Hello,
We are experiencing an unusual issue. It might be due to a misconfiguration or a bug.
When performing SAML Single Logout (SLO) using HTTP-POST binding, the response contains both the SAML logout auto-submit form and the CAS logout page, which causes issues with auto-submit behavior.
Environment:
SimpleSAMLphp as an Identity Provider (IdP), CAS 7.1 as a Service Provider (SP)
Current behaviour:
1. CAS correctly generates SAML LogoutRequest (through pac4j-saml library)
2. Creates an HTML form with auto-submit functionality (through pac4j-saml library)
3. Sets correct RelayState for return (through pac4j-saml library)
4. However, the response also includes the CAS logout page, resulting in a combined response (standard spring webflow)
Additional Observations:
- This issue doesn't occur with HTTP-Redirect binding (likely because 302 status prevents rendering).
```
# error occurs
cas.authn.pac4j.saml[0].logout-request-binding=urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
# is OK
#cas.authn.pac4j.saml[0].logout-request-binding=urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect
```
- The SAML form is generated during SAML actions in terminateSession state
- The CAS logout page is added later in the logout flow
Flow Analysis:
1. terminateSession state executes:
- delegatedAuthenticationClientLogoutAction
- delegatedAuthenticationSaml2ClientFinishLogoutAction
- delegatedSaml2ClientTerminateSessionAction
2. Flow continues to logoutView state which adds the CAS logout page
Any assistance would be greatly appreciated.
Kind regards,
Milan
Example of CAS response:
```
<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8" />
</head>
<body onload="document.forms[0].submit()">
<noscript>
<p>
<strong>Note:</strong> Since your browser does not support JavaScript,
you must press the Continue button once to proceed.
</p>
</noscript>
<form action="https://local.xxx.yyy.cz/simplesaml/module.php/saml/idp/singleLogout" method="post">
<div>
<input type="hidden" name="RelayState" value="https://local.xxx.yyy.cz/cas/login?client_name=SimpleSAML"/>
<input type="hidden" name="SAMLRequest" value="PD...dD4="/>
</div>
<noscript>
<div>
<input type="submit" value="Continue"/>
</div>
</noscript>
</form>
</body>
</html><!DOCTYPE html><html lang="en">
<head>
<meta charset="UTF-8" /><meta http-equiv="X-UA-Compatible" content="IE=edge" /><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title>Logout successful - CAS - Central Authentication Service</title>
<meta http-equiv="X-UA-Compatible" content="IE=edge"/><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no"/>
<link rel="stylesheet" type="text/css" href="/cas/webjars/normalize.css/8.0.1/normalize-112272e51c80ffe5bd01becd2ce7d656.css" /><link rel="stylesheet" type="text/css" href="/cas/webjars/bootstrap/5.3.3/css/bootstrap-grid.min-ea688188986141f98fe7c673dd4c34f1.css" /><link rel="stylesheet" type="text/css" href="/cas/webjars/material-components-web/14.0.0/dist/material-components-web.min-9da9033e8d04504fe54b3dbb1298fd78.css" /><link rel="stylesheet" type="text/css" href="/cas/webjars/mdi__font/7.4.47/css/materialdesignicons.min-2c83c4bce691e18f82409f87b2bf84e4.css" /><link rel="stylesheet" type="text/css" href="/cas/webjars/datatables/2.1.0/css/dataTables.dataTables-dd4fd70bec3081bf43eaf1b44606825c.css" /><link rel="stylesheet" type="text/css" href="/cas/css/cas-c344b14a22795665456bd29c9c4007f6.css" /><link rel="stylesheet" type="text/css" href="/cas/themes/standard/css/cas-custom-91a1a43e65f3bd9385bb00840907affe.css" /><link rel="shortcut icon" href="/cas/favicon-ee8c1233d027f8132e38212a2bda6bb4.ico" /></head>
....
```
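A check for the symptom shown in the response above, as an added example that is not part of the original post and is not CAS or pac4j code: it parses a logout response body and reports whether a SAML POST-binding form is followed by a second HTML document. The function name, result keys and sample hosts are assumptions made for illustration.

```python
from html.parser import HTMLParser

class _PostBindingScan(HTMLParser):
    """Counts <html> roots and collects POST forms that carry a SAML message."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.html_roots = 0
        self.saml_forms = []          # [{"action": ..., "fields": [...]}]
        self._form = None             # POST form currently being read, if any

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "html":
            self.html_roots += 1
        elif tag == "form" and (a.get("method") or "").lower() == "post":
            self._form = {"action": a.get("action"), "fields": []}
        elif tag == "input" and self._form is not None and a.get("name"):
            self._form["fields"].append(a["name"])

    def handle_endtag(self, tag):
        if tag == "form" and self._form is not None:
            if {"SAMLRequest", "SAMLResponse"} & set(self._form["fields"]):
                self.saml_forms.append(self._form)
            self._form = None

def check_slo_body(body: str) -> dict:
    """Report whether a SAML auto-submit form shares the body with another page."""
    scan = _PostBindingScan()
    scan.feed(body)
    scan.close()
    end = body.lower().find("</html>")
    trailing = body[end + len("</html>"):].strip() if end != -1 else ""
    return {
        "saml_forms": scan.saml_forms,
        "documents": scan.html_roots,
        "trailing_chars": len(trailing),
        "combined": bool(scan.saml_forms) and (scan.html_roots > 1 or bool(trailing)),
    }

# Constructed sample (placeholder hosts and message): form page plus a second page.
SAMPLE_COMBINED = (
    '<!DOCTYPE html><html><body onload="document.forms[0].submit()">'
    '<form action="https://idp.example.org/slo" method="post">'
    '<input type="hidden" name="RelayState" value="https://sp.example.org/cas/login"/>'
    '<input type="hidden" name="SAMLRequest" value="PLACEHOLDER"/>'
    '</form></body></html>'
    '<!DOCTYPE html><html lang="en"><head><title>Logout successful</title></head></html>'
)
SAMPLE_CLEAN = SAMPLE_COMBINED[: SAMPLE_COMBINED.index("</html>") + len("</html>")]
```

Feeding it the body captured from the logout endpoint under each `logout-request-binding` setting shows whether the POST-binding response is a single document or the combined one.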