Hi
My team is working with CAS (5.2.3) and delegated SAML authentication via
pac4j libraries. What we have so far:
1. 3 separate services, each configured through Spring to
authenticate with CAS.
2. CAS is configured to delegate authentication to SAML IDP via
*cas.properties* config
3. We extended the ClientAuthenticationHandler with small changes and
registered it through a @Configuration class.
With this basic setup, we are able to get the SSO to work correctly across
the services, against an Okta sample IDP, with a flow similar to this:
*SP -> CAS -> Delegate Authentication -> Redirect to IDP -> Input
credentials -> IDP returns SAML response -> CasAuthenticationFilter
finishes the authentication and ST issuing -> System redirects the original
‘service’ url.*
However, we are trying to get *single logout (SLO)* to work with the
existing framework, and have had no luck.
It appears the system only logs out the local service, but not the other
services.
*What we have at the moment:*
For each service module, we have the following configured:
1. LogoutFilter via spring bean
2. SingleSignOutFilter via web.xml or spring bean
3. SingleSignOutHttpSessionListener in web.xml
Also, we have a ServiceRegistry JSON with logoutType: BACK_CHANNEL.
*Spring config:*
<http use-expressions="true" entry-point-ref="casAuthenticationEntryPoint">
    <intercept-url pattern="/resources/**" access="permitAll" />
    <intercept-url pattern="/manifest" access="permitAll" method="GET" />
    <intercept-url pattern="/**" access="isAuthenticated()" />
    <!-- enable csrf protection -->
    <csrf disabled="true" />
    <custom-filter ref="requestSingleLogoutFilter" before="LOGOUT_FILTER" />
    <custom-filter ref="singleLogoutFilter" before="CAS_FILTER" />
    <custom-filter ref="casAuthenticationFilter" after="CAS_FILTER" />
</http>

<!-- ignoreInitConfiguration: not sure if we need this -->
<bean id="singleLogoutFilter" class="org.jasig.cas.client.session.SingleSignOutFilter"
      p:ignoreInitConfiguration="true"
      p:casServerUrlPrefix="${cas.server.app}/" />

<bean id="requestSingleLogoutFilter"
      class="org.springframework.security.web.authentication.logout.LogoutFilter"
      p:filterProcessesUrl="/logout/cas/">
    <constructor-arg value="${cas.server.app}/logout?service=${calendar.client.app}/" />
    <constructor-arg>
        <bean class="org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler" />
    </constructor-arg>
</bean>
In web.xml of each module, we have:
<listener>
    <listener-class>org.jasig.cas.client.session.SingleSignOutHttpSessionListener</listener-class>
</listener>

<filter>
    <filter-name>CAS Single Sign Out Filter</filter-name>
    <filter-class>org.jasig.cas.client.session.SingleSignOutFilter</filter-class>
</filter>
<filter-mapping>
    <filter-name>CAS Single Sign Out Filter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
*service registry:*
{
    "@class": "org.apereo.cas.services.RegexRegisteredService",
    "serviceId": "^(http|https|imaps)://.*",
    "name": "HTTPS and IMAPS",
    "id": 10000001,
    "description": "This service definition authorizes all application urls that support HTTPS and IMAPS protocols.",
    "evaluationOrder": 1,
    "logoutType": "BACK_CHANNEL",
    ….
*Problem:*
When we issue a logout via https://localhost:8443/platformadmin/logout/cas/,
we see the *LogoutFilter* is triggered and in *doFilter()* the session is
invalidated.
*SingleSignOutHttpSessionListener#sessionDestroyed()* is immediately
triggered after.
Then *SingleLogoutFilter* is triggered, in which the
*SingleSignOutHandler#process(..)* method triggers the BACK_CHANNEL logout.
In the console log, however, I only see that the ST of the current service
(platformadmin) is destroyed.
If we access any modules *other than* *platformadmin*, we are directed to
the app automatically.
It seems we are only logged out of the current service module (local
logout), but not logged out of the other service modules.
What configuration are we missing? I see posts in this group where people
have SLO working.
We'd much appreciate it if someone could provide a summary of their
configuration.
Please let us know if you have any advice.
Thanks!
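To make the back-channel exchange behind the configuration above concrete, here is an added illustration (constructed for this thread; it is not CAS server code, not the Java CAS client, and not the poster's setup). CAS POSTs one SAML LogoutRequest per service ticket it issued, and a service can only invalidate a session whose ticket its filter recorded at login; `ServiceSloHandler`, `build_logout_request`, `cas_single_logout` and the service names are hypothetical.

```python
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"


def build_logout_request(ticket):
    """Shape of the 'logoutRequest' form field CAS POSTs to a service on SLO."""
    now = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return (
        f'<samlp:LogoutRequest xmlns:samlp="{SAMLP}" ID="LR-{uuid.uuid4().hex}" '
        f'Version="2.0" IssueInstant="{now}">'
        f'<saml:NameID xmlns:saml="{SAML}">@NOT_USED@</saml:NameID>'
        f"<samlp:SessionIndex>{ticket}</samlp:SessionIndex>"
        "</samlp:LogoutRequest>"
    )


class ServiceSloHandler:
    """Hypothetical per-service model of what the SingleSignOutFilter and the
    SingleSignOutHttpSessionListener keep between login and back-channel logout."""

    def __init__(self, name):
        self.name = name
        self.ticket_to_session = {}  # filled only when a request carries ?ticket=ST-...
        self.live_sessions = set()

    def on_ticket_request(self, ticket, session_id):
        # Login callback: the filter must see the ST to learn which session it belongs to.
        self.ticket_to_session[ticket] = session_id
        self.live_sessions.add(session_id)

    def on_logout_request(self, logout_request_xml):
        """Back-channel POST handler: return the invalidated session id, or None."""
        root = ET.fromstring(logout_request_xml)
        idx = root.find(f"{{{SAMLP}}}SessionIndex")
        ticket = idx.text.strip() if idx is not None and idx.text else None
        session_id = self.ticket_to_session.pop(ticket, None)
        if session_id is None:
            return None  # ST never recorded here: nothing local to invalidate
        self.live_sessions.discard(session_id)  # the listener's sessionDestroyed path
        return session_id


def cas_single_logout(issued_tickets, services):
    """CAS side: one LogoutRequest per ST the SSO session issued, sent to its service.
    issued_tickets maps ST -> service name; returns service name -> invalidated session."""
    return {svc: services[svc].on_logout_request(build_logout_request(st))
            for st, svc in issued_tickets.items()}
```

A service whose filter never saw the `ticket` parameter at login returns None for its logout request, which is the local state worth checking on each module before looking at the CAS side.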
---
You received this message because you are subscribed to the Google Groups "CAS
Community" group.
To view this discussion on the web visit
https://groups.google.com/a/apereo.org/d/msgid/cas-user/43525944-da4f-4891-ae95-3f81eb7f07c0%40apereo.org.