Hi all
I have an issue with the Single Log Out feature.
The scenario is the following: the user logs in to CAS using an assertion from
an external IdP. Then the user calls the logout endpoint of CAS to request
the destruction of all of his application sessions. I have configured my
services to receive the logout requests from CAS using the back channel,
and this works correctly. However, CAS is not propagating the logout back
to the SAML IdP.
Debugging the code, I have found what causes the issue.
In the *finishLogout* step of the logout webflow, the class
DelegatedAuthenticationSAML2ClientLogoutAction searches for the name of the
client by looking at the attribute *"pac4jUserProfiles"* in either the request
or the session. However, as soon as the logout flow starts, the action
*terminateSession* removes that attribute from both the request and the
session.
These are the relevant pieces of code.
In step terminateSession:
package org.apereo.cas.web.flow.logout;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.apereo.cas.util.Pac4jUtils;
import org.pac4j.core.profile.ProfileManager;
import org.springframework.webflow.action.AbstractAction;
import org.springframework.webflow.execution.Event;
import org.springframework.webflow.execution.RequestContext;

public class TerminateSessionAction extends AbstractAction {

    public Event terminate(final RequestContext context) {
        ...
        destroyApplicationSession(request, response);
        ...
    }

    protected void destroyApplicationSession(final HttpServletRequest request,
                                             final HttpServletResponse response) {
        ...
        final ProfileManager manager = Pac4jUtils.getPac4jProfileManager(request, response);
        // This kills all delegated authn profiles via pac4j, i.e. it removes the
        // "pac4jUserProfiles" attribute from both the request and the session.
        manager.logout();
        ...
    }
}
Later, in step finishLogout:
package org.apereo.cas.web.flow;

import java.util.Optional;

import org.apereo.cas.util.Pac4jUtils;
import org.pac4j.core.context.WebContext;
import org.pac4j.core.profile.CommonProfile;
import org.pac4j.core.profile.ProfileManager;
import org.springframework.webflow.action.AbstractAction;
import org.springframework.webflow.execution.Event;
import org.springframework.webflow.execution.RequestContext;

public class DelegatedAuthenticationSAML2ClientLogoutAction extends AbstractAction {

    @Override
    protected Event doExecute(final RequestContext requestContext) {
        ...
        // "context" is the pac4j WebContext built from the current request (elided above)
        final String currentClientName = findCurrentClientName(context);
        ...
    }

    private String findCurrentClientName(final WebContext webContext) {
        final ProfileManager<? extends CommonProfile> pm = Pac4jUtils.getPac4jProfileManager(webContext);
        // This searches for the authn profiles in the request or the session,
        // but by the time finishLogout runs, terminateSession has already removed them.
        final Optional<? extends CommonProfile> profile = pm.get(true);
        return profile.map(CommonProfile::getClientName).orElse(null);
    }
}
I could help in refining the analysis, but honestly the fix is beyond my
knowledge of CAS. Should I open a pull request?
--
You received this message because you are subscribed to the Google Groups "CAS
Developer" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
Visit this group at https://groups.google.com/a/apereo.org/group/cas-dev/.
To view this discussion on the web visit
https://groups.google.com/a/apereo.org/d/msgid/cas-dev/cb98d513-0791-4c4f-8e33-cb456e37a0da%40apereo.org.
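The ordering problem described in the post, as an added example that is neither part of the original message nor of the CAS code base: a stand-alone reproduction using plain pac4j (pac4j-core 2.x/3.x assumed on the classpath, with MockWebContext standing in for the servlet request and session that CAS wraps), followed by one hypothetical work-around, reading the client name while the profiles still exist and carrying it forward. That work-around is an assumption for illustration, not the project's fix; the class name, profile id and client name "SAML2Client" are constructed.

```java
import org.pac4j.core.context.MockWebContext;
import org.pac4j.core.context.WebContext;
import org.pac4j.core.profile.CommonProfile;
import org.pac4j.core.profile.ProfileManager;

/**
 * Added example, not CAS code: reproduces the terminateSession/finishLogout
 * ordering problem with plain pac4j and shows one way to keep the delegated
 * client name alive across the logout flow.
 * Assumes pac4j-core (2.x/3.x); MockWebContext replaces the J2EContext that
 * CAS builds from the real HttpServletRequest/HttpServletResponse.
 */
public class DelegatedLogoutOrderingDemo {

    // Constructed values for the demo; any delegated client name would do.
    private static final String CLIENT_NAME = "SAML2Client";

    /** A session in which the user authenticated through a delegated pac4j client. */
    static WebContext loggedInContext() {
        final MockWebContext ctx = MockWebContext.create();
        final CommonProfile profile = new CommonProfile();
        profile.setId("jdoe");
        profile.setClientName(CLIENT_NAME);
        // save(saveInSession = true, ...) writes the "pac4jUserProfiles" attribute
        new ProfileManager<CommonProfile>(ctx).save(true, profile, false);
        return ctx;
    }

    /** Same effect as TerminateSessionAction#destroyApplicationSession. */
    static void terminateSession(final WebContext ctx) {
        // Removes every pac4j profile from request and session
        new ProfileManager<CommonProfile>(ctx).logout();
    }

    /** Same lookup as DelegatedAuthenticationSAML2ClientLogoutAction#findCurrentClientName. */
    static String findCurrentClientName(final WebContext ctx) {
        final ProfileManager<CommonProfile> pm = new ProfileManager<>(ctx);
        // get(readFromSession = true) looks in the request first, then the session
        return pm.get(true).map(CommonProfile::getClientName).orElse(null);
    }

    /** Current webflow order: terminateSession runs first, then finishLogout looks up the name. */
    static String currentOrder() {
        final WebContext ctx = loggedInContext();
        terminateSession(ctx);
        // The profiles were wiped a step earlier, so the Optional is empty here
        return findCurrentClientName(ctx);
    }

    /**
     * Hypothetical work-around (an assumption, not the project's fix): resolve the
     * client name while the profiles still exist and carry it forward. In CAS the
     * value would be stashed in the webflow scope; a local variable stands in for it.
     */
    static String captureBeforeTerminate() {
        final WebContext ctx = loggedInContext();
        final String clientName = findCurrentClientName(ctx); // read while still present
        terminateSession(ctx);                                 // then destroy the profiles
        return clientName;
    }

    public static void main(final String[] args) {
        System.out.println("current order       -> " + currentOrder());
        System.out.println("capture, then kill  -> " + captureBeforeTerminate());
    }
}
```

Running the demo shows the two orders side by side: with the current order the SAML2 logout action has no client name to work with, so no LogoutRequest can be built for the IdP; capturing the name before the pac4j profiles are destroyed keeps it available for the later step.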