loggedOutAlready=false,format=XML]]>
2018-04-09 10:48:46,476 DEBUG [org.apereo.cas.logout.DefaultSingleLogoutServiceMessageHandler] - <Processing logout request for service [org.apereo.cas.authentication.principal.SimpleWebApplicationServiceImpl@77c7f4eb[id=https://ca-dev-dt43.dev.crosscap.com:8443/calendar/login/cas/,originalUrl=https://ca-dev-dt43.dev.crosscap.com:8443/calendar/login/cas/,artifactId=<null>,principal=z...@crosscap.com|crosscapdev,loggedOutAlready=false,format=XML]]...>
2018-04-09 10:48:46,477 DEBUG [org.apereo.cas.logout.DefaultSingleLogoutServiceMessageHandler] - <Service [org.apereo.cas.authentication.principal.SimpleWebApplicationServiceImpl@77c7f4eb[id=https://ca-dev-dt43.dev.crosscap.com:8443/calendar/login/cas/,originalUrl=https://ca-dev-dt43.dev.crosscap.com:8443/calendar/login/cas/,artifactId=<null>,principal=z...@crosscap.com|crosscapdev,loggedOutAlready=false,format=XML]] supports single logout and is found in the registry as [id=1,name=HTTPS and IMAPS,description=This service definition authorizes all application urls that support HTTPS and IMAPS protocols.,serviceId=^(http|https|imaps)://.*,usernameAttributeProvider=org.apereo.cas.services.DefaultRegisteredServiceUsernameProvider@d,theme=<null>,evaluationOrder=1,logoutType=BACK_CHANNEL,attributeReleasePolicy=org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy@6f4230be[attributeFilter=<null>,principalAttributesRepository=org.apereo.cas.authentication.principal.DefaultPrincipalAttributesRepository@5c14927e[],authorizedToReleaseCredentialPassword=false,authorizedToReleaseAuthenticationAttributes=true,authorizedToReleaseProxyGrantingTicket=false,excludeDefaultAttributes=false,principalIdAttribute=<null>,consentPolicy=org.apereo.cas.services.consent.DefaultRegisteredServiceConsentPolicy@4b8d9d7f[excludedAttributes=<null>,includeOnlyAttributes=<null>,enabled=true],allowedAttributes=[]],accessStrategy=org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy@4f985406[enabled=true,ssoEnabled=true,requireAllAttributes=true,requiredAttributes={},unauthorizedRedirectUrl=<null>,caseInsensitive=false,rejectedAttributes={}],publicKey=<null>,proxyPolicy=org.apereo.cas.services.RefuseRegisteredServiceProxyPolicy@619ec8ca,logo=<null>,logoutUrl=<null>,requiredHandlers=[],properties={},multifactorPolicy=org.apereo.cas.services.DefaultRegisteredServiceMultifactorPolicy@31a14a8b[multifactorAuthenticationProviders=[],failureMode=NOT_SET,principalAttributeNameTrigger=<null>,principalAttributeValueToMatch=<null>,bypassEnabled=false],informationUrl=<null>,privacyUrl=<null>,contacts=[],expirationPolicy=org.apereo.cas.services.DefaultRegisteredServiceExpirationPolicy@49dea9a3[deleteWhenExpired=false,notifyWhenDeleted=false,expirationDate=<null>],<null>]. Proceeding...>
2018-04-09 10:48:46,477 DEBUG [org.apereo.cas.logout.DefaultSingleLogoutServiceLogoutUrlBuilder] - <Logout request will be sent to [https://ca-dev-dt43.dev.crosscap.com:8443/calendar/login/cas/] for service [org.apereo.cas.authentication.principal.SimpleWebApplicationServiceImpl@77c7f4eb[id=https://ca-dev-dt43.dev.crosscap.com:8443/calendar/login/cas/,originalUrl=https://ca-dev-dt43.dev.crosscap.com:8443/calendar/login/cas/,artifactId=<null>,principal=z...@crosscap.com|crosscapdev,loggedOutAlready=false,format=XML]]>
