Hello everyone,
we have a problem with using CAS 5.3.12.1 as a SAML client for delegated
authentication.
The login process seems to work fine, but a SAML-IdP-initiated logout causes
the following exception inside CAS:
2019-10-24 14:10:04,330 INFO [org.apereo.cas.web.flow.DelegatedClientAuthenticationAction] - <Performing a 200 HTTP action>
org.pac4j.core.exception.HttpAction: Performing a 200 HTTP action
    at org.pac4j.core.exception.HttpAction.ok(HttpAction.java:59) ~[pac4j-core-3.6.1.jar:?]
    at org.pac4j.saml.credentials.extractor.SAML2CredentialsExtractor.extract(SAML2CredentialsExtractor.java:66) ~[pac4j-saml-3.6.1.jar:?]
    at org.pac4j.saml.credentials.extractor.SAML2CredentialsExtractor.extract(SAML2CredentialsExtractor.java:26) ~[pac4j-saml-3.6.1.jar:?]
    at org.pac4j.core.client.BaseClient.retrieveCredentials(BaseClient.java:65) ~[pac4j-core-3.6.1.jar:?]
    at org.pac4j.core.client.IndirectClient.getCredentials(IndirectClient.java:140) ~[pac4j-core-3.6.1.jar:?]
    at org.apereo.cas.web.flow.DelegatedClientAuthenticationAction.doExecute(DelegatedClientAuthenticationAction.java:228) ~[cas-server-support-pac4j-webflow-5.3.12.1.jar:5.3.12.1]
    at org.springframework.webflow.action.AbstractAction.execute(AbstractAction.java:188) ~[spring-webflow-2.5.0.RELEASE.jar:2.5.0.RELEASE]
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:1.8.0_171]
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[?:1.8.0_171]
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:1.8.0_171]
    at java.lang.reflect.Method.invoke(Method.java:498) ~[?:1.8.0_171]
    at org.springframework.util.ReflectionUtils.invokeMethod(ReflectionUtils.java:215) ~[spring-core-4.3.25.RELEASE.jar:4.3.25.RELEASE]
    at org.springframework.cloud.context.scope.GenericScope$LockedScopedProxyFactoryBean.invoke(GenericScope.java:470) ~[spring-cloud-context-1.3.0.RELEASE.jar:1.3.0.RELEASE]
    at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:179) ~[spring-aop-4.3.25.RELEASE.jar:4.3.25.RELEASE]
    at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:213) ~[spring-aop-4.3.25.RELEASE.jar:4.3.25.RELEASE]
    at com.sun.proxy.$Proxy136.execute(Unknown Source) ~[?:?]
    at org.springframework.webflow.execution.ActionExecutor.execute(ActionExecutor.java:51) ~[spring-webflow-2.5.0.RELEASE.jar:2.5.0.RELEASE]
    at org.springframework.webflow.action.EvaluateAction.doExecute(EvaluateAction.java:77) ~[spring-webflow-2.5.0.RELEASE.jar:2.5.0.RELEASE]
    at org.springframework.webflow.action.AbstractAction.execute(AbstractAction.java:188) ~[spring-webflow-2.5.0.RELEASE.jar:2.5.0.RELEASE]
    at org.springframework.webflow.execution.ActionExecutor.execute(ActionExecutor.java:51) ~[spring-webflow-2.5.0.RELEASE.jar:2.5.0.RELEASE]
    at org.springframework.webflow.engine.ActionState.doEnter(ActionState.java:101) ~[spring-webflow-2.5.0.RELEASE.jar:2.5.0.RELEASE]
    at org.springframework.webflow.engine.State.enter(State.java:194) ~[spring-webflow-2.5.0.RELEASE.jar:2.5.0.RELEASE]
    at org.springframework.webflow.engine.Flow.start(Flow.java:527) ~[spring-webflow-2.5.0.RELEASE.jar:2.5.0.RELEASE]
    at org.springframework.webflow.engine.impl.FlowExecutionImpl.start(FlowExecutionImpl.java:368) ~[spring-webflow-2.5.0.RELEASE.jar:2.5.0.RELEASE]
    at org.springframework.webflow.engine.impl.FlowExecutionImpl.start(FlowExecutionImpl.java:223) ~[spring-webflow-2.5.0.RELEASE.jar:2.5.0.RELEASE]
The request which causes this exception is a SAML POST-binding request to
/cas/login?client_name=foo&logoutendpoint=true, which contains the
samlp:LogoutRequest in its SAMLRequest form parameter.
We've already figured out that the
org.pac4j.saml.credentials.extractor.SAML2CredentialsExtractor actually
generates a samlp:LogoutResponse which is written to the http response,
but it's not sent back to the browser because of the aforementioned exception.
We've also tried to define our own DelegatedClientAuthenticationAction in order
to override the handleException() method.
When we catch, and silently ignore, the aforementioned exception there, the
samlp:LogoutResponse is sent back to the browser, but no logout is performed
inside CAS; in particular, no services are informed about the logout (as described in
https://apereo.github.io/cas/5.3.x/installation/Logout-Single-Signout.html).
Our setup is as follows:
1. A Client application which delegates its authentication to CAS using the
cas3 protocol
2. The CAS instance which acts as proxy and delegates the authentication to an
external IDP via SAML Post-Binding
3. An external SAML IDP.
Regarding the Single Logout, we'd expect the following flow:
1. The IDP sends a samlp:LogoutRequest to the CAS via SAML Post-Binding.
2. The CAS destroys the TGT and informs all CAS services via front-channel or
back-channel communication about the logout.
3. The CAS sends a samlp:LogoutResponse back to the IDP via SAML Post-Binding.
Has anyone tried such a setup before or has an idea on how to get it working?
With kind regards
Lars Grefer
Fachinformatiker (Anwendungsentwicklung)
Business Line Public Sector
Phone: +49 231 5599-8294
[email protected]
www.materna.de | Newsletter <http://www.materna.de/newsletter> | Twitter <https://twitter.com/Materna_SE> | XING <https://www.xing.com/companies/maternainformation%26communicationsse> | Facebook <https://www.facebook.com/Materna.SE>
_________________________________________________________
Materna Information & Communications SE | Voßkuhle 37 | D-44141 Dortmund |
Germany
Vorstand: Michael Knopp
Aufsichtsratsvorsitzender: Dr. Winfried Materna
Amtsgericht Dortmund HRB 30301
--
You received this message because you are subscribed to the Google Groups "CAS
Developer" group.
To view this discussion on the web visit
https://groups.google.com/a/apereo.org/d/msgid/cas-dev/a2415572665a49929becde121da90fcb%40materna.de.
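The three-step Single Logout flow the post expects (IdP sends a samlp:LogoutRequest over the POST binding, CAS destroys the TGT and notifies its services, CAS answers with a samlp:LogoutResponse) is modelled below as an added, self-contained Python example. It is not CAS or pac4j code and does not show how to wire this into DelegatedClientAuthenticationAction; it only makes the exchange concrete. All entity IDs, endpoint URLs, NameIDs and service URLs are constructed assumptions, the SessionStore is a stand-in for the CAS ticket registry, and XML signature verification (which a real SAML library must do before any session is touched) is assumed to have already happened and is not implemented here.

```python
import base64
import datetime as dt
import uuid
import xml.etree.ElementTree as ET  # production code should parse untrusted XML with defusedxml

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
STATUS_REQUESTER = "urn:oasis:names:tc:SAML:2.0:status:Requester"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)

# Constructed entity IDs and endpoints (assumptions for this example, not from the post).
CAS_LOGOUT_URL = "https://cas.example.org/cas/login?client_name=foo&logoutendpoint=true"
CAS_SP_ENTITY_ID = "https://cas.example.org/cas/sp"
IDP_ENTITY_ID = "https://idp.example.org/idp"
IDP_SLO_URL = "https://idp.example.org/idp/slo"


def _now():
    return dt.datetime.now(dt.timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


class SessionStore:
    """Stand-in for the CAS ticket registry: TGT id -> subject NameID and the services it granted STs to."""

    def __init__(self):
        self.tgts = {}

    def create(self, name_id, services):
        tgt_id = "TGT-" + uuid.uuid4().hex
        self.tgts[tgt_id] = {"name_id": name_id, "services": list(services)}
        return tgt_id

    def destroy_by_name_id(self, name_id):
        """Destroy every TGT bound to name_id; return the services that must be told about the logout."""
        notify = []
        for tgt_id in [t for t, s in self.tgts.items() if s["name_id"] == name_id]:
            notify.extend(self.tgts.pop(tgt_id)["services"])
        return notify


def build_logout_request(name_id, session_index, issuer=IDP_ENTITY_ID):
    """Constructed IdP-side LogoutRequest, base64-encoded as it would arrive in the SAMLRequest form field."""
    req = ET.Element(f"{{{SAMLP}}}LogoutRequest", {
        "ID": "_" + uuid.uuid4().hex, "Version": "2.0",
        "IssueInstant": _now(), "Destination": CAS_LOGOUT_URL})
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = issuer
    ET.SubElement(req, f"{{{SAML}}}NameID").text = name_id
    ET.SubElement(req, f"{{{SAMLP}}}SessionIndex").text = session_index
    return base64.b64encode(ET.tostring(req)).decode()


def parse_logout_request(saml_request_b64):
    """Decode the POST-binding SAMLRequest and pull out the fields SLO handling needs."""
    root = ET.fromstring(base64.b64decode(saml_request_b64))
    if root.tag != f"{{{SAMLP}}}LogoutRequest":
        raise ValueError("SAMLRequest is not a samlp:LogoutRequest")
    return {
        "id": root.get("ID"),
        "destination": root.get("Destination"),
        "issuer": root.findtext(f"{{{SAML}}}Issuer"),
        "name_id": root.findtext(f"{{{SAML}}}NameID"),
        "session_index": root.findtext(f"{{{SAMLP}}}SessionIndex"),
    }


def build_logout_response(in_response_to, status_code):
    """LogoutResponse for the IdP, correlated to the request via InResponseTo, base64-encoded for the POST binding."""
    resp = ET.Element(f"{{{SAMLP}}}LogoutResponse", {
        "ID": "_" + uuid.uuid4().hex, "Version": "2.0", "IssueInstant": _now(),
        "Destination": IDP_SLO_URL, "InResponseTo": in_response_to})
    ET.SubElement(resp, f"{{{SAML}}}Issuer").text = CAS_SP_ENTITY_ID
    status = ET.SubElement(resp, f"{{{SAMLP}}}Status")
    ET.SubElement(status, f"{{{SAMLP}}}StatusCode", {"Value": status_code})
    return base64.b64encode(ET.tostring(resp)).decode()


def parse_logout_response(saml_response_b64):
    """Helper for checking what the IdP would receive."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    code = root.find(f"{{{SAMLP}}}Status/{{{SAMLP}}}StatusCode")
    return {"in_response_to": root.get("InResponseTo"), "status": code.get("Value")}


def handle_idp_logout(saml_request_b64, store):
    """Steps 1-3 of the expected flow: validate the request, terminate the SSO session, answer the IdP."""
    req = parse_logout_request(saml_request_b64)
    # Step 1: only act on requests from the configured IdP that were addressed to this endpoint.
    # (Signature verification is assumed to have been done by the SAML library beforehand.)
    if req["issuer"] != IDP_ENTITY_ID or req["destination"] != CAS_LOGOUT_URL:
        return {"status": STATUS_REQUESTER, "notified_services": [], "post_to": IDP_SLO_URL,
                "saml_response": build_logout_response(req["id"], STATUS_REQUESTER)}
    # Step 2: destroy the TGT(s) for the subject and collect the services for front-/back-channel notification.
    services = store.destroy_by_name_id(req["name_id"])
    # Step 3: send a LogoutResponse back to the IdP via the POST binding.
    return {"status": STATUS_SUCCESS, "notified_services": services, "post_to": IDP_SLO_URL,
            "saml_response": build_logout_response(req["id"], STATUS_SUCCESS)}
```

The point of the ordering is that the session teardown and service notification (step 2) happen before the response is rendered, which is exactly what the HttpAction short-circuit in the post prevents: pac4j writes the LogoutResponse and throws, so nothing on the CAS side gets a chance to run the logout. A rejected request (wrong issuer or destination) still gets a LogoutResponse, but with a Requester status and without touching any session.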