Update on the SLO issue we are having. The SLO is working correctly if we don't delegate to SAML authentication.
If user is signed in from an *external IDP via SAML authentication *(we are using okta apps at the moment), the the logout action (/logout, or logout/cas/) invalidate the sessions, but *does not logout the user from the IDP. (SLO flag on the IDP is enabled)* User just need to click a button on the CAS default login page (loginform.html) again, and automatically redirected into the app. We traced our code, and and on logout, we saw in * org.apereo.cas.support.pac4j.web.flow.SAML2ClientLogoutAction.java* following code is executed: @Override protected Event doExecute(final RequestContext requestContext) { try { final HttpServletRequest request = WebUtils. getHttpServletRequestFromExternalWebflowContext(requestContext); final HttpServletResponse response = WebUtils. getHttpServletResponseFromExternalWebflowContext(requestContext); final J2EContext context = Pac4jUtils.getPac4jJ2EContext(request , response); Client<?, ?> client; try { final String currentClientName = findCurrentClientName( context); //<-----------this is returning null, but we are overwriting this value in debug mode at the moment. likely something missed in the sso authentication flow. client = (currentClientName == null) ? null : clients. findClient(currentClientName); //<-----------client is retrieved correctly } catch(final TechnicalException e) { // this exception indicates that the SAML2Client is not in the list LOGGER.debug("No SAML2 client found"); client = null; } // Call logout on SAML2 clients only if (client instanceof SAML2Client) { final SAML2Client saml2Client = (SAML2Client) client; LOGGER.debug("Located SAML2 client [{}]", saml2Client); final RedirectAction action = saml2Client.getLogoutAction( context, null, null); //<-----------we see the correct slo url is generated here in the format https://<okta samlapp url>/slo/saml?SAMLRequest=.... LOGGER.debug("Preparing logout message to send is [{}]", action.getLocation()); action.perform(context); //<-----------this is executed without exception } else { LOGGER.debug("The current client is not a SAML2 client or it cannot be found at all, no logout action will be executed."); } } catch (final Exception e) { LOGGER.warn(e.getMessage(), e); } return null; } but after this code is finished, we accessed the okta IDP and user is still *signed in*...even though on the CAS side, user is directed to the CAS login page. We did come across couple of other posts in our investigations, seems to be suggesting that SLO for SAML is not fully implemented yet.. e.g. https://groups.google.com/forum/#!searchin/pac4j-users/saml$20slo$20not$20working%7Csort:date/pac4j-users/60-ndNhwsyI/N7au6ticBQAJ Could someone confirm if SLO with SAML is working with CAS 5.2.3 or is there something we are missing... Thank you very much in advance! Paul Li -- - Website: https://apereo.github.io/cas - Gitter Chatroom: https://gitter.im/apereo/cas - List Guidelines: https://goo.gl/1VRrw7 - Contributions: https://goo.gl/mh7qDG --- You received this message because you are subscribed to the Google Groups "CAS Community" group. To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+unsubscr...@apereo.org. To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/98d13813-cb56-4b35-842f-cddf736f42dd%40apereo.org.