2018-04-09 10:48:46,477 DEBUG [org.apereo.cas.logout.DefaultSingleLogoutServiceMessageHandler] - <Prepared logout url [https://ca-dev-dt43.dev.crosscap.com:8443/calendar/login/cas/] for service [org.apereo.cas.authentication.principal.SimpleWebApplicationServiceImpl@77c7f4eb[id=https://ca-dev-dt43.dev.crosscap.com:8443/calendar/login/cas/,originalUrl=https://ca-dev-dt43.dev.crosscap.com:8443/calendar/login/cas/,artifactId=<null>,principal=z...@crosscap.com|crosscapdev,loggedOutAlready=false,format=XML]]>
2018-04-09 10:48:46,477 DEBUG [org.apereo.cas.logout.DefaultSingleLogoutServiceMessageHandler] - <Creating logout request for [org.apereo.cas.authentication.principal.SimpleWebApplicationServiceImpl@77c7f4eb[id=https://ca-dev-dt43.dev.crosscap.com:8443/calendar/login/cas/,originalUrl=https://ca-dev-dt43.dev.crosscap.com:8443/calendar/login/cas/,artifactId=<null>,principal=z...@crosscap.com|crosscapdev,loggedOutAlready=false,format=XML]] and ticket id [ST-3-j8U9yYSWKezbaw9v96O8-EQXYsI-ca-dev-dt43]>
2018-04-09 10:48:46,497 DEBUG [org.apereo.cas.logout.DefaultSingleLogoutServiceMessageHandler] - <Logout request [org.apereo.cas.logout.DefaultLogoutRequest@57bb486b[ticketId=ST-3-j8U9yYSWKezbaw9v96O8-EQXYsI-ca-dev-dt43,service=org.apereo.cas.authentication.principal.SimpleWebApplicationServiceImpl@77c7f4eb[id=https://ca-dev-dt43.dev.crosscap.com:8443/calendar/login/cas/,originalUrl=https://ca-dev-dt43.dev.crosscap.com:8443/calendar/login/cas/,artifactId=<null>,principal=z...@crosscap.com|crosscapdev,loggedOutAlready=false,format=XML],status=NOT_ATTEMPTED]] created for [org.apereo.cas.authentication.principal.SimpleWebApplicationServiceImpl@77c7f4eb[id=https://ca-dev-dt43.dev.crosscap.com:8443/calendar/login/cas/,originalUrl=https://ca-dev-dt43.dev.crosscap.com:8443/calendar/login/cas/,artifactId=<null>,principal=z...@crosscap.com|crosscapdev,loggedOutAlready=false,format=XML]] and ticket id [ST-3-j8U9yYSWKezbaw9v96O8-EQXYsI-ca-dev-dt43]>
2018-04-09 10:48:46,497 DEBUG [org.apereo.cas.logout.DefaultSingleLogoutServiceMessageHandler] - <Logout type registered for [org.apereo.cas.authentication.principal.SimpleWebApplicationServiceImpl@77c7f4eb[id=https://ca-dev-dt43.dev.crosscap.com:8443/calendar/login/cas/,originalUrl=https://ca-dev-dt43.dev.crosscap.com:8443/calendar/login/cas/,artifactId=<null>,principal=z...@crosscap.com|crosscapdev,loggedOutAlready=false,format=XML]] is [BACK_CHANNEL]>
2018-04-09 10:48:46,498 DEBUG [org.apereo.cas.logout.DefaultSingleLogoutServiceMessageHandler] - <Creating back-channel logout request based on [org.apereo.cas.logout.DefaultLogoutRequest@57bb486b[ticketId=ST-3-j8U9yYSWKezbaw9v96O8-EQXYsI-ca-dev-dt43,service=org.apereo.cas.authentication.principal.SimpleWebApplicationServiceImpl@77c7f4eb[id=https://ca-dev-dt43.dev.crosscap.com:8443/calendar/login/cas/,originalUrl=https://ca-dev-dt43.dev.crosscap.com:8443/calendar/login/cas/,artifactId=<null>,principal=z...@crosscap.com|crosscapdev,loggedOutAlready=false,format=XML],status=NOT_ATTEMPTED]]>
2018-04-09 10:48:46,518 DEBUG [org.apereo.cas.logout.SamlCompliantLogoutMessageCreator] - <Generated logout message: [<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="LR-1-LbINYEkWrKUlao1gg1J0gfFG" Version="2.0" IssueInstant="2018-04-09T10:48:46Z"><saml:NameID xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">@NOT_USED@</saml:NameID><samlp:SessionIndex>ST-3-j8U9yYSWKezbaw9v96O8-EQXYsI-ca-dev-dt43</samlp:SessionIndex></samlp:LogoutRequest>]>
2018-04-09 10:48:46,518 DEBUG [org.apereo.cas.logout.DefaultSingleLogoutServiceMessageHandler] - <Preparing logout request for [https://ca-dev-dt43.dev.crosscap.com:8443/calendar/login/cas/] to [https://ca-dev-dt43.dev.crosscap.com:8443/calendar/login/cas/]>
