Ray,

Let me explain my architecture to you. I have a CAS client (mod_auth_cas) which redirects to an NGINX load balancer. The nginx forwards to one of the active CAS servers. Do I need to install certificates on all CAS servers?
User requests go to mod_auth_cas via HTTPS, but I am doing SSL stripping for the internal communication from nginx to the CAS server, i.e. plain HTTP communication is happening from nginx to the CAS server. Can you please guide me on how I can achieve logout for my approach?

On Thu, May 17, 2018 at 9:49 PM, Ray Bon <[email protected]> wrote:
> Ramakrishna,
>
> Add this to the log config:
>
> <AsyncLogger name="org.apereo.cas.util.http" level="debug" />
>
> The above may produce a lot of messages.
> It looks to be a problem with CAS contacting your client. It could be a certificate issue.
> I guess you created a certificate since it is on a 192 ip. Did you add the certificate to the java key store? If CAS and your client are on different machines, then the certificate will need to be added to both.
>
> Ray
>
> On Thu, 2018-05-17 at 12:01 +0530, Ramakrishna G wrote:
>
> Hi Ray,
>
> As said by you, I enabled the logs and this is the output:
>
> 2018-05-17 11:50:46,479 INFO [org.apereo.cas.logout.DefaultLogoutManager] - <Performing logout operations for [TGT-2-*********************************************************eGcHG1JqHs-client]>
> 2018-05-17 11:50:46,501 DEBUG [org.apereo.cas.logout.DefaultSingleLogoutServiceMessageHandler] - <Processing logout request for service [org.apereo.cas.authentication.principal.SimpleWebApplicationServiceImpl@432f5faa[id=https://192.168.111.12:8443/,originalUrl=https://192.168.111.12:8443/,artifactId=<null>,principal=casuser,loggedOutAlready=false,format=XML]]...>
> 2018-05-17 11:50:46,503 DEBUG [org.apereo.cas.logout.DefaultSingleLogoutServiceMessageHandler] - <Service [org.apereo.cas.authentication.principal.SimpleWebApplicationServiceImpl@432f5faa[id=https://192.168.111.12:8443/,originalUrl=https://192.168.111.12:8443/,artifactId=<null>,principal=casuser,loggedOutAlready=false,format=XML]] supports single logout and is found in the registry as [id=10000001,name=HTTPS and IMAPS,description=This service definition authorizes all application urls that support HTTPS and IMAPS protocols.,serviceId=^(https|imaps)://.*,usernameAttributeProvider=org.apereo.cas.services.DefaultRegisteredServiceUsernameProvider@d,theme=<null>,evaluationOrder=10000,logoutType=BACK_CHANNEL,attributeReleasePolicy=org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy@15646ed9[attributeFilter=<null>,principalAttributesRepository=org.apereo.cas.authentication.principal.DefaultPrincipalAttributesRepository@7923006f[],authorizedToReleaseCredentialPassword=false,authorizedToReleaseAuthenticationAttributes=true,authorizedToReleaseProxyGrantingTicket=false,excludeDefaultAttributes=false,principalIdAttribute=<null>,consentPolicy=org.apereo.cas.services.consent.DefaultRegisteredServiceConsentPolicy@330ae512[excludedAttributes=<null>,includeOnlyAttributes=<null>,enabled=true],allowedAttributes=[]],accessStrategy=org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy@5bc47191[enabled=true,ssoEnabled=true,requireAllAttributes=true,requiredAttributes={},unauthorizedRedirectUrl=<null>,caseInsensitive=false,rejectedAttributes={}],publicKey=<null>,proxyPolicy=org.apereo.cas.services.RefuseRegisteredServiceProxyPolicy@2cd156ce,logo=<null>,logoutUrl=<null>,requiredHandlers=[],properties={},multifactorPolicy=org.apereo.cas.services.DefaultRegisteredServiceMultifactorPolicy@6dc092b8[multifactorAuthenticationProviders=[],failureMode=NOT_SET,principalAttributeNameTrigger=<null>,principalAttributeValueToMatch=<null>,bypassEnabled=false],informationUrl=<null>,privacyUrl=<null>,contacts=[],expirationPolicy=org.apereo.cas.services.DefaultRegisteredServiceExpirationPolicy@687fb318[deleteWhenExpired=false,notifyWhenDeleted=false,expirationDate=<null>],<null>]. Proceeding...>
> 2018-05-17 11:50:46,514 DEBUG [org.apereo.cas.logout.DefaultSingleLogoutServiceMessageHandler] - <Prepared logout url [https://192.168.111.12:8443/] for service [org.apereo.cas.authentication.principal.SimpleWebApplicationServiceImpl@432f5faa[id=https://192.168.111.12:8443/,originalUrl=https://192.168.111.12:8443/,artifactId=<null>,principal=casuser,loggedOutAlready=false,format=XML]]>
> 2018-05-17 11:50:46,515 DEBUG [org.apereo.cas.logout.DefaultSingleLogoutServiceMessageHandler] - <Creating logout request for [org.apereo.cas.authentication.principal.SimpleWebApplicationServiceImpl@432f5faa[id=https://192.168.111.12:8443/,originalUrl=https://192.168.111.12:8443/,artifactId=<null>,principal=casuser,loggedOutAlready=false,format=XML]] and ticket id [ST-3-Ca79ror-smWCKyQzaBNn0ZYt6l0-client]>
> 2018-05-17 11:50:46,517 DEBUG [org.apereo.cas.logout.DefaultSingleLogoutServiceMessageHandler] - <Logout request [org.apereo.cas.logout.DefaultLogoutRequest@61e23890[ticketId=ST-3-Ca79ror-smWCKyQzaBNn0ZYt6l0-client,service=org.apereo.cas.authentication.principal.SimpleWebApplicationServiceImpl@432f5faa[id=https://192.168.111.12:8443/,originalUrl=https://192.168.111.12:8443/,artifactId=<null>,principal=casuser,loggedOutAlready=false,format=XML],status=NOT_ATTEMPTED]] created for [org.apereo.cas.authentication.principal.SimpleWebApplicationServiceImpl@432f5faa[id=https://192.168.111.12:8443/,originalUrl=https://192.168.111.12:8443/,artifactId=<null>,principal=casuser,loggedOutAlready=false,format=XML]] and ticket id [ST-3-Ca79ror-smWCKyQzaBNn0ZYt6l0-client]>
> 2018-05-17 11:50:46,518 DEBUG [org.apereo.cas.logout.DefaultSingleLogoutServiceMessageHandler] - <Logout type registered for [org.apereo.cas.authentication.principal.SimpleWebApplicationServiceImpl@432f5faa[id=https://192.168.111.12:8443/,originalUrl=https://192.168.111.12:8443/,artifactId=<null>,principal=casuser,loggedOutAlready=false,format=XML]] is [BACK_CHANNEL]>
> 2018-05-17 11:50:46,519 DEBUG [org.apereo.cas.logout.DefaultSingleLogoutServiceMessageHandler] - <Creating back-channel logout request based on [org.apereo.cas.logout.DefaultLogoutRequest@61e23890[ticketId=ST-3-Ca79ror-smWCKyQzaBNn0ZYt6l0-client,service=org.apereo.cas.authentication.principal.SimpleWebApplicationServiceImpl@432f5faa[id=https://192.168.111.12:8443/,originalUrl=https://192.168.111.12:8443/,artifactId=<null>,principal=casuser,loggedOutAlready=false,format=XML],status=NOT_ATTEMPTED]]>
> 2018-05-17 11:50:46,522 DEBUG [org.apereo.cas.logout.SamlCompliantLogoutMessageCreator] - <Generated logout message: [<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="LR-1-vL8zdM8-dQR8rayaAYJJz6d2" Version="2.0" IssueInstant="2018-05-17T11:50:46Z"><saml:NameID xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">@NOT_USED@</saml:NameID><samlp:SessionIndex>ST-3-Ca79ror-smWCKyQzaBNn0ZYt6l0-client</samlp:SessionIndex></samlp:LogoutRequest>]>
> 2018-05-17 11:50:46,522 DEBUG [org.apereo.cas.logout.DefaultSingleLogoutServiceMessageHandler] - <Preparing logout request for [https://192.168.111.12:8443/] to [https://192.168.111.12:8443/]>
> 2018-05-17 11:50:46,547 DEBUG [org.apereo.cas.logout.DefaultSingleLogoutServiceMessageHandler] - <Prepared logout message to send is [org.apereo.cas.logout.LogoutHttpMessage@e0bb76[url=https://192.168.111.12:8443/,message=<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="LR-1-vL8zdM8-dQR8rayaAYJJz6d2" Version="2.0" IssueInstant="2018-05-17T11:50:46Z"><saml:NameID xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">@NOT_USED@</saml:NameID><samlp:SessionIndex>ST-3-Ca79ror-smWCKyQzaBNn0ZYt6l0-client</samlp:SessionIndex></samlp:LogoutRequest>,asynchronous=false,contentType=application/x-www-form-urlencoded,responseCode=0]]. Sending...>
> 2018-05-17 11:50:46,659 WARN [org.apereo.cas.logout.DefaultSingleLogoutServiceMessageHandler] - <Logout message is not sent to [https://192.168.111.12:8443/]; Continuing processing...>
> 2018-05-17 11:50:46,661 INFO [org.apereo.cas.logout.DefaultLogoutManager] - <[1] logout requests were processed>
> 2018-05-17 11:50:46,668 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
> =============================================================
> WHO: casuser
> WHAT: TGT-2-*********************************************************eGcHG1JqHs-client
> ACTION: TICKET_GRANTING_TICKET_DESTROYED
> APPLICATION: CAS
> WHEN: Thu May 17 11:50:46 IST 2018
> CLIENT IP ADDRESS: 192.168.111.12
> SERVER IP ADDRESS: 192.168.111.12
> =============================================================
>
> On Tue, May 15, 2018 at 11:59 PM, Ray Bon <[email protected]> wrote:
>
> Ramakrishna,
>
> If the TGT is destroyed, then that SSO session is also destroyed even if the TGC is not (why TGC is not removed is odd).
> If you are still logged in to the client application, your client may not be part of single log out (SLO). It is up to the client to manage its own session.
> When you say 'valid ticket', do you mean a new service ticket?
>
> You can try these log4j2 options to see what is happening during the logout process:
>
> <!-- DEBUG service status and logout process and a lot of details -->
> <AsyncLogger name="org.apereo.cas.logout" level="info" />
> <!-- INFO Performing logout operations for [TGT-...]
>      [number] logout requests were processed
>      DEBUG ST, principal and URL -->
> <AsyncLogger name="org.apereo.cas.logout.DefaultLogoutManager" level="info">
>     <Filters>
>         <ThresholdFilter level="INFO" onMatch="ACCEPT" onMismatch="NEUTRAL" />
>         <RegexFilter regex="Captured logout request.*" onMismatch="DENY" />
>     </Filters>
> </AsyncLogger>
> <!-- DEBUG Logout request will be sent to but does not print anything when login was through SAML 1.1 -->
> <AsyncLogger name="org.apereo.cas.logout.DefaultSingleLogoutServiceLogoutUrlBuilder" level="warn" />
> <!-- DEBUG preparing, processing and logout with URL and ST -->
> <AsyncLogger name="org.apereo.cas.logout.DefaultSingleLogoutServiceMessageHandler" level="debug" />
> <!-- DEBUG SAML logout payload -->
> <AsyncLogger name="org.apereo.cas.logout.SamlCompliantLogoutMessageCreator" level="debug" />
>
> Ray
>
> On Tue, 2018-05-15 at 15:58 +0530, Ramakrishna G wrote:
>
> On clicking logout, which calls the cas/logout link:
>
> WHO: casuser
> WHAT: TGT-1-*********************************************************CPmWzMzi-I-client
> ACTION: TICKET_GRANTING_TICKET_DESTROYED
> APPLICATION: CAS
> WHEN: Tue May 15 15:45:17 IST 2018
> CLIENT IP ADDRESS: 192.168.111.12
> SERVER IP ADDRESS: 192.168.111.12
> =============================================================
>
> But I can see that in the browser the TGC cookie still resides, which forces me to delete the cookies or close the browser for a fresh login. Is there any way to avoid this?
>
> On Sat, May 12, 2018 at 1:45 PM, Ramakrishna G <[email protected]> wrote:
>
> Yes, it is redirected to the logout page, yet the cookies are not removed. When I refresh, it redirects to the application with a valid ticket instead of redirecting to the login page.
>
> On Fri, May 11, 2018 at 8:39 PM, Ray Bon <[email protected]> wrote:
>
> Ramakrishna,
>
> If the browser is redirected to /cas/logout, the cookies will/should be removed.
>
> Ray
>
> On Fri, 2018-05-11 at 19:30 +0530, Ramakrishna G wrote:
>
> Hello Team,
>
> On logout, CAS cookies are not removed from the browser. I need to forcefully clear them. What might be the reason?
>
> Thanks
> Ramakrishna G
>
> --
> Ray Bon
> Programmer analyst
> Development Services, University Systems
> 2507218831 | CLE 019 | [email protected]
>
> --
> - Website: https://apereo.github.io/cas
> - Gitter Chatroom: https://gitter.im/apereo/cas
> - List Guidelines: https://goo.gl/1VRrw7
> - Contributions: https://goo.gl/mh7qDG
> ---
> You received this message because you are subscribed to the Google Groups "CAS Community" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
> To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/1526051367.1797.41.camel%40uvic.ca
> To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/1526408970.1817.28.camel%40uvic.ca
> To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/1526573941.1817.65.camel%40uvic.ca

To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAGST5P-m4DXy2rtv%2BxrFbAUrS1GMb%2BKymwi861rPU9W1Lu5uYA%40mail.gmail.com.
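The back-channel single logout exchange that the posted log shows CAS attempting, reconstructed offline as an added example; this is not code from the thread, from CAS or from mod_auth_cas. CAS makes the POST itself, server to server, to the registered service URL (in the log, the service's own root URL https://192.168.111.12:8443/), so it is the CAS JVM that must trust the certificate presented there, which is why Ray points at the Java key store. The body is application/x-www-form-urlencoded with a single logoutRequest field carrying the samlp:LogoutRequest; the service reads SessionIndex, which holds the service ticket it validated at login, and destroys the local session tied to that ticket. The session store, the helper names and the handling of malformed bodies are this example's own assumptions about what a client such as mod_auth_cas does; the ticket and request ids are copied from the log.

```python
# Added example (not from the thread, CAS or mod_auth_cas): the CAS back-channel
# single logout (SLO) exchange from both sides, run offline.  Names, the session
# store and the malformed-body handling are assumptions made for this example.
from __future__ import annotations

import urllib.parse
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"


def build_logout_request(ticket_id: str, request_id: str, issue_instant: str) -> str:
    """CAS side: the LogoutRequest in the shape SamlCompliantLogoutMessageCreator
    logged above. NameID is the literal @NOT_USED@; the ticket rides in SessionIndex."""
    return (
        f'<samlp:LogoutRequest xmlns:samlp="{SAMLP_NS}" ID="{request_id}" '
        f'Version="2.0" IssueInstant="{issue_instant}">'
        f'<saml:NameID xmlns:saml="{SAML_NS}">@NOT_USED@</saml:NameID>'
        f"<samlp:SessionIndex>{ticket_id}</samlp:SessionIndex>"
        "</samlp:LogoutRequest>"
    )


def encode_form_body(logout_request_xml: str) -> str:
    """CAS side: the POST body (contentType=application/x-www-form-urlencoded),
    one field named logoutRequest."""
    return urllib.parse.urlencode({"logoutRequest": logout_request_xml})


def parse_session_index(form_body: str) -> str | None:
    """Service side: the ticket named in a back-channel logout POST, or None when
    the body is not a well-formed LogoutRequest, so the caller can fall through to
    ordinary request handling. The body arrives unauthenticated from the network;
    in production parse it with defusedxml to rule out entity-expansion tricks."""
    fields = urllib.parse.parse_qs(form_body, keep_blank_values=True)
    values = fields.get("logoutRequest")
    if not values:
        return None
    try:
        root = ET.fromstring(values[0])
    except ET.ParseError:
        return None
    if root.tag != f"{{{SAMLP_NS}}}LogoutRequest":
        return None
    index = root.find(f"{{{SAMLP_NS}}}SessionIndex")
    ticket = (index.text or "").strip() if index is not None else ""
    return ticket or None


@dataclass
class ServiceSessionStore:
    """Service side: sessions keyed by the service ticket that created them. A
    client that keys sessions only by its own cookie cannot honour SLO, because
    the ticket is all the logout request carries (assumed store, for illustration)."""
    sessions: dict[str, str] = field(default_factory=dict)  # ticket -> principal

    def login(self, ticket_id: str, principal: str) -> None:
        self.sessions[ticket_id] = principal

    def handle_back_channel_logout(self, form_body: str) -> bool:
        """Destroy the session for the ticket in the POST. True when a session was
        actually removed; an unknown or already-removed ticket is not an error,
        matching the log, where CAS continues processing whatever the outcome."""
        ticket = parse_session_index(form_body)
        if ticket is None:
            return False
        return self.sessions.pop(ticket, None) is not None


def demo() -> bool:
    """One exchange end to end, using the ticket and request ids from the log."""
    ticket = "ST-3-Ca79ror-smWCKyQzaBNn0ZYt6l0-client"
    store = ServiceSessionStore()
    store.login(ticket, "casuser")
    body = encode_form_body(
        build_logout_request(ticket, "LR-1-vL8zdM8-dQR8rayaAYJJz6d2", "2018-05-17T11:50:46Z")
    )
    return store.handle_back_channel_logout(body) and ticket not in store.sessions


if __name__ == "__main__":
    print("session destroyed:", demo())
```

What this does not model is the transport failure in the log: the WARN "Logout message is not sent" is raised before any of the service-side code runs, so a service that keys its sessions correctly still stays logged in until CAS can complete the HTTPS POST to it.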
