Hi Ganesh, Sorry for the late reply. I have checked logs as well, it seems like CAS is not connecting with OKTA at the time of logout.
log details: 2018-09-04 17:29:21,173 DEBUG [org.apereo.cas.support.saml.services.SamlIdPSingleLogoutServiceLogoutUrlBuilder] - <Service [AbstractRegisteredService(serviceId=^https://.*, name=HTTPS, theme=null, informationUrl=null, privacyUrl=null, responseType=null, id=10000001, description=This service definition authorizes all application urls that support HTTPS and IMAPS protocols., expirationPolicy=DefaultRegisteredServiceExpirationPolicy(deleteWhenExpired=false, notifyWhenDeleted=false, expirationDate=null), proxyPolicy=org.apereo.cas.services.RefuseRegisteredServiceProxyPolicy@1, evaluationOrder=10000, usernameAttributeProvider=org.apereo.cas.services.DefaultRegisteredServiceUsernameProvider@87297e2, logoutType=BACK_CHANNEL, requiredHandlers=[], attributeReleasePolicy=ReturnAllowedAttributeReleasePolicy(super=AbstractRegisteredServiceAttributeReleasePolicy(attributeFilter=null, principalAttributesRepository=DefaultPrincipalAttributesRepository(), consentPolicy=DefaultRegisteredServiceConsentPolicy(enabled=true, excludedAttributes=null, includeOnlyAttributes=null), authorizedToReleaseCredentialPassword=false, authorizedToReleaseProxyGrantingTicket=false, excludeDefaultAttributes=false, authorizedToReleaseAuthenticationAttributes=true, principalIdAttribute=null), allowedAttributes=[]), multifactorPolicy=DefaultRegisteredServiceMultifactorPolicy(multifactorAuthenticationProviders=[], failureMode=NOT_SET, principalAttributeNameTrigger=null, principalAttributeValueToMatch=null, bypassEnabled=false), logo=null, logoutUrl=https://localhost:8443/cas/logout, accessStrategy=DefaultRegisteredServiceAccessStrategy(order=0, enabled=true, ssoEnabled=true, unauthorizedRedirectUrl=null, delegatedAuthenticationPolicy=DefaultRegisteredServiceDelegatedAuthenticationPolicy(allowedProviders=[SAML2Client]), requireAllAttributes=true, requiredAttributes={}, rejectedAttributes={}, caseInsensitive=false), publicKey=null, properties={}, contacts=[])] is not a SAML service, or its logout url could not be determined> 2018-09-04 17:29:21,173 DEBUG [org.apereo.cas.logout.DefaultSingleLogoutServiceLogoutUrlBuilder] - <Logout request will be sent to [https://localhost:8443/cas/logout] for service [AbstractWebApplicationService(id=https://localhost:8443/vcm/j_spring_cas_security_check, originalUrl=https://localhost:8443/vcm/j_spring_cas_security_check, artifactId=null, [email protected], source=service, loggedOutAlready=false, format=XML, attributes={})]> 2018-09-04 17:29:21,174 DEBUG [org.apereo.cas.logout.DefaultSingleLogoutServiceMessageHandler] - <Prepared logout url [[https://localhost:8443/cas/logout]] for service [AbstractWebApplicationService(id=https://localhost:8443/vcm/j_spring_cas_security_check, originalUrl=https://localhost:8443/vcm/j_spring_cas_security_check, artifactId=null, [email protected], source=service, loggedOutAlready=false, format=XML, attributes={})]> 2018-09-04 17:29:21,174 DEBUG [org.apereo.cas.logout.DefaultSingleLogoutServiceMessageHandler] - <Creating logout request for [AbstractWebApplicationService(id=https://localhost:8443/vcm/j_spring_cas_security_check, originalUrl=https://localhost:8443/vcm/j_spring_cas_security_check, artifactId=null, [email protected], source=service, loggedOutAlready=false, format=XML, attributes={})] and ticket id [ST-1-SDZwYUPRAVYcRYqnvtBi0D-XrIQSCS-S12]> 2018-09-04 17:29:21,401 DEBUG [org.apereo.cas.logout.DefaultSingleLogoutServiceMessageHandler] - <Logout request [DefaultLogoutRequest(ticketId=ST-1-SDZwYUPRAVYcRYqnvtBi0D-XrIQSCS-S12, service=AbstractWebApplicationService(id=https://localhost:8443/vcm/j_spring_cas_security_check, originalUrl=https://localhost:8443/vcm/j_spring_cas_security_check, artifactId=null, [email protected], source=service, loggedOutAlready=false, format=XML, attributes={}), status=NOT_ATTEMPTED, logoutUrl=https://localhost:8443/cas/logout)] created for [AbstractWebApplicationService(id=https://localhost:8443/vcm/j_spring_cas_security_check, originalUrl=https://localhost:8443/vcm/j_spring_cas_security_check, artifactId=null, [email protected], source=service, loggedOutAlready=false, format=XML, attributes={})] and ticket id [ST-1-SDZwYUPRAVYcRYqnvtBi0D-XrIQSCS-S12]> 2018-09-04 17:29:21,401 DEBUG [org.apereo.cas.logout.DefaultSingleLogoutServiceMessageHandler] - <Logout