2018-04-09 10:48:46,612 DEBUG [org.apereo.cas.logout.DefaultSingleLogoutServiceMessageHandler] - <Prepared logout message to send is [org.apereo.cas.logout.LogoutHttpMessage@224f39ce[url=https://ca-dev-dt43.dev.crosscap.com:8443/calendar/login/cas/,message=<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="LR-1-LbINYEkWrKUlao1gg1J0gfFG" Version="2.0" IssueInstant="2018-04-09T10:48:46Z"><saml:NameID xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">@NOT_USED@</saml:NameID><samlp:SessionIndex>ST-3-j8U9yYSWKezbaw9v96O8-EQXYsI-ca-dev-dt43</samlp:SessionIndex></samlp:LogoutRequest>,asynchronous=true,contentType=application/x-www-form-urlencoded,responseCode=0]]. Sending...>
2018-04-09 10:48:46,625 DEBUG [org.apereo.cas.util.http.SimpleHttpClient] - <Created HTTP post message payload [POST https://ca-dev-dt43.dev.crosscap.com:8443/calendar/login/cas/ HTTP/1.1]>
2018-04-09 10:48:46,633 DEBUG [org.apereo.cas.logout.DefaultLogoutManager] - <Handling single logout callback for [org.apereo.cas.authentication.principal.SimpleWebApplicationServiceImpl@715df035[id=https://ca-dev-dt43.dev.crosscap.com:8443/platformadmin/login/cas/,originalUrl=https://ca-dev-dt43.dev.crosscap.com:8443/platformadmin/login/cas/,artifactId=<null>,principal=z...@crosscap.com|crosscapdev,loggedOutAlready=false,format=XML]]>
2018-04-09 10:48:46,633 DEBUG [org.apereo.cas.logout.DefaultSingleLogoutServiceMessageHandler] - <Processing logout request for service [org.apereo.cas.authentication.principal.SimpleWebApplicationServiceImpl@715df035[id=https://ca-dev-dt43.dev.crosscap.com:8443/platformadmin/login/cas/,originalUrl=https://ca-dev-dt43.dev.crosscap.com:8443/platformadmin/login/cas/,artifactId=<null>,principal=z...@crosscap.com|crosscapdev,loggedOutAlready=false,format=XML]]...>
2018-04-09 10:48:46,633 DEBUG [org.apereo.cas.logout.DefaultSingleLogoutServiceMessageHandler] - <Service [org.apereo.cas.authentication.principal.SimpleWebApplicationServiceImpl@715df035[id=https://ca-dev-dt43.dev.crosscap.com:8443/platformadmin/login/cas/,originalUrl=https://ca-dev-dt43.dev.crosscap.com:8443/platformadmin/login/cas/,artifactId=<null>,principal=z...@crosscap.com|crosscapdev,loggedOutAlready=false,format=XML]] supports single logout and is found in the registry as [id=1,name=HTTPS and IMAPS,description=This service definition authorizes all application urls that support HTTPS and IMAPS protocols.,serviceId=^(http|https|imaps)://.*,usernameAttributeProvider=org.apereo.cas.services.DefaultRegisteredServiceUsernameProvider@d,theme=<null>,evaluationOrder=1,logoutType=BACK_CHANNEL,attributeReleasePolicy=org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy@6f4230be[attributeFilter=<null>,principalAttributesRepository=org.apereo.cas.authentication.principal.DefaultPrincipalAttributesRepository@5c14927e[],authorizedToReleaseCredentialPassword=false,authorizedToReleaseAuthenticationAttributes=true,authorizedToReleaseProxyGrantingTicket=false,excludeDefaultAttributes=false,principalIdAttribute=<null>,consentPolicy=org.apereo.cas.services.consent.DefaultRegisteredServiceConsentPolicy@4b8d9d7f[excludedAttributes=<null>,includeOnlyAttributes=<null>,enabled=true],allowedAttributes=[]],accessStrategy=org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy@4f985406[enabled=true,ssoEnabled=true,requireAllAttributes=true,requiredAttributes={},unauthorizedRedirectUrl=<null>,caseInsensitive=false,rejectedAttributes={}],publicKey=<null>,proxyPolicy=org.apereo.cas.services.RefuseRegisteredServiceProxyPolicy@619ec8ca,logo=<null>,logoutUrl=<null>,requiredHandlers=[],properties={},multifactorPolicy=org.apereo.cas.services.DefaultRegisteredServiceMultifactorPolicy@31a14a8b[multifactorAuthenticationProviders=[],failureMode=NOT_SET,principalAttributeNameTrigger=<null>,principalAttributeValueToMatch=<null>,bypassEnabled=false],informationUrl=<null>,privacyUrl=<null>,contacts=[],expirationPolicy=org.apereo.cas.services.DefaultRegisteredServiceExpirationPolicy@49dea9a3[deleteWhenExpired=false,notifyWhenDeleted=false,expirationDate=<null>],<null>]. Proceeding...>
