Try (Cas-server)/cas/logout
https://apereo.github.io/cas/5.2.x/installation/Logout-Single-Signout.html

On Sunday, April 1, 2018, paul li <[email protected]> wrote:

> Hi
>
> My team is working with CAS (5.2.3) and delegated SAML authentication via
> pac4j libraries. What we have so far:
>
> 1. 3 separate services, each is configured through spring to
>    authenticate with CAS.
> 2. CAS is configured to delegate authentication to SAML IDP via
>    *cas.properties* config
> 3. We extended the ClientAuthenticationHandler with small changes
>    and registered it through a @Configuration class.
>
> With this basic setup, we are able to get the SSO to work correctly across
> the services, against okta sample IDP, with a flow similar to this:
>
> *SP -> CAS -> Delegate Authentication -> Redirect to IDP -> Input
> credentials -> IDP returns SAML response -> CasAuthenticationFilter
> finishes the authentication and ST issuing -> System redirects the original
> 'service' url.*
>
> However, we are trying to get *single logout (SLO)* to work with the
> existing framework, but we have had no luck.
> It appears the system is only logging out the local service, but not other
> services.
>
> *What we have at the moment:*
>
> For each of the service modules, we have the following configured:
>
> 1. LogoutFilter via spring bean
> 2. SingleSignOutFilter via web.xml or spring bean
> 3. SingleSignOutHttpSessionListener in web.xml
>
> Also we have ServiceRegistry json with logoutType: BACK_CHANNEL
>
> spring config
>
>     <http use-expressions="true" entry-point-ref="casAuthenticationEntryPoint">
>         <intercept-url pattern="/resources/**" access="permitAll" />
>         <intercept-url pattern="/manifest" access="permitAll" method="GET" />
>         <intercept-url pattern="/**" access="isAuthenticated()" />
>         <!-- enable csrf protection -->
>         <csrf disabled="true" />
>         <custom-filter ref="requestSingleLogoutFilter" before="LOGOUT_FILTER" />
>         <custom-filter ref="singleLogoutFilter" before="CAS_FILTER" />
>         <custom-filter ref="casAuthenticationFilter" after="CAS_FILTER" />
>     </http>
>
>     <bean id="singleLogoutFilter"
>           class="org.jasig.cas.client.session.SingleSignOutFilter"
>           p:ignoreInitConfiguration="true"    <----- not sure if we need this
>           p:casServerUrlPrefix="${cas.server.app}/" />
>
>     <bean id="requestSingleLogoutFilter"
>           class="org.springframework.security.web.authentication.logout.LogoutFilter"
>           p:filterProcessesUrl="/logout/cas/">
>         <constructor-arg value="${cas.server.app}/logout?service=${calendar.client.app}/" />
>         <constructor-arg>
>             <bean class="org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler"></bean>
>         </constructor-arg>
>     </bean>
>
> In web.xml of each module, we have:
>
>     <listener>
>         <listener-class>org.jasig.cas.client.session.SingleSignOutHttpSessionListener</listener-class>
>     </listener>
>     <filter>
>         <filter-name>CAS Single Sign Out Filter</filter-name>
>         <filter-class>org.jasig.cas.client.session.SingleSignOutFilter</filter-class>
>     </filter>
>     <filter-mapping>
>         <filter-name>CAS Single Sign Out Filter</filter-name>
>         <url-pattern>/*</url-pattern>
>     </filter-mapping>
>
> *service registry:*
>
>     {
>       "@class": "org.apereo.cas.services.RegexRegisteredService",
>       "serviceId": "^(http|https|imaps)://.*",
>       "name": "HTTPS and IMAPS",
>       "id": 10000001,
>       "description": "This service definition authorizes all application urls that support HTTPS and IMAPS protocols.",
>       "evaluationOrder": 1,
>       "logoutType" : "BACK_CHANNEL",
>       ….
>
> *Problem:*
>
> When we issue a logout via: https://localhost:8443/platformadmin/logout/cas/ ,
> we see the *LogoutFilter* is triggered and in *doFilter()* the session is
> invalidated.
> *SingleSignOutHttpSessionListener#sessionDestroy()* is immediately
> triggered after.
>
> Then *SingleLogoutFilter* is triggered, in which the
> *SingleSignoutHandler#process(..)* method, BACK_CHANNEL logout is triggered.
> In the console log however, I only see the ST of the current service
> (platformadmin) is destroyed.
>
> If we access any modules *other than* *platformadmin*, we are directed to
> the app automatically.
> It seems we are only logged out of the current service modules (local
> logout), but didn't log out from the other service modules.
>
> What configuration are we missing? I see posts in this group where they
> have SLO working.
> We'd much appreciate it if someone could provide a summary of their
> configuration.
>
> Please let us know if you have any advice.
>
> Thanks!
>
> --
> - Website: https://apereo.github.io/cas
> - Gitter Chatroom: https://gitter.im/apereo/cas
> - List Guidelines: https://goo.gl/1VRrw7
> - Contributions: https://goo.gl/mh7qDG
> ---
> You received this message because you are subscribed to the Google Groups
> "CAS Community" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> To view this discussion on the web visit
> https://groups.google.com/a/apereo.org/d/msgid/cas-user/43525944-da4f-4891-ae95-3f81eb7f07c0%40apereo.org.
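An added illustration, not code from this thread or from the CAS client library: a Python model of the bookkeeping back-channel SLO depends on, where each application maps the service ticket it validated to its local session and ends that session only when it receives a LogoutRequest whose SessionIndex is that ticket. The class, function, session and ticket names are assumptions, and the sample XML is constructed in the shape of the CAS protocol's logout message.

```python
import xml.etree.ElementTree as ET
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"

def make_logout_request(ticket):
    """Constructed sample of the XML a CAS server POSTs as `logoutRequest`."""
    return (f'<samlp:LogoutRequest xmlns:samlp="{SAMLP}" ID="LR-constructed" '
            'Version="2.0" IssueInstant="2018-04-01T00:00:00Z">'
            '<saml:NameID xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
            f'@NOT_USED@</saml:NameID><samlp:SessionIndex>{ticket}'
            '</samlp:SessionIndex></samlp:LogoutRequest>')

class SessionStore:
    """Hypothetical per-application store: service ticket -> local session."""
    def __init__(self):
        self._by_ticket = {}
        self.active = set()
    def record_login(self, session_id, service_ticket):
        # Done when the application validates the ST it received.
        self.active.add(session_id)
        self._by_ticket[service_ticket] = session_id

    def local_logout(self, session_id):
        # Application-only logout: no other application is told.
        self.active.discard(session_id)

    def handle_back_channel(self, xml_text):
        """Return the session ended by this logout request, or None."""
        if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
            return None  # never expand DTDs or entities from the network
        try:
            root = ET.fromstring(xml_text)
        except ET.ParseError:
            return None
        if root.tag != f"{{{SAMLP}}}LogoutRequest":
            return None
        ticket = (root.findtext(f"{{{SAMLP}}}SessionIndex") or "").strip()
        session_id = self._by_ticket.pop(ticket, None)
        if session_id is not None:
            self.active.discard(session_id)
        return session_id

def demo():
    admin, calendar = SessionStore(), SessionStore()  # two constructed apps
    admin.record_login("admin-sess", "ST-1-constructed")
    calendar.record_login("cal-sess", "ST-2-constructed")
    admin.local_logout("admin-sess")
    still_live = sorted(admin.active | calendar.active)
    ended = calendar.handle_back_channel(make_logout_request("ST-2-constructed"))
    return still_live, ended, sorted(calendar.active)
```

In this model the second application's session stays live after the first application's local logout and ends only once its own ticket arrives in a logout request.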
