Hi,

Which version of CAS (and pac4j) do you use? Do you have one or more CAS
servers?
Thanks.
Best regards,
Jérôme

On Thu, 19 Dec 2019 at 17:28, Filip Majernik <[email protected]> wrote:

> Hi Sarika,
> I am facing the same issue. The SAML logout request to Okta does not work.
> After debugging I have found out that in pac4j's implementation in
> SAML2LogoutRequestBuilder the UserProfile cannot be retrieved from the
> context, hence no sessionIndex as nameId is added to the request. This
> UserProfile should be created and kept in session after the user has
> successfully authenticated in the IdP, but it isn't. Looking at the Pac4J
> documentation I assume that there is no CallbackFilter initialized in CAS
> which would store the UserProfile in the session, but I cannot confirm this.
>
> Does anybody know how to make this work?
>
> Thanks,
> Filip
>
>
> On Friday, September 14, 2018 at 7:24:44 AM UTC+2, sarika deshmukh wrote:
>>
>> Hi,
>>
>> Is there any update on this issue?
>>
>> Thanks in advance.
>>
>>
>> On Tuesday, 4 September 2018 18:34:10 UTC+5:30, sarika deshmukh wrote:
>>>
>>> Hi Ganesh,
>>>
>>> Sorry for the late reply.
>>> I have checked the logs as well; it seems like CAS is not connecting with
>>> OKTA at the time of logout.
>>>
>>> log details:
>>> 2018-09-04 17:29:21,173 DEBUG
>>> [org.apereo.cas.support.saml.services.SamlIdPSingleLogoutServiceLogoutUrlBuilder]
>>> - <Service [AbstractRegisteredService(serviceId=^https://.*,
>>> name=HTTPS, theme=null, informationUrl=null, privacyUrl=null,
>>> responseType=null, id=10000001, description=This service definition
>>> authorizes all application urls that support HTTPS and IMAPS protocols.,
>>> expirationPolicy=DefaultRegisteredServiceExpirationPolicy(deleteWhenExpired=false,
>>> notifyWhenDeleted=false, expirationDate=null),
>>> proxyPolicy=org.apereo.cas.services.RefuseRegisteredServiceProxyPolicy@1,
>>> evaluationOrder=10000,
>>> usernameAttributeProvider=org.apereo.cas.services.DefaultRegisteredServiceUsernameProvider@87297e2,
>>> logoutType=BACK_CHANNEL, requiredHandlers=[],
>>> attributeReleasePolicy=ReturnAllowedAttributeReleasePolicy(super=AbstractRegisteredServiceAttributeReleasePolicy(attributeFilter=null,
>>> principalAttributesRepository=DefaultPrincipalAttributesRepository(),
>>> consentPolicy=DefaultRegisteredServiceConsentPolicy(enabled=true,
>>> excludedAttributes=null, includeOnlyAttributes=null),
>>> authorizedToReleaseCredentialPassword=false,
>>> authorizedToReleaseProxyGrantingTicket=false,
>>> excludeDefaultAttributes=false,
>>> authorizedToReleaseAuthenticationAttributes=true,
>>> principalIdAttribute=null), allowedAttributes=[]),
>>> multifactorPolicy=DefaultRegisteredServiceMultifactorPolicy(multifactorAuthenticationProviders=[],
>>> failureMode=NOT_SET, principalAttributeNameTrigger=null,
>>> principalAttributeValueToMatch=null, bypassEnabled=false), logo=null,
>>> logoutUrl=https://localhost:8443/cas/logout,
>>> accessStrategy=DefaultRegisteredServiceAccessStrategy(order=0,
>>> enabled=true, ssoEnabled=true, unauthorizedRedirectUrl=null,
>>> delegatedAuthenticationPolicy=DefaultRegisteredServiceDelegatedAuthenticationPolicy(allowedProviders=[SAML2Client]),
>>> requireAllAttributes=true, requiredAttributes={}, rejectedAttributes={},
>>> caseInsensitive=false), publicKey=null, properties={}, contacts=[])] is not
>>> a SAML service, or its logout url could not be determined>
>>> 2018-09-04 17:29:21,173 DEBUG
>>> [org.apereo.cas.logout.DefaultSingleLogoutServiceLogoutUrlBuilder] -
>>> <Logout request will be sent to [https://localhost:8443/cas/logout] for
>>> service [AbstractWebApplicationService(id=
>>> https://localhost:8443/vcm/j_spring_cas_security_check, originalUrl=
>>> https://localhost:8443/vcm/j_spring_cas_security_check,
>>> artifactId=null, [email protected], source=service,
>>> loggedOutAlready=false, format=XML, attributes={})]>
>>> 2018-09-04 17:29:21,174 DEBUG
>>> [org.apereo.cas.logout.DefaultSingleLogoutServiceMessageHandler] -
>>> <Prepared logout url [[https://localhost:8443/cas/logout]] for service
>>> [AbstractWebApplicationService(id=
>>> https://localhost:8443/vcm/j_spring_cas_security_check, originalUrl=
>>> https://localhost:8443/vcm/j_spring_cas_security_check,
>>> artifactId=null, [email protected], source=service,
>>> loggedOutAlready=false, format=XML, attributes={})]>
>>> 2018-09-04 17:29:21,174 DEBUG
>>> [org.apereo.cas.logout.DefaultSingleLogoutServiceMessageHandler] -
>>> <Creating logout request for [AbstractWebApplicationService(id=
>>> https://localhost:8443/vcm/j_spring_cas_security_check, originalUrl=
>>> https://localhost:8443/vcm/j_spring_cas_security_check,
>>> artifactId=null, [email protected], source=service,
>>> loggedOutAlready=false, format=XML, attributes={})] and ticket id
>>> [ST-1-SDZwYUPRAVYcRYqnvtBi0D-XrIQSCS-S12]>
>>> 2018-09-04 17:29:21,401 DEBUG
>>> [org.apereo.cas.logout.DefaultSingleLogoutServiceMessageHandler] - <Logout
>>> request
>>> [DefaultLogoutRequest(ticketId=ST-1-SDZwYUPRAVYcRYqnvtBi0D-XrIQSCS-S12,
>>> service=AbstractWebApplicationService(id=
>>> https://localhost:8443/vcm/j_spring_cas_security_check, originalUrl=
>>> https://localhost:8443/vcm/j_spring_cas_security_check,
>>> artifactId=null, [email protected], source=service,
>>> loggedOutAlready=false, format=XML, attributes={}), status=NOT_ATTEMPTED,
>>> logoutUrl=https://localhost:8443/cas/logout)] created for
>>> [AbstractWebApplicationService(id=
>>> https://localhost:8443/vcm/j_spring_cas_security_check, originalUrl=
>>> https://localhost:8443/vcm/j_spring_cas_security_check,
>>> artifactId=null, [email protected], source=service,
>>> loggedOutAlready=false, format=XML, attributes={})] and ticket id
>>> [ST-1-SDZwYUPRAVYcRYqnvtBi0D-XrIQSCS-S12]>
>>> 2018-09-04 17:29:21,401 DEBUG
>>> [org.apereo.cas.logout.DefaultSingleLogoutServiceMessageHandler] - <Logout
>>> type registered for [AbstractWebApplicationService(id=
>>> https://localhost:8443/vcm/j_spring_cas_security_check, originalUrl=
>>> https://localhost:8443/vcm/j_spring_cas_security_check,
>>> artifactId=null, [email protected], source=service,
>>> loggedOutAlready=false, format=XML, attributes={})] is [BACK_CHANNEL]>
>>> 2018-09-04 17:29:21,402 DEBUG
>>> [org.apereo.cas.logout.DefaultSingleLogoutServiceMessageHandler] -
>>> <Creating back-channel logout request based on
>>> [DefaultLogoutRequest(ticketId=ST-1-SDZwYUPRAVYcRYqnvtBi0D-XrIQSCS-S12,
>>> service=AbstractWebApplicationService(id=
>>> https://localhost:8443/vcm/j_spring_cas_security_check, originalUrl=
>>> https://localhost:8443/vcm/j_spring_cas_security_check,
>>> artifactId=null, [email protected], source=service,
>>> loggedOutAlready=false, format=XML, attributes={}), status=NOT_ATTEMPTED,
>>> logoutUrl=https://localhost:8443/cas/logout)]>
>>> 2018-09-04 17:29:21,478 DEBUG
>>> [org.apereo.cas.logout.SamlCompliantLogoutMessageCreator] - <Generated
>>> logout message: [<samlp:LogoutRequest
>>> xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
>>> ID="LR-1-Zkra8FA-8YIF7kVhWkRWyAWy" Version="2.0"
>>> IssueInstant="2018-09-04T17:29:21Z"><saml:NameID
>>> xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">@NOT_USED@
>>> </saml:NameID><samlp:SessionIndex>ST-1-SDZwYUPRAVYcRYqnvtBi0D-XrIQSCS-S12</samlp:SessionIndex></samlp:LogoutRequest>]>
>>> 2018-09-04 17:29:21,478 DEBUG
>>> [org.apereo.cas.logout.DefaultSingleLogoutServiceMessageHandler] -
>>> <Preparing logout request for [
>>> https://localhost:8443/vcm/j_spring_cas_security_check] to [
>>> https://localhost:8443/cas/logout]>
>>> 2018-09-04 17:29:21,485 DEBUG
>>> [org.apereo.cas.logout.DefaultSingleLogoutServiceMessageHandler] -
>>> <Prepared logout message to send is [HttpMessage(url=
>>> https://localhost:8443/cas/logout,
>>> message=logoutRequest=%3Csamlp%3ALogoutRequest+xmlns%3Asamlp%3D%22urn%3Aoasis%3Anames%3Atc%3ASAML%3A2.0%3Aprotocol%22+ID%3D%22LR-1-Zkra8FA-8YIF7kVhWkRWyAWy%22+Version%3D%222.0%22+IssueInstant%3D%222018-09-04T17%3A29%3A21Z%22%3E%3Csaml%3ANameID+xmlns%3Asaml%3D%22urn%3Aoasis%3Anames%3Atc%3ASAML%3A2.0%3Aassertion%22%3E%40NOT_USED%40%3C%2Fsaml%3ANameID%3E%3Csamlp%3ASessionIndex%3EST-1-SDZwYUPRAVYcRYqnvtBi0D-XrIQSCS-S12%3C%2Fsamlp%3ASessionIndex%3E%3C%2Fsamlp%3ALogoutRequest%3E,
>>> responseCode=0, asynchronous=true,
>>> contentType=application/x-www-form-urlencoded)]. Sending...>
>>> 2018-09-04 17:29:21,532 DEBUG
>>> [org.apereo.cas.util.http.SimpleHttpClient] - <Created HTTP post message
>>> payload [POST https://localhost:8443/cas/logout HTTP/1.1]>
>>> 2018-09-04 17:29:21,558 INFO
>>> [org.apereo.cas.logout.DefaultLogoutManager] - <[1] logout requests were
>>> processed>
>>>
>>>
>>> I have gone through the CAS codebase; as per my understanding, CAS is
>>> not getting some SAML metadata for the given SP for logout.
>>> I have added a "SamlRegisteredService" service registry for the same, but
>>> no luck.
>>>
>>> service registry:
>>>
>>> {
>>>   "@class" : "org.apereo.cas.support.saml.services.SamlRegisteredService",
>>>   "serviceId" : "urn:herb:saml:pac4j.org",
>>>   "name" : "SAMLService",
>>>   "id" : 10000003,
>>>   "evaluationOrder" : 10,
>>>   "metadataLocation" : "https://myoktaClient.com/app/exkfsyqtvxlhZ2i9f0h7/sso/saml/metadata"
>>> }
>>>
>>> Also, I have added logoutType and logoutUrl in
>>> HTTPSandIMAPS-10000001.json registry file as below,
>>>
>>>  "logoutType": "BACK_CHANNEL",
>>>  "logoutUrl": "https://localhost:8443/cas/logout",
>>>
>>>
>>> Is there anything missing?
>>>
>>> Thanks,
>>> Sarika D.
>>>
>>>
>>> On Monday, 2 October 2017 12:49:48 UTC+5:30, Антон Шихмат wrote:
>>>>
>>>> Hello everyone,
>>>>
>>>> I'm trying to integrate CAS SAML 2 delegated auth with OKTA using this
>>>> tutorial https://apereo.github.io/2017/03/22/cas51-delauthn-tutorial/
>>>> The CAS properties file should contain these values: the keystore path (the
>>>> keystore that contains the OKTA signing certificate), the keystore password
>>>> and the private key password.
>>>> OKTA provides the signing certificate, so I can create a keystore using it.
>>>> But OKTA does not provide a private key for this certificate (or at least I
>>>> cannot find it). I cannot leave this value empty, because I will receive an
>>>> exception during CAS startup.
>>>> Can anyone help me: how can I configure the OKTA integration without a
>>>> private key, or where can I find it?
>>>>
>>>> Thanks
>>>>
>>> --
> - Website: https://apereo.github.io/cas
> - Gitter Chatroom: https://gitter.im/apereo/cas
> - List Guidelines: https://goo.gl/1VRrw7
> - Contributions: https://goo.gl/mh7qDG
> ---
> You received this message because you are subscribed to the Google Groups
> "CAS Community" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> To view this discussion on the web visit
> https://groups.google.com/a/apereo.org/d/msgid/cas-user/8991dc0a-fdb9-4ec4-8056-49beff69d714%40apereo.org
> <https://groups.google.com/a/apereo.org/d/msgid/cas-user/8991dc0a-fdb9-4ec4-8056-49beff69d714%40apereo.org?utm_medium=email&utm_source=footer>
> .
>
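Added here as a diagnostic for the symptoms visible in Sarika's DEBUG log (this is not code from the thread, CAS or pac4j): it decodes the back-channel logout POST CAS sent and reports why that request cannot log the user out of the IdP. The IdP host is taken from the thread's metadataLocation; the SLO path, user and session index in the constructed counter-example are assumptions.

```python
"""Decode a CAS back-channel logout POST (as printed in the DEBUG log above)
and flag why it cannot log the user out of the Okta IdP."""
import urllib.parse
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
IDP_HOST = "myoktaClient.com"  # host of the metadataLocation in the thread

# Target URL and form body exactly as printed in the DEBUG log in the thread.
LOG_URL = "https://localhost:8443/cas/logout"
LOG_BODY = (
    "logoutRequest=%3Csamlp%3ALogoutRequest+xmlns%3Asamlp%3D%22urn%3Aoasis%3Anames"
    "%3Atc%3ASAML%3A2.0%3Aprotocol%22+ID%3D%22LR-1-Zkra8FA-8YIF7kVhWkRWyAWy%22"
    "+Version%3D%222.0%22+IssueInstant%3D%222018-09-04T17%3A29%3A21Z%22%3E%3Csaml"
    "%3ANameID+xmlns%3Asaml%3D%22urn%3Aoasis%3Anames%3Atc%3ASAML%3A2.0%3Aassertion"
    "%22%3E%40NOT_USED%40%3C%2Fsaml%3ANameID%3E%3Csamlp%3ASessionIndex%3EST-1-"
    "SDZwYUPRAVYcRYqnvtBi0D-XrIQSCS-S12%3C%2Fsamlp%3ASessionIndex%3E%3C%2Fsamlp"
    "%3ALogoutRequest%3E"
)

# Constructed counter-example of a SAML SLO request addressed to the IdP: the
# Issuer is the SP entity id from the thread; SLO path, user and index are made up.
GOOD_URL = f"https://{IDP_HOST}/app/exkfsyqtvxlhZ2i9f0h7/slo/saml"
GOOD_XML = (
    f'<samlp:LogoutRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
    f'ID="LR-2-constructed" Version="2.0" IssueInstant="2018-09-04T17:29:21Z" '
    f'Destination="{GOOD_URL}"><saml:Issuer>urn:herb:saml:pac4j.org</saml:Issuer>'
    "<saml:NameID>jdoe@example.org</saml:NameID>"
    "<samlp:SessionIndex>_okta-session-constructed</samlp:SessionIndex>"
    "</samlp:LogoutRequest>"
)
GOOD_BODY = urllib.parse.urlencode({"logoutRequest": GOOD_XML})

def diagnose(url: str, body: str, idp_host: str = IDP_HOST) -> dict:
    """Symptom -> bool for one logout POST; all False means the IdP can act on it."""
    root = ET.fromstring(urllib.parse.parse_qs(body)["logoutRequest"][0])
    name_id = root.findtext(f"{{{SAML}}}NameID", default="").strip()
    session_index = root.findtext(f"{{{SAMLP}}}SessionIndex", default="")
    return {
        # Posted to CAS itself: the service was not matched as a SAML service,
        # so CAS fell back to the registered logoutUrl.
        "not_sent_to_idp": urllib.parse.urlsplit(url).hostname != idp_host.lower(),
        # A SAML SLO request to an IdP carries the SP's Issuer; this one has none.
        "missing_issuer": root.find(f"{{{SAML}}}Issuer") is None,
        # No SAML subject for the session (the pac4j UserProfile was not found).
        "nameid_placeholder": name_id in ("", "@NOT_USED@"),
        # A CAS service ticket, not the SessionIndex Okta issued in its assertion.
        "sessionindex_is_cas_ticket": session_index.startswith("ST-"),
    }
```

Run against the log's payload every symptom is True; against the constructed request addressed to the IdP every symptom is False.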