2018-04-09 10:48:46,634 DEBUG [org.apereo.cas.logout.DefaultSingleLogoutServiceLogoutUrlBuilder] - <Logout request will be sent to [https://ca-dev-dt43.dev.crosscap.com:8443/platformadmin/login/cas/] for service [org.apereo.cas.authentication.principal.SimpleWebApplicationServiceImpl@715df035[id=https://ca-dev-dt43.dev.crosscap.com:8443/platformadmin/login/cas/,originalUrl=https://ca-dev-dt43.dev.crosscap.com:8443/platformadmin/login/cas/,artifactId=<null>,principal=z...@crosscap.com|crosscapdev,loggedOutAlready=false,format=XML]]>
2018-04-09 10:48:46,634 DEBUG [org.apereo.cas.logout.DefaultSingleLogoutServiceMessageHandler] - <Prepared logout url [https://ca-dev-dt43.dev.crosscap.com:8443/platformadmin/login/cas/] for service [org.apereo.cas.authentication.principal.SimpleWebApplicationServiceImpl@715df035[id=https://ca-dev-dt43.dev.crosscap.com:8443/platformadmin/login/cas/,originalUrl=https://ca-dev-dt43.dev.crosscap.com:8443/platformadmin/login/cas/,artifactId=<null>,principal=z...@crosscap.com|crosscapdev,loggedOutAlready=false,format=XML]]>
2018-04-09 10:48:46,634 DEBUG [org.apereo.cas.logout.DefaultSingleLogoutServiceMessageHandler] - <Creating logout request for [org.apereo.cas.authentication.principal.SimpleWebApplicationServiceImpl@715df035[id=https://ca-dev-dt43.dev.crosscap.com:8443/platformadmin/login/cas/,originalUrl=https://ca-dev-dt43.dev.crosscap.com:8443/platformadmin/login/cas/,artifactId=<null>,principal=z...@crosscap.com|crosscapdev,loggedOutAlready=false,format=XML]] and ticket id [ST-1-YDJa9sviT8B4b4arci0kun1fsKY-ca-dev-dt43]>
2018-04-09 10:48:46,634 DEBUG [org.apereo.cas.logout.DefaultSingleLogoutServiceMessageHandler] - <Logout request [org.apereo.cas.logout.DefaultLogoutRequest@6dca6c59[ticketId=ST-1-YDJa9sviT8B4b4arci0kun1fsKY-ca-dev-dt43,service=org.apereo.cas.authentication.principal.SimpleWebApplicationServiceImpl@715df035[id=https://ca-dev-dt43.dev.crosscap.com:8443/platformadmin/login/cas/,originalUrl=https://ca-dev-dt43.dev.crosscap.com:8443/platformadmin/login/cas/,artifactId=<null>,principal=z...@crosscap.com|crosscapdev,loggedOutAlready=false,format=XML],status=NOT_ATTEMPTED]] created for [org.apereo.cas.authentication.principal.SimpleWebApplicationServiceImpl@715df035[id=https://ca-dev-dt43.dev.crosscap.com:8443/platformadmin/login/cas/,originalUrl=https://ca-dev-dt43.dev.crosscap.com:8443/platformadmin/login/cas/,artifactId=<null>,principal=z...@crosscap.com|crosscapdev,loggedOutAlready=false,format=XML]] and ticket id [ST-1-YDJa9sviT8B4b4arci0kun1fsKY-ca-dev-dt43]>
2018-04-09 10:48:46,634 DEBUG [org.apereo.cas.logout.DefaultSingleLogoutServiceMessageHandler] - <Logout type registered for [org.apereo.cas.authentication.principal.SimpleWebApplicationServiceImpl@715df035[id=https://ca-dev-dt43.dev.crosscap.com:8443/platformadmin/login/cas/,originalUrl=https://ca-dev-dt43.dev.crosscap.com:8443/platformadmin/login/cas/,artifactId=<null>,principal=z...@crosscap.com|crosscapdev,loggedOutAlready=false,format=XML]] is [BACK_CHANNEL]>
