Neha,

Our WordPress uses disk-based sessions, a file like 'sess_ST-...'. Logout is 
performed by deleting these files. I do not see where this file is created in 
the code. I suspect that it might be part of phpCAS but I have not worked with 
its session options much.
Maybe there are phpCAS config options for managing the session.

In our Moodle install, I created a map between the Moodle-created session ID 
and the ST and stored that in a Redis cache. When the logout request comes in, 
I look for the ST in the cache and kill the associated session.

Ray



On Mon, 2018-08-06 at 01:31 -0700, Neha Gupta wrote:
Hello Ray,

Thanks a lot for the reply.
Yes, I am able to access the logoutUrl without being logged in.
Maybe we wait for the WordPress expert and his advice as to what can be done.

Wish you a nice day ahead.


Regards
Neha Gupta


On Friday, August 3, 2018 at 8:58:08 PM UTC+2, rbon wrote:
Neha,

Is it possible that LogoutUrl is protected by CAS? (That is, can you access 
LogoutUrl without being logged in?)
Our WordPress expert is away until at least Tuesday so I will ask how logout 
is set up then.

Ray

On Fri, 2018-08-03 at 02:22 -0700, Neha Gupta wrote:
Hello Ray,

Thanks for the update.

I have already configured "LogoutUrl" in the service registry, but the problem 
is that in response I am receiving a 302 error with the other URL in the 
"Location" header.
When I fire the same logout URL from a new tab, I get logged out from the 
WordPress site, but when it is done through CAS I do not, and the reason for 
this is that CAS fires the HTTP POST request just once and not again and again 
when a 302 error is received.
So I just want to know whether there is any configuration available in CAS by 
which we can redirect CAS to fire the HTTP POST this number of times, or how 
this can be done.

Thanks and Wish you a nice weekend ahead.

Regards
Neha Gupta


On Thursday, August 2, 2018 at 6:21:11 PM UTC+2, rbon wrote:
Neha,

By default CAS will send the logout to the URL that was used for login. If 
Wordpress has a different URL, you can set that in the service definition, 
https://apereo.github.io/cas/5.3.x/installation/Logout-Single-Signout.html#slo-requests

Ray

On Thu, 2018-08-02 at 02:52 -0700, Neha Gupta wrote:
Hello Ray,

The issue is solved with the ASP application. Now when /cas/logout is called 
from a new tab, the ASP application is also getting logged out. The reason is 
the certificate, as stated by you, and some configuration in the web.config of 
the ASP application. After activating debug traces for "org.apache.http" in 
"log4j2.xml" I came to know about the reason and finally solved it.

Also, the problem is still there with the WordPress site. SLO is not working 
for it. The reason for this is that the HTTP POST request for logout is 
getting a 302 response with another URL in the "Location" header field, and 
CAS is not sending the HTTP POST request again. Is there any configuration 
where we can instruct CAS to send the HTTP POST request again in case a 302 is 
received? I am using the WP Cassify plugin for integrating the WordPress site 
with CAS.


Thanks a lot for all your support.


Regards
Neha Gupta

On Tuesday, July 31, 2018 at 5:26:38 PM UTC+2, rbon wrote:
Neha,

The debug message looks like CAS is not sending the logout (are the clients 
pac4j?).
You have to install the certificate in the Java keystore. Look into keytool, 
which comes with Java, to install certificates.

Ray

On Mon, 2018-07-30 at 03:01 -0700, Neha Gupta wrote:
Hello Ray,

Thanks for the update.
I tried adding the configuration below to the "cas.properties" file:

cas.httpClient.connectionTimeout=5000
cas.httpClient.asyncTimeout=5000
cas.httpClient.readTimeout=5000
cas.httpClient.truststore.psw=changeit
cas.httpClient.truststore.file="C:\Users\Administrator.IDIV-DEV1\.keystore"

where this keystore contains the certificates of the ASP app, but still no 
success. I tried putting logs in the "CasLogOff" function present in the ASP 
app but it is not getting hit when /cas/logout is called from a new tab.

Also, in the CAS traces I have seen the error below. Maybe this can be the 
reason.

2018-07-26 11:52:36,908 DEBUG 
[org.apereo.cas.support.pac4j.web.flow.SAML2ClientLogoutAction] - <The current 
client is not a SAML2 client or it cannot be found at all, no logout action 
will be executed.>


Thanks in advance

Regards
Neha Gupta


On Friday, July 27, 2018 at 6:41:41 PM UTC+2, rbon wrote:
Neha,

Try to get some debug information from the clients.
Does the request reach from CAS server to client (curl 
https://idiv-dev1:3556/Account/CasLogOff)?
Put debug statements in CasLogOff method.
Check your certificates. Your clients trust CAS (login works) but for logout, 
CAS needs to trust your clients.

Ray

On Fri, 2018-07-27 at 05:53 -0700, Neha Gupta wrote:
Hello Ray,

Firing /cas/logout does not log out the applications and the traces look the 
same.
Below is the Logout function present in the ASP application:

    public void CasLogOff()
    {
        FormsAuthentication.SignOut();
        DotNetCasClient.CasAuthentication.SingleSignOut();
    }

and below is the service registry in CAS:

{
  "@class" : "org.apereo.cas.services.RegexRegisteredService",
  "serviceId" : "https://idiv-dev1:3556/.*",
  "name" : "BEXIS",
  "id" : 10000002,
  "description" : "This authorizes the BEXIS service.",
  "logoutUrl" : "https://idiv-dev1:3556/Account/CasLogOff",
  "logoutType" : "BACK_CHANNEL",
  "evaluationOrder" : 10001
}


When I call the URL "https://idiv-dev1:3556/Account/CasLogOff" in a new tab, 
I am logged out from CAS as well as the ASP application, as defined in the 
function, but why is CAS not able to make the single logout?
I am not able to get what is wrong in the configuration.


Regards
Neha Gupta


On Thursday, July 26, 2018 at 6:07:47 PM UTC+2, rbon wrote:
Neha,

The log says '[2] logout requests were processed'. Perhaps it is your clients 
that are not processing the CAS logout correctly. You can go to /cas/logout in 
a new tab, CAS log should look the same but are you logged out of your apps?

As for the tickets being removed, it could be your ticket store is returning 
a confusing response or that the ST was removed already (when it was validated).

Ray

On Thu, 2018-07-26 at 07:01 -0700, Neha Gupta wrote:
Hello CAS Team,

I have integrated a WordPress site with CAS and I am using the WPCassify 
plugin for this.
Now I have another ASP application and have integrated it with CAS through 
DotNetCasClient.

Now my Single Sign-On is working fine with both applications, i.e. if I log in 
to my WordPress website and go to the ASP application then I get automatically 
logged in to my ASP application, but when I log out from either application 
I am not logged out from the other application.

Attached are the traces of CAS, and it seems that CAS is creating some logout 
request and finally is unable to remove the tickets. I don't have any idea how 
to proceed further.
I request you to please help me out.

Thanks in advance.


Regards
Neha Gupta


--
Ray Bon
Programmer analyst
Development Services, University Systems
2507218831 | CLE 019 | rb...@uvic.ca
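
Added example (not code from anyone in this thread, and not the Moodle or phpCAS implementation): a sketch of the ST-to-session map described in the first message, with a handler for the back-channel POST that CAS sends in its logoutRequest form parameter. The class, method and sample names are hypothetical, plain dicts stand in for the Redis cache, and the ticket value is constructed.

```python
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"

class SloSessionMap:
    """Service ticket -> local session id; dicts stand in for the cache (assumption)."""

    def __init__(self):
        self.st_to_session = {}   # ST -> session id
        self.sessions = {}        # session id -> session data

    def on_ticket_validated(self, service_ticket, session_id, user):
        # Called once at login, right after the ST validates.
        self.sessions[session_id] = {"user": user}
        self.st_to_session[service_ticket] = session_id

    def handle_backchannel_post(self, body):
        """Take the form-encoded POST body; return (HTTP status, sessions killed)."""
        xml_text = parse_qs(body).get("logoutRequest", [""])[0]
        # A logout request never needs a DTD, so refuse entity tricks outright.
        if not xml_text or "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
            return 400, 0
        try:
            root = ET.fromstring(xml_text)
        except ET.ParseError:
            return 400, 0
        if root.tag != f"{{{SAMLP}}}LogoutRequest":
            return 400, 0
        st = (root.findtext(f"{{{SAMLP}}}SessionIndex") or "").strip()
        # The logout URL is reachable without a login, so act only on an ST
        # recorded at login; an unknown or replayed ST kills nothing.
        session_id = self.st_to_session.pop(st, None)
        killed = int(session_id is not None
                     and self.sessions.pop(session_id, None) is not None)
        # Answer the POST itself with 200: per the thread, CAS does not re-send after a 302.
        return 200, killed

# Constructed sample: the ticket value and IDs are made up for this example.
SAMPLE_ST = "ST-1-constructedExampleTicket-cas01"
SAMPLE_BODY = urlencode({"logoutRequest": (
    f'<samlp:LogoutRequest xmlns:samlp="{SAMLP}" ID="LR-1-constructed" Version="2.0">'
    f'<samlp:SessionIndex>{SAMPLE_ST}</samlp:SessionIndex></samlp:LogoutRequest>')})

if __name__ == "__main__":
    store = SloSessionMap()
    store.on_ticket_validated(SAMPLE_ST, "sess-abc", "user1")
    print(store.handle_backchannel_post(SAMPLE_BODY))  # first delivery
    print(store.handle_backchannel_post(SAMPLE_BODY))  # replay of the same request
```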

