Ray, I was able to solve the SSL issue using openssl. Now I am using https at both ends with a valid certificate.
But my original problem of CAS not logging out still persists.

On Sat, May 19, 2018 at 4:51 PM, Ramakrishna G <[email protected]> wrote:
> Ray,
>
> I configured ssl as advised by you. Now I have a different issue.
>
> When I use CASValidateURL with an https url I get this Unauthorized error. If I remove https it works, but the logout issue still persists:
>
> Unauthorized
>
> This server could not verify that you are authorized to access the document requested. Either you supplied the wrong credentials (e.g., bad password), or your browser doesn't understand how to supply the credentials required.
>
> I am sharing my config:
>
> CASCookiePath /var/cache/mod_auth_cas/
> CASCertificatePath /etc/httpd/conf/casdev.crt
> CASLoginURL https://192.168.111.12:8443/cas/login
> CASRootProxiedAs https://192.168.111.12:8443
> CASValidateURL https://192.168.111.12:8443/cas/serviceValidate
> #CASValidateURL http://192.168.111.12:8888/cas/serviceValidate
> (Tomcat http port 8888)
> CASValidateSAML Off
> CASSSOEnabled On
>
> <VirtualHost _default_:8443>
>     SSLProxyEngine on
>     SSLProxyVerify none
>     SSLProxyCheckPeerCN off
>     SSLProxyCheckPeerName off
>     SSLProxyCheckPeerExpire off
>     Loglevel debug
>     <Location />
>         AllowOverride
>         AuthType CAS
>         require valid-user
>         CASRenew On
>         ProxyPass http://192.168.111.10/
>         ProxyPassReverse http://192.168.111.10/
>     </Location>
>     <Location /cas>
>         Require all granted
>         ProxyPass https://192.168.111.12:9443/cas
>         (Tomcat https port 9443)
>         ProxyPassReverse https://192.168.111.12:9443/cas
>     </Location>
> </VirtualHost>
>
> On Fri, May 18, 2018 at 8:50 PM, Ray Bon <[email protected]> wrote:
>> Ramakrishna,
>>
>> During log out when CAS contacts your service (where mod_auth_cas is), it does so with https. You need to install the custom certificate that is on your service into the jvm running CAS.
>>
>> sudo keytool -import -file ${certName} -alias ${aliasName} -keystore $JAVA_HOME/jre/lib/security/cacerts
>>
>> https://apereo.github.io/cas/developer/Build-Process-5X.html#configure-ssl
>>
>> Ray
>>
>> On Fri, 2018-05-18 at 11:04 +0530, Ramakrishna G wrote:
>> Ray,
>>
>> Let me explain my architecture to you. I have a CAS client (mod_auth_cas) which redirects to an NGINX load balancer. The nginx forwards to one of the active CAS servers. Do I need to install certificates on all CAS servers?
>>
>> Users request mod_auth_cas via HTTPS, but I am doing ssl stripping for internal communication from Nginx to the CAS server, i.e. plain http communication is happening from nginx to the cas server.
>>
>> Can you please guide me on how I can achieve logout for my approach?
>>
>> On Thu, May 17, 2018 at 9:49 PM, Ray Bon <[email protected]> wrote:
>> Ramakrishna,
>>
>> Add this to the log config:
>>
>> <AsyncLogger name="org.apereo.cas.util.http" level="debug" />
>>
>> The above may produce a lot of messages.
>> It looks to be a problem with CAS contacting your client. It could be a certificate issue.
>> I guess you created a certificate since it is on a 192 ip. Did you add the certificate to the java key store? If CAS and your client are on different machines, then the certificate will need to be added to both.
>>
>> Ray
>>
>> On Thu, 2018-05-17 at 12:01 +0530, Ramakrishna G wrote:
>> Hi Ray,
>>
>> As said by you, I enabled logs and this is the output:
>>
>> 2018-05-17 11:50:46,479 INFO [org.apereo.cas.logout.DefaultLogoutManager] - <Performing logout operations for [TGT-2-*********************************************************eGcHG1JqHs-client]>
>> 2018-05-17 11:50:46,501 DEBUG [org.apereo.cas.logout.DefaultSingleLogoutServiceMessageHandler] - <Processing logout request for service [org.apereo.cas.authentication.principal.SimpleWebApplicationServiceImpl@432f5faa[id=https://192.168.111.12:8443/,originalUrl=https://192.168.111.12:8443/,artifactId=<null>,principal=casuser,loggedOutAlready=false,format=XML]]...>
>> 2018-05-17 11:50:46,503 DEBUG [org.apereo.cas.logout.DefaultSingleLogoutServiceMessageHandler] - <Service [org.apereo.cas.authentication.principal.SimpleWebApplicationServiceImpl@432f5faa[id=https://192.168.111.12:8443/,originalUrl=https://192.168.111.12:8443/,artifactId=<null>,principal=casuser,loggedOutAlready=false,format=XML]] supports single logout and is found in the registry as [id=10000001,name=HTTPS and IMAPS,description=This service definition authorizes all application urls that support HTTPS and IMAPS protocols.,serviceId=^(https|imaps)://.*,usernameAttributeProvider=org.apereo.cas.services.DefaultRegisteredServiceUsernameProvider@d,theme=<null>,evaluationOrder=10000,logoutType=BACK_CHANNEL,attributeReleasePolicy=org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy@15646ed9[attributeFilter=<null>,principalAttributesRepository=org.apereo.cas.authentication.principal.DefaultPrincipalAttributesRepository@7923006f[],authorizedToReleaseCredentialPassword=false,authorizedToReleaseAuthenticationAttributes=true,authorizedToReleaseProxyGrantingTicket=false,excludeDefaultAttributes=false,principalIdAttribute=<null>,consentPolicy=org.apereo.cas.services.consent.DefaultRegisteredServiceConsentPolicy@330ae512[excludedAttributes=<null>,includeOnlyAttributes=<null>,enabled=true],allowedAttributes=[]],accessStrategy=org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy@5bc47191[enabled=true,ssoEnabled=true,requireAllAttributes=true,requiredAttributes={},unauthorizedRedirectUrl=<null>,caseInsensitive=false,rejectedAttributes={}],publicKey=<null>,proxyPolicy=org.apereo.cas.services.RefuseRegisteredServiceProxyPolicy@2cd156ce,logo=<null>,logoutUrl=<null>,requiredHandlers=[],properties={},multifactorPolicy=org.apereo.cas.services.DefaultRegisteredServiceMultifactorPolicy@6dc092b8[multifactorAuthenticationProviders=[],failureMode=NOT_SET,principalAttributeNameTrigger=<null>,principalAttributeValueToMatch=<null>,bypassEnabled=false],informationUrl=<null>,privacyUrl=<null>,contacts=[],expirationPolicy=org.apereo.cas.services.DefaultRegisteredServiceExpirationPolicy@687fb318[deleteWhenExpired=false,notifyWhenDeleted=false,expirationDate=<null>],<null>]. Proceeding...>
>> 2018-05-17 11:50:46,514 DEBUG [org.apereo.cas.logout.DefaultSingleLogoutServiceMessageHandler] - <Prepared logout url [https://192.168.111.12:8443/] for service [org.apereo.cas.authentication.principal.SimpleWebApplicationServiceImpl@432f5faa[id=https://192.168.111.12:8443/,originalUrl=https://192.168.111.12:8443/,artifactId=<null>,principal=casuser,loggedOutAlready=false,format=XML]]>
>> 2018-05-17 11:50:46,515 DEBUG [org.apereo.cas.logout.DefaultSingleLogoutServiceMessageHandler] - <Creating logout request for [org.apereo.cas.authentication.principal.SimpleWebApplicationServiceImpl@432f5faa[id=https://192.168.111.12:8443/,originalUrl=https://192.168.111.12:8443/,artifactId=<null>,principal=casuser,loggedOutAlready=false,format=XML]] and ticket id [ST-3-Ca79ror-smWCKyQzaBNn0ZYt6l0-client]>
>> 2018-05-17 11:50:46,517 DEBUG [org.apereo.cas.logout.DefaultSingleLogoutServiceMessageHandler] - <Logout request [org.apereo.cas.logout.DefaultLogoutRequest@61e23890[ticketId=ST-3-Ca79ror-smWCKyQzaBNn0ZYt6l0-client,service=org.apereo.cas.authentication.principal.SimpleWebApplicationServiceImpl@432f5faa[id=https://192.168.111.12:8443/,originalUrl=https://192.168.111.12:8443/,artifactId=<null>,principal=casuser,loggedOutAlready=false,format=XML],status=NOT_ATTEMPTED]] created for [org.apereo.cas.authentication.principal.SimpleWebApplicationServiceImpl@432f5faa[id=https://192.168.111.12:8443/,originalUrl=https://192.168.111.12:8443/,artifactId=<null>,principal=casuser,loggedOutAlready=false,format=XML]] and ticket id [ST-3-Ca79ror-smWCKyQzaBNn0ZYt6l0-client]>
>> 2018-05-17 11:50:46,518 DEBUG [org.apereo.cas.logout.DefaultSingleLogoutServiceMessageHandler] - <Logout type registered for [org.apereo.cas.authentication.principal.SimpleWebApplicationServiceImpl@432f5faa[id=https://192.168.111.12:8443/,originalUrl=https://192.168.111.12:8443/,artifactId=<null>,principal=casuser,loggedOutAlready=false,format=XML]] is [BACK_CHANNEL]>
>> 2018-05-17 11:50:46,519 DEBUG [org.apereo.cas.logout.DefaultSingleLogoutServiceMessageHandler] - <Creating back-channel logout request based on [org.apereo.cas.logout.DefaultLogoutRequest@61e23890[ticketId=ST-3-Ca79ror-smWCKyQzaBNn0ZYt6l0-client,service=org.apereo.cas.authentication.principal.SimpleWebApplicationServiceImpl@432f5faa[id=https://192.168.111.12:8443/,originalUrl=https://192.168.111.12:8443/,artifactId=<null>,principal=casuser,loggedOutAlready=false,format=XML],status=NOT_ATTEMPTED]]>
>> 2018-05-17 11:50:46,522 DEBUG [org.apereo.cas.logout.SamlCompliantLogoutMessageCreator] - <Generated logout message: [<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="LR-1-vL8zdM8-dQR8rayaAYJJz6d2" Version="2.0" IssueInstant="2018-05-17T11:50:46Z"><saml:NameID xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">@NOT_USED@</saml:NameID><samlp:SessionIndex>ST-3-Ca79ror-smWCKyQzaBNn0ZYt6l0-client</samlp:SessionIndex></samlp:LogoutRequest>]>
>> 2018-05-17 11:50:46,522 DEBUG [org.apereo.cas.logout.DefaultSingleLogoutServiceMessageHandler] - <Preparing logout request for [https://192.168.111.12:8443/] to [https://192.168.111.12:8443/]>
>> 2018-05-17 11:50:46,547 DEBUG [org.apereo.cas.logout.DefaultSingleLogoutServiceMessageHandler] - <Prepared logout message to send is [org.apereo.cas.logout.LogoutHttpMessage@e0bb76[url=https://192.168.111.12:8443/,message=<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="LR-1-vL8zdM8-dQR8rayaAYJJz6d2" Version="2.0" IssueInstant="2018-05-17T11:50:46Z"><saml:NameID xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">@NOT_USED@</saml:NameID><samlp:SessionIndex>ST-3-Ca79ror-smWCKyQzaBNn0ZYt6l0-client</samlp:SessionIndex></samlp:LogoutRequest>,asynchronous=false,contentType=application/x-www-form-urlencoded,responseCode=0]]. Sending...>
>> 2018-05-17 11:50:46,659 WARN [org.apereo.cas.logout.DefaultSingleLogoutServiceMessageHandler] - <Logout message is not sent to [https://192.168.111.12:8443/]; Continuing processing...>
>> 2018-05-17 11:50:46,661 INFO [org.apereo.cas.logout.DefaultLogoutManager] - <[1] logout requests were processed>
>> 2018-05-17 11:50:46,668 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
>> =============================================================
>> WHO: casuser
>> WHAT: TGT-2-*********************************************************eGcHG1JqHs-client
>> ACTION: TICKET_GRANTING_TICKET_DESTROYED
>> APPLICATION: CAS
>> WHEN: Thu May 17 11:50:46 IST 2018
>> CLIENT IP ADDRESS: 192.168.111.12
>> SERVER IP ADDRESS: 192.168.111.12
>> =============================================================
>>
>> On Tue, May 15, 2018 at 11:59 PM, Ray Bon <[email protected]> wrote:
>> Ramakrishna,
>>
>> If the TGT is destroyed, then that SSO session is also destroyed even if the TGC is not (why TGC is not removed is odd).
>> If you are still logged in to the client application, your client may not be part of single log out (SLO). It is up to the client to manage its own session.
>> When you say 'valid ticket', do you mean a new service ticket?
>>
>> You can try these log4j2 options to see what is happening during the logout process:
>>
>> <!-- DEBUG service status and logout process and a lot of details -->
>> <AsyncLogger name="org.apereo.cas.logout" level="info" />
>> <!-- INFO Performing logout operations for [TGT-...]
>>      [number] logout requests were processed
>>      DEBUG ST, principal and URL -->
>> <AsyncLogger name="org.apereo.cas.logout.DefaultLogoutManager" level="info">
>>     <Filters>
>>         <ThresholdFilter level="INFO" onMatch="ACCEPT" onMismatch="NEUTRAL" />
>>         <RegexFilter regex="Captured logout request.*" onMismatch="DENY" />
>>     </Filters>
>> </AsyncLogger>
>> <!-- DEBUG Logout request will be sent to but does not print anything when login was through SAML 1.1 -->
>> <AsyncLogger name="org.apereo.cas.logout.DefaultSingleLogoutServiceLogoutUrlBuilder" level="warn" />
>> <!-- DEBUG preparing, processing and logout with URL and ST -->
>> <AsyncLogger name="org.apereo.cas.logout.DefaultSingleLogoutServiceMessageHandler" level="debug" />
>> <!-- DEBUG SAML logout payload -->
>> <AsyncLogger name="org.apereo.cas.logout.SamlCompliantLogoutMessageCreator" level="debug" />
>>
>> Ray
>>
>> On Tue, 2018-05-15 at 15:58 +0530, Ramakrishna G wrote:
>> On clicking logout, which calls the cas/logout link:
>>
>> WHO: casuser
>> WHAT: TGT-1-*********************************************************CPmWzMzi-I-client
>> ACTION: TICKET_GRANTING_TICKET_DESTROYED
>> APPLICATION: CAS
>> WHEN: Tue May 15 15:45:17 IST 2018
>> CLIENT IP ADDRESS: 192.168.111.12
>> SERVER IP ADDRESS: 192.168.111.12
>> =============================================================
>>
>> But I can see that in the browser the TGC cookie still resides, which forces me to delete the cookies or close the browser for a fresh login. Is there any way to avoid this?
>>
>> On Sat, May 12, 2018 at 1:45 PM, Ramakrishna G <[email protected]> wrote:
>> Yes, it is redirected to the logout page, yet the cookie is not removed. When I refresh it redirects to the application with a valid ticket instead of redirecting to the login page.
>>
>> On Fri, May 11, 2018 at 8:39 PM, Ray Bon <[email protected]> wrote:
>> Ramakrishna,
>>
>> If the browser is redirected to /cas/logout, the cookies will/should be removed.
>>
>> Ray
>>
>> On Fri, 2018-05-11 at 19:30 +0530, Ramakrishna G wrote:
>> Hello Team,
>>
>> On logout CAS cookies are not removed from the browser. I need to forcefully clear them. What might be the reason?
>>
>> Thanks
>> Ramakrishna G
>>
>> --
>> Ray Bon
>> Programmer analyst
>> Development Services, University Systems
>> 2507218831 | CLE 019 | [email protected]
>>
>> --
>> - Website: https://apereo.github.io/cas
>> - Gitter Chatroom: https://gitter.im/apereo/cas
>> - List Guidelines: https://goo.gl/1VRrw7
>> - Contributions: https://goo.gl/mh7qDG
>> ---
>> You received this message because you are subscribed to the Google Groups "CAS Community" group.
>> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
>> To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/1526051367.1797.41.camel%40uvic.ca.
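What the service side has to do with the back-channel LogoutRequest that the CAS log above shows being prepared, as an added example (not from the thread, and not mod_auth_cas's own code): read the `logoutRequest` form parameter CAS POSTs to the service URL, take the service ticket from `SessionIndex`, and invalidate the local session that ticket created. The sample message is the one from the log; the session store, its session ids and the DTD check are assumptions of the example.

```python
# Added example, not code from the thread or from mod_auth_cas: the service
# side of the back-channel single logout shown in the CAS debug log above.
import xml.etree.ElementTree as ET
from typing import Optional
from urllib.parse import parse_qs, urlencode

SAMLP = "{urn:oasis:names:tc:SAML:2.0:protocol}"

# Constructed sample: the LogoutRequest CAS logged in the thread, as it is
# POSTed to the service URL in the 'logoutRequest' form parameter.
SAMPLE_LOGOUT_REQUEST = (
    '<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'ID="LR-1-vL8zdM8-dQR8rayaAYJJz6d2" Version="2.0" '
    'IssueInstant="2018-05-17T11:50:46Z">'
    '<saml:NameID xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
    '@NOT_USED@</saml:NameID>'
    '<samlp:SessionIndex>ST-3-Ca79ror-smWCKyQzaBNn0ZYt6l0-client'
    '</samlp:SessionIndex></samlp:LogoutRequest>'
)
SAMPLE_FORM_BODY = urlencode({"logoutRequest": SAMPLE_LOGOUT_REQUEST})

# Hypothetical client session store: service ticket -> local session id. The
# ST is the only key the LogoutRequest carries, so a client that never recorded
# which ST created which session cannot take part in SLO.
SESSIONS_BY_TICKET = {"ST-3-Ca79ror-smWCKyQzaBNn0ZYt6l0-client": "local-session-42"}


def parse_logout_request(xml_text: str) -> Optional[str]:
    """Return the service ticket from <samlp:SessionIndex>, or None when the
    body is not a well-formed LogoutRequest. Bodies carrying a DTD are refused
    before parsing so entity expansion cannot be used against the parser."""
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        return None
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return None
    if root.tag != SAMLP + "LogoutRequest":
        return None
    index = root.find(SAMLP + "SessionIndex")
    ticket = (index.text or "").strip() if index is not None else ""
    return ticket or None


def handle_back_channel_logout(form_body: str, sessions: dict) -> Optional[str]:
    """Handle the application/x-www-form-urlencoded POST CAS sends. Returns
    the local session id that was invalidated, or None when the ticket is
    unknown or already logged out (so a replayed request is a harmless no-op)."""
    payload = parse_qs(form_body).get("logoutRequest", [""])[0]
    ticket = parse_logout_request(payload)
    if ticket is None:
        return None
    return sessions.pop(ticket, None)
```

None of this changes the WARN in the log: the message only arrives if CAS can reach the service URL over TLS it trusts, which is the certificate step Ray describes.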