2018-04-09 10:48:46,634 DEBUG [org.apereo.cas.logout.DefaultSingleLogoutServiceMessageHandler] - <Creating back-channel logout request based on [org.apereo.cas.logout.DefaultLogoutRequest@6dca6c59[ticketId=ST-1-YDJa9sviT8B4b4arci0kun1fsKY-ca-dev-dt43,service=org.apereo.cas.authentication.principal.SimpleWebApplicationServiceImpl@715df035[id=https://ca-dev-dt43.dev.crosscap.com:8443/platformadmin/login/cas/,originalUrl=https://ca-dev-dt43.dev.crosscap.com:8443/platformadmin/login/cas/,artifactId=<null>,principal=z...@crosscap.com|crosscapdev,loggedOutAlready=false,format=XML],status=NOT_ATTEMPTED]]>
2018-04-09 10:48:46,634 DEBUG [org.apereo.cas.logout.SamlCompliantLogoutMessageCreator] - <Generated logout message: [<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="LR-2-4dhucG-ZvdihfzLTYzTSiGRk" Version="2.0" IssueInstant="2018-04-09T10:48:46Z"><saml:NameID xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">@NOT_USED@</saml:NameID><samlp:SessionIndex>ST-1-YDJa9sviT8B4b4arci0kun1fsKY-ca-dev-dt43</samlp:SessionIndex></samlp:LogoutRequest>]>
2018-04-09 10:48:46,634 DEBUG [org.apereo.cas.logout.DefaultSingleLogoutServiceMessageHandler] - <Preparing logout request for [https://ca-dev-dt43.dev.crosscap.com:8443/platformadmin/login/cas/] to [https://ca-dev-dt43.dev.crosscap.com:8443/platformadmin/login/cas/]>
2018-04-09 10:48:46,634 DEBUG [org.apereo.cas.logout.DefaultSingleLogoutServiceMessageHandler] - <Prepared logout message to send is [org.apereo.cas.logout.LogoutHttpMessage@66c728cd[url=https://ca-dev-dt43.dev.crosscap.com:8443/platformadmin/login/cas/,message=<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="LR-2-4dhucG-ZvdihfzLTYzTSiGRk" Version="2.0" IssueInstant="2018-04-09T10:48:46Z"><saml:NameID xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">@NOT_USED@</saml:NameID><samlp:SessionIndex>ST-1-YDJa9sviT8B4b4arci0kun1fsKY-ca-dev-dt43</samlp:SessionIndex></samlp:LogoutRequest>,asynchronous=true,contentType=application/x-www-form-urlencoded,responseCode=0]]. Sending...>
2018-04-09 10:48:46,636 DEBUG [org.apereo.cas.util.http.SimpleHttpClient] - <Created HTTP post message payload [POST https://ca-dev-dt43.dev.crosscap.com:8443/platformadmin/login/cas/ HTTP/1.1]>
2018-04-09 10:48:46,636 DEBUG [org.apereo.cas.logout.DefaultLogoutManager] - <Handling single logout callback for [org.apereo.cas.authentication.principal.SimpleWebApplicationServiceImpl@1b58e17f[id=https://ca-dev-dt43.dev.crosscap.com:8443/user-api/login/cas/,originalUrl=https://ca-dev-dt43.dev.crosscap.com:8443/user-api/login/cas/,artifactId=<null>,principal=z...@crosscap.com|crosscapdev,loggedOutAlready=false,format=XML]]>
2018-04-09 10:48:46,636 DEBUG [org.apereo.cas.logout.DefaultSingleLogoutServiceMessageHandler] - <Processing logout request for service [org.apereo.cas.authentication.principal.SimpleWebApplicationServiceImpl@1b58e17f[id=https://ca-dev-dt43.dev.crosscap.com:8443/user-api/login/cas/,originalUrl=https://ca-dev-dt43.dev.crosscap.com:8443/user-api/login/cas/,artifactId=<null>,principal=z...@crosscap.com|crosscapdev,loggedOutAlready=false,format=XML]]...>
