While looking at the logs for mod_auth_cas, I couldn’t find what was causing
the logout problems for me. So, I followed Neil’s approach and created a
custom logout file and I put the file on our CAS server. The JSP file removes
the mod_auth_cas cookie and redirects the user back to the regular CAS logout
URL. Setting the PaperCut logout URL to this custom file seems to be doing the
trick.
This is what the JSP file looks like:
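<%
    // Expire the mod_auth_cas cookies, then hand off to the regular CAS logout.
    Cookie[] cookies = request.getCookies();
    // getCookies() returns null when the request carries no cookies at all.
    if (cookies != null) {
        for (int i = 0; i < cookies.length; i++) {
            String name = cookies[i].getName();
            if (name.equals("MOD_AUTH_CAS_S") || name.equals("MOD_AUTH_CAS")) {
                cookies[i].setMaxAge(0);  // Max-Age=0 asks the browser to delete the cookie
                cookies[i].setPath("/");
                response.addCookie(cookies[i]);
            }
        }
    }
    response.sendRedirect("my_cas_server_logout_url");
%>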
––––––––––––––––––––
David Abney
ITS Web Developer/Programmer
600 West Walnut Street
Danville, Kentucky 40422
859.238.5761
www.centre.edu
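An added example (not part of the original messages, and not CAS or mod_auth_cas code): with "logoutType" : "BACK_CHANNEL", as in the service definition quoted further down, CAS sends the service an HTTP POST whose logoutRequest form field carries a SAML LogoutRequest naming the service ticket in SessionIndex, and that POST has to arrive at Apache through the proxy. The Python below extracts the ticket from such a request body, for checking a captured request; the function name, the size cap and the sample ticket are assumptions constructed for illustration.

```python
from urllib.parse import parse_qs, urlencode
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
MAX_BODY = 8192  # assumed cap; a logout message is only a few hundred bytes


def session_index_from_slo(body: bytes, content_type: str):
    """Return the service ticket named in a CAS back-channel logout POST, or None."""
    if not content_type.lower().startswith("application/x-www-form-urlencoded"):
        return None
    if len(body) > MAX_BODY:
        return None
    fields = parse_qs(body.decode("utf-8", errors="replace"))
    xml_text = fields.get("logoutRequest", [None])[0]
    if not xml_text or "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        return None  # no logout message, or DTD/entity declarations we refuse to parse
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return None
    if root.tag != f"{{{SAMLP}}}LogoutRequest":
        return None
    node = root.find(f"{{{SAMLP}}}SessionIndex")
    ticket = (node.text or "").strip() if node is not None else ""
    return ticket or None


# Constructed sample: the shape of the message CAS posts, with a made-up ticket.
SAMPLE_XML = (
    '<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'ID="LR-1-constructed" Version="2.0" IssueInstant="2016-08-18T18:53:00Z">'
    '<saml:NameID xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
    '@NOT_USED@</saml:NameID>'
    '<samlp:SessionIndex>ST-1-constructedExampleTicket-cas</samlp:SessionIndex>'
    '</samlp:LogoutRequest>'
)
SAMPLE_BODY = urlencode({"logoutRequest": SAMPLE_XML}).encode()

if __name__ == "__main__":
    print(session_index_from_slo(SAMPLE_BODY, "application/x-www-form-urlencoded"))
```

If no POST carrying a logoutRequest field shows up at Apache when the user logs out of CAS, the message is being lost between CAS and the proxy or between the proxy and Apache.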
From: [email protected] [mailto:[email protected]] On Behalf Of David Abney
Sent: Thursday, August 18, 2016 2:53 PM
To: Travis Schmidt <[email protected]>; [email protected]
Subject: RE: [cas-user] Mod_auth_cas Logout Question
Travis,
I will look at the debugging logs and see if I can find out more about the
logout problem.
Thanks,
From: Travis Schmidt [mailto:[email protected]]
Sent: Thursday, August 18, 2016 2:48 PM
To: David Abney <[email protected]>; [email protected]
Subject: Re: [cas-user] Mod_auth_cas Logout Question
I think what is happening is that CAS uses the proxy host to create the logout
URL. You can put logs in debug mode and then see the actual URL that it is
trying to call to log out. CAS also needs the cert for the host it will call in
its truststore to be able to make the call for logout. My guess is that either
the proxy is not set up to forward the logout endpoint to the Apache server, or
CAS cannot establish trust with the proxy.
On Thu, Aug 18, 2016 at 9:17 AM David Abney <[email protected]> wrote:
Travis,
Below are the settings I used to try to get the mod_auth_cas logout to work,
but I was still unsuccessful. I guess it may have something to do with the
fact that I am using a proxy server.
Since I am using Ubuntu, my mod_auth_cas settings are in
/etc/apache2/mods-enabled/auth_cas.conf and they look like this:
    CASCookiePath /var/cache/apache2/mod_auth_cas/
    CASLoginURL [my cas server login url]
    CASValidateURL [my cas server validate url]
    CASDebug On
    CASVersion 2
    #Only if using SAML
    #CASValidateSAML Off
    #CASAttributeDelimiter ;
    CASSSOEnabled On
    CASCertificatePath /etc/ssl/certs
    <Location />
        AuthType CAS
        CASAuthNHeader [my HTTP Header value]
        require valid-user
        CASScope /
    </Location>
For my proxy server I have the logout type set to BACK_CHANNEL and my
registered service looks like this:
    {
      "@class" : "org.jasig.cas.services.RegexRegisteredService",
      "serviceId" : "[my proxy server url]",
      "name" : "CAS-PROXY",
      "id" : 8,
      "description" : "Allows connections from CAS Proxy",
      "proxyPolicy" : {
        "@class" : "org.jasig.cas.services.RefuseRegisteredServiceProxyPolicy"
      },
      "evaluationOrder" : 8,
      "usernameAttributeProvider" : {
        "@class" : "org.jasig.cas.services.DefaultRegisteredServiceUsernameProvider"
      },
      "logoutType" : "BACK_CHANNEL",
      "attributeReleasePolicy" : {
        "@class" : "org.jasig.cas.services.ReturnAllowedAttributeReleasePolicy",
        "principalAttributesRepository" : {
          "@class" : "org.jasig.cas.authentication.principal.DefaultPrincipalAttributesRepository"
        },
        "authorizedToReleaseCredentialPassword" : false,
        "authorizedToReleaseProxyGrantingTicket" : false
      },
      "accessStrategy" : {
        "@class" : "org.jasig.cas.services.DefaultRegisteredServiceAccessStrategy",
        "enabled" : true,
        "ssoEnabled" : true
      }
    }
Thanks,
From: Travis Schmidt [mailto:[email protected]]
Sent: Thursday, August 18, 2016 11:18 AM
To: David Abney <[email protected]>; [email protected]
Subject: Re: [cas-user] Mod_auth_cas Logout Question
Make sure "CASSSOEnabled On" is set in httpd.conf. If you are using a Service
Registry in CAS, make sure the Logout Channel is enabled and set to
BACK_CHANNEL. This is working for me, but I don't have a proxy in the middle
either.
On Thu, Aug 18, 2016 at 7:20 AM David Abney <[email protected]> wrote:
I am using mod_auth_cas v1.1 with a proxy server to log in to our PaperCut
system using CAS v4.2. We can set a logout URL in PaperCut, which is set to
the CAS server logout URL. So, when I log out of PaperCut, it appears I am
logged out of PaperCut and CAS, but if I go back to the proxy server then
mod_auth_cas still logs me back into PaperCut without redirecting me to CAS to
log in again.
Is there a way to log out of my session with mod_auth_cas or clear my
mod_auth_cas cookie?
Thanks,
--
You received this message because you are subscribed to the Google Groups "CAS
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
To post to this group, send email to [email protected].
Visit this group at https://groups.google.com/a/apereo.org/group/cas-user/.
To view this discussion on the web visit
https://groups.google.com/a/apereo.org/d/msgid/cas-user/2d6df68f9efe48e2891c540e083a406b%40Exchange-MB2.centre.edu.
For more options, visit https://groups.google.com/a/apereo.org/d/optout.