Logout using delegated authentication with SAML2 IDP


Migue Jaramago

Apr 21, 2022, 5:32:53 AM4/21/22
to CAS Community
Hello,

I'm using CAS 6.4.6


I have the structure:  [application] -> [cas6] -> [SAML2 Idp].
The CAS6 server is configured to delegate authentication, using pac4j libraries, and it's working fine.
The problem that I'm trying to solve is when the user asks to log out. I need the user to end their session on Application, CAS6 and SAML2-Idp.

The following steps show the problem:
1 - User is logged in to Application, CAS6 and SAML2-Idp.
2 - User logs out of the Application, and the Application redirects the user to the CAS6 logout.
3 - CAS6 logs out the user.
4 - The user does not close the browser and tries to access the Application again, then the Application redirects to CAS6 to log in again.
5 - CAS6 redirects the user to SAML2-Idp.
6 - SAML2-Idp still has a valid SSO session for the user, that is, it redirects back to CAS6 authenticated.
7 - CAS6 creates the tickets and redirects to the Application.
8 - User is logged in.



How can I configure CAS6, when the user is logging out, to tell SAML2-Idp to end its session, or to redirect to SAML2-Idp to log out and get back to the login screen?

Migue Jaramago

Apr 22, 2022, 11:22:49 AM4/22/22
to CAS Community, Migue Jaramago
I'm adding more information to the previous question.

Between Application and Cas6, I use Cas 3.0 Protocol.
Between Cas6 and SAML2-Idp, I use saml2 with pac4j libraries (added as dependency in the Cas build).

When the user logs out of the Application, it redirects to CAS6 to log out via 'https://<server Cas>/cas/logout'.
CAS6 performs a logout, but does not send any SAML2 message to SAML2-Idp. It doesn't send a 'LogoutRequest' to SAML2-Idp!!!!

Any suggestions??

Matt Cesari

Apr 22, 2022, 11:22:49 AM4/22/22
to cas-...@apereo.org
I think cas.logout.redirect-url would do what you need.
Set it to your SAML2 IDP logout URL.




--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.

Migue Jaramago

Apr 25, 2022, 8:38:45 AM4/25/22
to CAS Community, ces...@tcnj.edu
Hi, thanks Matt for your response.

I tried it, but it doesn't work.

The metadata of the external SAML2-Idp only has one SingleLogoutService, and its binding is 'HTTP-Redirect':

 <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://xxxxxxxxx/SLOservice.php" />

But I get an exception that the identity provider does not have an 'HTTP-Post' binding for the selected profile.

2022-04-25 13:51:14,023 DEBUG [org.opensaml.saml.metadata.resolver.impl.AbstractMetadataResolver] - <Metadata Resolver DOMMetadataResolver org.opensaml.saml.metadata.resolver.impl.DOMMetadataResolver: Attempting to filter candidate EntityDescriptors via resolved Predicates>
2022-04-25 13:51:14,024 DEBUG [org.opensaml.saml.metadata.resolver.impl.AbstractMetadataResolver] - <Metadata Resolver DOMMetadataResolver org.opensaml.saml.metadata.resolver.impl.DOMMetadataResolver: After predicate filtering 1 EntityDescriptors remain>

2022-04-25 13:51:14,031 DEBUG [org.pac4j.saml.logout.SAML2LogoutActionBuilder] - <Identity provider has no single logout service available for the selected profile urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST>
org.pac4j.saml.exceptions.SAMLException: Identity provider has no single logout service available for the selected profile urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
        at org.pac4j.saml.context.SAML2MessageContext.getIDPSingleLogoutService(SAML2MessageContext.java:135) ~[pac4j-saml-5.3.1.jar!/:?]
        at org.pac4j.saml.logout.impl.SAML2LogoutRequestBuilder.build(SAML2LogoutRequestBuilder.java:45) ~[pac4j-saml-5.3.1.jar!/:?]
        at org.pac4j.saml.logout.SAML2LogoutActionBuilder.getLogoutAction(SAML2LogoutActionBuilder.java:62) ~[pac4j-saml-5.3.1.jar!/:?]
        at org.pac4j.core.client.IndirectClient.getLogoutAction(IndirectClient.java:160) ~[pac4j-core-5.3.1.jar!/:?]
        at org.apereo.cas.web.flow.DelegatedAuthenticationClientLogoutAction.doExecute(DelegatedAuthenticationClientLogoutAction.java:80) ~[cas-server-support-pac4j-webflow-6.4.6.jar!/:6.4.6]
        at org.springframework.webflow.action.AbstractAction.execute(AbstractAction.java:188) ~[spring-webflow-2.5.1.RELEASE.jar!/:2.5.1.RELEASE]
        at jdk.internal.reflect.GeneratedMethodAccessor170.invoke(Unknown Source) ~[?:?]
        at jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:?]
        at java.lang.reflect.Method.invoke(Method.java:566) ~[?:?]
        at org.springframework.util.ReflectionUtils.invokeMethod(ReflectionUtils.java:282) ~[spring-core-5.3.9.jar!/:5.3.9]
        at org.springframework.cloud.context.scope.GenericScope$LockedScopedProxyFactoryBean.invoke(GenericScope.java:485) ~[spring-cloud-context-3.0.3.jar!/:3.0.3]
        at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:186) ~[spring-aop-5.3.9.jar!/:5.3.9]
        at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:215) ~[spring-aop-5.3.9.jar!/:5.3.9]
        at com.sun.proxy.$Proxy258.execute(Unknown Source) ~[?:?]
        at org.springframework.webflow.execution.ActionExecutor.execute(ActionExecutor.java:51) ~[spring-webflow-2.5.1.RELEASE.jar!/:2.5.1.RELEASE]
        at org.springframework.webflow.action.EvaluateAction.doExecute(EvaluateAction.java:77) ~[spring-webflow-2.5.1.RELEASE.jar!/:2.5.1.RELEASE]
        at org.springframework.webflow.action.AbstractAction.execute(AbstractAction.java:188) ~[spring-webflow-2.5.1.RELEASE.jar!/:2.5.1.RELEASE]
        at org.springframework.webflow.execution.ActionExecutor.execute(ActionExecutor.java:51) ~[spring-webflow-2.5.1.RELEASE.jar!/:2.5.1.RELEASE]
        at org.springframework.webflow.engine.ActionList.execute(ActionList.java:154) ~[spring-webflow-2.5.1.RELEASE.jar!/:2.5.1.RELEASE]
        at org.springframework.webflow.engine.State.enter(State.java:193) ~[spring-webflow-2.5.1.RELEASE.jar!/:2.5.1.RELEASE]
        at org.springframework.webflow.engine.Flow.start(Flow.java:527) ~[spring-webflow-2.5.1.RELEASE.jar!/:2.5.1.RELEASE]
        at org.springframework.webflow.engine.impl.FlowExecutionImpl.start(FlowExecutionImpl.java:368) ~[spring-webflow-2.5.1.RELEASE.jar!/:2.5.1.RELEASE]
        at org.springframework.webflow.engine.impl.FlowExecutionImpl.start(FlowExecutionImpl.java:223) ~[spring-webflow-2.5.1.RELEASE.jar!/:2.5.1.RELEASE]
        at org.springframework.webflow.executor.FlowExecutorImpl.launchExecution(FlowExecutorImpl.java:139) ~[spring-webflow-2.5.1.RELEASE.jar!/:2.5.1.RELEASE]
        at jdk.internal.reflect.GeneratedMethodAccessor300.invoke(Unknown Source) ~[?:?]
        at jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:?]
        at java.lang.reflect.Method.invoke(Method.java:566) ~[?:?]


I do not know what I'm doing wrong.
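As an added example (not code from this thread, CAS or pac4j), a small Python check that parses IdP metadata shaped like the snippet above, lists the SingleLogoutService bindings the IdP advertises, and compares them with the binding named in the pac4j "selected profile" message; the metadata, entityID, locations and log line below are constructed to match the thread.

```python
"""Compare the SLO bindings an IdP advertises with the one the SP selected."""
import re
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed IdP metadata: a single HTTP-Redirect SLO endpoint, as in the thread.
IDP_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD_NS}" entityID="https://idp.example.test/idp">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleLogoutService Binding="{HTTP_REDIRECT}" Location="https://idp.example.test/SLOservice.php"/>
    <md:SingleSignOnService Binding="{HTTP_REDIRECT}" Location="https://idp.example.test/SSOservice.php"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed pac4j DEBUG line in the shape of the one quoted in the thread.
PAC4J_LOG_LINE = (
    "2022-04-25 13:51:14,031 DEBUG [org.pac4j.saml.logout.SAML2LogoutActionBuilder] - "
    "<Identity provider has no single logout service available for the selected profile "
    f"{HTTP_POST}>"
)


def slo_bindings(metadata_xml: str) -> dict:
    """Map every SingleLogoutService Binding URI in the metadata to its Location."""
    root = ET.fromstring(metadata_xml)
    return {slo.get("Binding"): slo.get("Location")
            for slo in root.iter(f"{{{MD_NS}}}SingleLogoutService")}


def selected_logout_binding(log_line: str):
    """Pull the binding the SP tried to use out of pac4j's 'selected profile' message."""
    m = re.search(r"selected profile (urn:oasis:names:tc:SAML:2\.0:bindings:[A-Za-z-]+)", log_line)
    return m.group(1) if m else None


def diagnose(metadata_xml: str, log_line: str) -> dict:
    """Report whether the selected SLO binding is advertised and which ones would work."""
    advertised = slo_bindings(metadata_xml)
    wanted = selected_logout_binding(log_line)
    return {
        "selected": wanted,
        "advertised": sorted(advertised),
        "supported": wanted in advertised,
        "alternatives": sorted(b for b in advertised if b != wanted),
    }


if __name__ == "__main__":
    print(diagnose(IDP_METADATA, PAC4J_LOG_LINE))
```

Running it on the constructed input reports that HTTP-POST was selected but only HTTP-Redirect is advertised, which is exactly the mismatch behind the exception above.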

Migue Jaramago

Apr 28, 2022, 4:48:58 AM4/28/22
to CAS Community, Migue Jaramago
How can I force Cas to use HTTP-Redirect binding for logout requests from SAML-IDP?