2018-04-09 10:48:46,637 DEBUG [org.apereo.cas.logout.DefaultSingleLogoutServiceMessageHandler] - <Service [org.apereo.cas.authentication.principal.SimpleWebApplicationServiceImpl@1b58e17f[id=https://ca-dev-dt43.dev.crosscap.com:8443/user-api/login/cas/,originalUrl=https://ca-dev-dt43.dev.crosscap.com:8443/user-api/login/cas/,artifactId=<null>,principal=z...@crosscap.com|crosscapdev,loggedOutAlready=false,format=XML]] supports single logout and is found in the registry as [id=1,name=HTTPS and IMAPS,description=This service definition authorizes all application urls that support HTTPS and IMAPS protocols.,serviceId=^(http|https|imaps)://.*,usernameAttributeProvider=org.apereo.cas.services.DefaultRegisteredServiceUsernameProvider@d,theme=<null>,evaluationOrder=1,logoutType=BACK_CHANNEL,attributeReleasePolicy=org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy@6f4230be[attributeFilter=<null>,principalAttributesRepository=org.apereo.cas.authentication.principal.DefaultPrincipalAttributesRepository@5c14927e[],authorizedToReleaseCredentialPassword=false,authorizedToReleaseAuthenticationAttributes=true,authorizedToReleaseProxyGrantingTicket=false,excludeDefaultAttributes=false,principalIdAttribute=<null>,consentPolicy=org.apereo.cas.services.consent.DefaultRegisteredServiceConsentPolicy@4b8d9d7f[excludedAttributes=<null>,includeOnlyAttributes=<null>,enabled=true],allowedAttributes=[]],accessStrategy=org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy@4f985406[enabled=true,ssoEnabled=true,requireAllAttributes=true,requiredAttributes={},unauthorizedRedirectUrl=<null>,caseInsensitive=false,rejectedAttributes={}],publicKey=<null>,proxyPolicy=org.apereo.cas.services.RefuseRegisteredServiceProxyPolicy@619ec8ca,logo=<null>,logoutUrl=<null>,requiredHandlers=[],properties={},multifactorPolicy=org.apereo.cas.services.DefaultRegisteredServiceMultifactorPolicy@31a14a8b[multifactorAuthenticationProviders=[],failureMode=NOT_SET,principalAttributeNameTrigger=<null>,principalAttributeValueToMatch=<null>,bypassEnabled=false],informationUrl=<null>,privacyUrl=<null>,contacts=[],expirationPolicy=org.apereo.cas.services.DefaultRegisteredServiceExpirationPolicy@49dea9a3[deleteWhenExpired=false,notifyWhenDeleted=false,expirationDate=<null>],<null>]. Proceeding...>
2018-04-09 10:48:46,637 DEBUG [org.apereo.cas.logout.DefaultSingleLogoutServiceLogoutUrlBuilder] - <Logout request will be sent to [https://ca-dev-dt43.dev.crosscap.com:8443/user-api/login/cas/] for service [org.apereo.cas.authentication.principal.SimpleWebApplicationServiceImpl@1b58e17f[id=https://ca-dev-dt43.dev.crosscap.com:8443/user-api/login/cas/,originalUrl=https://ca-dev-dt43.dev.crosscap.com:8443/user-api/login/cas/,artifactId=<null>,principal=z...@crosscap.com|crosscapdev,loggedOutAlready=false,format=XML]]>
2018-04-09 10:48:46,637 DEBUG [org.apereo.cas.logout.DefaultSingleLogoutServiceMessageHandler] - <Prepared logout url [https://ca-dev-dt43.dev.crosscap.com:8443/user-api/login/cas/] for service [org.apereo.cas.authentication.principal.SimpleWebApplicationServiceImpl@1b58e17f[id=https://ca-dev-dt43.dev.crosscap.com:8443/user-api/login/cas/,originalUrl=https://ca-dev-dt43.dev.crosscap.com:8443/user-api/login/cas/,artifactId=<null>,principal=z...@crosscap.com|crosscapdev,loggedOutAlready=false,format=XML]]>
2018-04-09 10:48:46,637 DEBUG [org.apereo.cas.logout.DefaultSingleLogoutServiceMessageHandler] - <Creating logout request for [org.apereo.cas.authentication.principal.SimpleWebApplicationServiceImpl@1b58e17f[id=https://ca-dev-dt43.dev.crosscap.com:8443/user-api/login/cas/,originalUrl=https://ca-dev-dt43.dev.crosscap.com:8443/user-api/login/cas/,artifactId=<null>,principal=z...@crosscap.com|crosscapdev,loggedOutAlready=false,format=XML]] and ticket id [ST-2-DnO-sHlxfAgVZ3fDbfTdZR-1NsI-ca-dev-dt43]>