type registered for [AbstractWebApplicationService(id=https://localhost:8443/vcm/j_spring_cas_security_check, originalUrl=https://localhost:8443/vcm/j_spring_cas_security_check, artifactId=null, [email protected], source=service, loggedOutAlready=false, format=XML, attributes={})] is [BACK_CHANNEL]> 2018-09-04 17:29:21,402 DEBUG [org.apereo.cas.logout.DefaultSingleLogoutServiceMessageHandler] - <Creating back-channel logout request based on [DefaultLogoutRequest(ticketId=ST-1-SDZwYUPRAVYcRYqnvtBi0D-XrIQSCS-S12, service=AbstractWebApplicationService(id=https://localhost:8443/vcm/j_spring_cas_security_check, originalUrl=https://localhost:8443/vcm/j_spring_cas_security_check, artifactId=null, [email protected], source=service, loggedOutAlready=false, format=XML, attributes={}), status=NOT_ATTEMPTED, logoutUrl=https://localhost:8443/cas/logout)]> 2018-09-04 17:29:21,478 DEBUG [org.apereo.cas.logout.SamlCompliantLogoutMessageCreator] - <Generated logout message: [<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="LR-1-Zkra8FA-8YIF7kVhWkRWyAWy" Version="2.0" IssueInstant="2018-09-04T17:29:21Z"><saml:NameID xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">@NOT_USED@</saml:NameID><samlp:SessionIndex>ST-1-SDZwYUPRAVYcRYqnvtBi0D-XrIQSCS-S12</samlp:SessionIndex></samlp:LogoutRequest>]> 2018-09-04 17:29:21,478 DEBUG [org.apereo.cas.logout.DefaultSingleLogoutServiceMessageHandler] - <Preparing logout request for [https://localhost:8443/vcm/j_spring_cas_security_check] to [https://localhost:8443/cas/logout]> 2018-09-04 17:29:21,485 DEBUG [org.apereo.cas.logout.DefaultSingleLogoutServiceMessageHandler] - <Prepared logout message to send is [HttpMessage(url=https://localhost:8443/cas/logout, message=logoutRequest=%3Csamlp%3ALogoutRequest+xmlns%3Asamlp%3D%22urn%3Aoasis%3Anames%3Atc%3ASAML%3A2.0%3Aprotocol%22+ID%3D%22LR-1-Zkra8FA-8YIF7kVhWkRWyAWy%22+Version%3D%222.0%22+IssueInstant%3D%222018-09-04T17%3A29%3A21Z%22%3E%3Csaml%3ANameID+xmlns%3Asaml%3D%22urn%3Aoasis%3Anames%3Atc%3ASAML%3A2.0%3Aassertion%22%3E%40NOT_USED%40%3C%2Fsaml%3ANameID%3E%3Csamlp%3ASessionIndex%3EST-1-SDZwYUPRAVYcRYqnvtBi0D-XrIQSCS-S12%3C%2Fsamlp%3ASessionIndex%3E%3C%2Fsamlp%3ALogoutRequest%3E, responseCode=0, asynchronous=true, contentType=application/x-www-form-urlencoded)]. Sending...> 2018-09-04 17:29:21,532 DEBUG [org.apereo.cas.util.http.SimpleHttpClient] - <Created HTTP post message payload [POST https://localhost:8443/cas/logout HTTP/1.1]> 2018-09-04 17:29:21,558 INFO [org.apereo.cas.logout.DefaultLogoutManager] - <[1] logout requests were processed> I have gone through the CAS codebase, as per my understanding, CAS is not getting some SAML metadata for a given SP for logout. I have added "SamlRegisteredService" service registry for the same but no luck. service registry: { "@class" : "org.apereo.cas.support.saml.services.SamlRegisteredService", "serviceId" : "urn:herb:saml:pac4j.org", "name" : "SAMLService", "id" : 10000003, "evaluationOrder" : 10, "metadataLocation" : "https://myoktaClient.com/app/exkfsyqtvxlhZ2i9f0h7/sso/saml/metadata"; } Also, I have added logoutType and logoutUrl in HTTPSandIMAPS-10000001.json registry file as below, "logoutType": "BACK_CHANNEL", "logoutUrl":"https://localhost:8443/cas/logout";, Is there anything missing? Thanks, Sarika D. On Monday, 2 October 2017 12:49:48 UTC+5:30, Антон Шихмат wrote: > > Hello everyone, > > I'm trying to integrate CAS SAML 2 delegated auth with OKTA using this > tutorial https://apereo.github.io/2017/03/22/cas51-delauthn-tutorial/ > CAS properties file should contain such values: keystore path (that > contains OKTA signing certificate), keystore password and private key > password. > OKTA provides signing certificate, so I can create a keystore using it. > But OKTA does not provide private key for this certificate (or at least I > cannot find it). I cannot left this value empty, because I will receive an > exception during CAS startup. > Can anyone help me, how can I configure OKTA integration without private > key or where I can find it? > > Thanks > -- - Website: https://apereo.github.io/cas - Gitter Chatroom: https://gitter.im/apereo/cas - List Guidelines: https://goo.gl/1VRrw7 - Contributions: https://goo.gl/mh7qDG --- You received this message because you are subscribed to the Google Groups "CAS Community" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/4a6c8cbd-76d8-4963-b3d8-6499e1775c98%40apereo.org.