2018-04-09 10:48:46,637 DEBUG [org.apereo.cas.logout.DefaultSingleLogoutServiceMessageHandler] - <Logout request [org.apereo.cas.logout.DefaultLogoutRequest@6c78b7d1[ticketId=ST-2-DnO-sHlxfAgVZ3fDbfTdZR-1NsI-ca-dev-dt43,service=org.apereo.cas.authentication.principal.SimpleWebApplicationServiceImpl@1b58e17f[id=https://ca-dev-dt43.dev.crosscap.com:8443/user-api/login/cas/,originalUrl=https://ca-dev-dt43.dev.crosscap.com:8443/user-api/login/cas/,artifactId=<null>,principal=z...@crosscap.com|crosscapdev,loggedOutAlready=false,format=XML],status=NOT_ATTEMPTED]] created for [org.apereo.cas.authentication.principal.SimpleWebApplicationServiceImpl@1b58e17f[id=https://ca-dev-dt43.dev.crosscap.com:8443/user-api/login/cas/,originalUrl=https://ca-dev-dt43.dev.crosscap.com:8443/user-api/login/cas/,artifactId=<null>,principal=z...@crosscap.com|crosscapdev,loggedOutAlready=false,format=XML]] and ticket id [ST-2-DnO-sHlxfAgVZ3fDbfTdZR-1NsI-ca-dev-dt43]>
2018-04-09 10:48:46,637 DEBUG [org.apereo.cas.logout.DefaultSingleLogoutServiceMessageHandler] - <Logout type registered for [org.apereo.cas.authentication.principal.SimpleWebApplicationServiceImpl@1b58e17f[id=https://ca-dev-dt43.dev.crosscap.com:8443/user-api/login/cas/,originalUrl=https://ca-dev-dt43.dev.crosscap.com:8443/user-api/login/cas/,artifactId=<null>,principal=z...@crosscap.com|crosscapdev,loggedOutAlready=false,format=XML]] is [BACK_CHANNEL]>
2018-04-09 10:48:46,637 DEBUG [org.apereo.cas.logout.DefaultSingleLogoutServiceMessageHandler] - <Creating back-channel logout request based on [org.apereo.cas.logout.DefaultLogoutRequest@6c78b7d1[ticketId=ST-2-DnO-sHlxfAgVZ3fDbfTdZR-1NsI-ca-dev-dt43,service=org.apereo.cas.authentication.principal.SimpleWebApplicationServiceImpl@1b58e17f[id=https://ca-dev-dt43.dev.crosscap.com:8443/user-api/login/cas/,originalUrl=https://ca-dev-dt43.dev.crosscap.com:8443/user-api/login/cas/,artifactId=<null>,principal=z...@crosscap.com|crosscapdev,loggedOutAlready=false,format=XML],status=NOT_ATTEMPTED]]>
2018-04-09 10:48:46,638 DEBUG [org.apereo.cas.logout.SamlCompliantLogoutMessageCreator] - <Generated logout message: [<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="LR-3-GTdAHeNvXTCyjYcI5ZiDRNVI" Version="2.0" IssueInstant="2018-04-09T10:48:46Z"><saml:NameID xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">@NOT_USED@</saml:NameID><samlp:SessionIndex>ST-2-DnO-sHlxfAgVZ3fDbfTdZR-1NsI-ca-dev-dt43</samlp:SessionIndex></samlp:LogoutRequest>]>
2018-04-09 10:48:46,638 DEBUG [org.apereo.cas.logout.DefaultSingleLogoutServiceMessageHandler] - <Preparing logout request for [https://ca-dev-dt43.dev.crosscap.com:8443/user-api/login/cas/] to [https://ca-dev-dt43.dev.crosscap.com:8443/user-api/login/cas/]>
2018-04-09 10:48:46,638 DEBUG [org.apereo.cas.logout.DefaultSingleLogoutServiceMessageHandler] - <Prepared logout message to send is [org.apereo.cas.logout.LogoutHttpMessage@52eea6a3[url=https://ca-dev-dt43.dev.crosscap.com:8443/user-api/login/cas/,message=<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="LR-3-GTdAHeNvXTCyjYcI5ZiDRNVI" Version="2.0" IssueInstant="2018-04-09T10:48:46Z"><saml:NameID xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">@NOT_USED@</saml:NameID><samlp:SessionIndex>ST-2-DnO-sHlxfAgVZ3fDbfTdZR-1NsI-ca-dev-dt43</samlp:SessionIndex></samlp:LogoutRequest>,asynchronous=true,contentType=application/x-www-form-urlencoded,responseCode=0]]. Sending...>
2018-04-09 10:48:46,639 DEBUG [org.apereo.cas.util.http.SimpleHttpClient] - <Created HTTP post message payload [POST https://ca-dev-dt43.dev.crosscap.com:8443/user-api/login/cas/ HTTP/1.1]>
2018-04-09 10:48:46,643 INFO [org.apereo.cas.logout.DefaultLogoutManager] - <[3] logout requests were processed>
2018-04-09 10:48:46,643 DEBUG [org.apereo.cas.ticket.registry.AbstractTicketRegistry] - <Removing children of ticket [TGT-1-rFbC-nomL1ZmEYpjvWvciFTKZ9M1vfOTYNFHDbYyyimzstc98SE9X-1420SX91P-90A-ca-dev-dt43] from the registry.>
2018-04-09 10:48:46,644 DEBUG [org.apereo.cas.ticket.registry.AbstractTicketRegistry] - <Unable to remove ticket [ST-3-j8U9yYSWKezbaw9v96O8-EQXYsI-ca-dev-dt43]>
2018-04-09 10:48:46,644 DEBUG [org.apereo.cas.ticket.registry.AbstractTicketRegistry] - <Unable to remove ticket [ST-1-YDJa9sviT8B4b4arci0kun1fsKY-ca-dev-dt43]>
2018-04-09 10:48:46,644 DEBUG [org.apereo.cas.ticket.registry.AbstractTicketRegistry] - <Unable to remove ticket [ST-2-DnO-sHlxfAgVZ3fDbfTdZR-1NsI-ca-dev-dt43]>
2018-04-09 10:48:46,645 DEBUG [org.apereo.cas.ticket.registry.AbstractTicketRegistry] - <Removing ticket [TGT-1-rFbC-nomL1ZmEYpjvWvciFTKZ9M1vfOTYNFHDbYyyimzstc98SE9X-1420SX91P-90A-ca-dev-dt43] from the registry.>
2018-04-09 10:48:46,645 DEBUG [org.apereo.cas.AbstractCentralAuthenticationService] - <Publishing [org.apereo.cas.support.events.ticket.CasTicketGrantingTicketDestroyedEvent@7a5d2ef3[ticketGrantingTicket=TGT-1-rFbC-nomL1ZmEYpjvWvciFTKZ9M1vfOTYNFHDbYyyimzstc98SE9X-1420SX91P-90A-ca-dev-dt43]]>
2018-04-09 10:48:46,647 DEBUG [org.apereo.cas.authentication.PseudoPlatformTransactionManager] - <Initiating transaction commit>
2018-04-09 10:48:46,647 DEBUG [org.apereo.cas.web.flow.TerminateSessionAction] - <Removing CAS cookies>
2018-04-09 10:48:46,647 DEBUG [org.apereo.cas.web.support.TGCCookieRetrievingCookieGenerator] - <Removed cookie with name [TGC]>
2018-04-09 10:48:46,647 DEBUG [org.apereo.cas.web.WarningCookieRetrievingCookieGenerator] - <Removed cookie with name [CASPRIVACY]>
2018-04-09 10:48:46,647 DEBUG [org.apereo.cas.web.flow.TerminateSessionAction] - <Destroying application session>
2018-04-09 10:48:46,681 DEBUG [org.apereo.cas.web.flow.TerminateSessionAction] - <Terminated all CAS sessions successfully.>
2018-04-09 10:48:46,689 DEBUG [org.apereo.cas.web.flow.LogoutAction] - <Using parameter name [service] to detect destination service, if any>
2018-04-09 10:48:46,689 DEBUG [org.apereo.cas.web.flow.LogoutAction] - <Located target service [service] for redirection after logout>
2018-04-09 10:48:46,689 DEBUG [org.apereo.cas.web.flow.LogoutAction] - <Redirecting to service [https://ca-dev-dt43.dev.crosscap.com:8443/platformadmin/]>
2018-04-09 10:48:46,689 DEBUG [org.apereo.cas.web.flow.LogoutAction] - <Moving forward to finish the logout process>
2018-04-09 10:48:46,693 DEBUG [org.apereo.cas.support.pac4j.web.flow.SAML2ClientLogoutAction] - <The current client is not a SAML2 client or it cannot be found at all, no logout action will be executed.>


Right now, the system is able to logout out of all the SP modules, but not logged out from the SAML IDP.
 
The reason that no SAML2 client is found during logout, is because no userProfile is saved in the session.  
It seems the userProfile is saved via org.pac4j.core.engine.DefaultCallbackLogic#saveUserProfile.  

We didn't use the callBackFilter in our delegate authentication flow, as we couldn't get it work together with the other CAS filters. We just used the CasAuthenticationEntryPoint and CasAuthenticationFilter.

Does this mean we must use the pac4j callBackFilter to get the SAML2ClientLogoutAction to perform correctly? 

Thanks
Paul L

--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/aa01f261-99a6-4837-9c1d-7ffab62987b9%40apereo.org.
Reply all
Reply to author
Forward
Message has been deleted
0 new messages