I am using CAS 5.1.1, which comes with pac4j 2.0.0.

On Friday, December 20, 2019 at 8:34:55 AM UTC+1, leleuj wrote:
>
> Hi,
>
> Which version of CAS (and pac4j) do you use? Do you have one or more CAS 
> servers?
> Thanks.
> Best regards,
> Jérôme
>
> On Thu, Dec 19, 2019 at 17:28, Filip Majernik <[email protected]> wrote:
>
>> Hi Sarika,
>> I am facing the same issue. The SAML logout request to Okta does not 
>> work. After debugging I have found out that in pac4j's implementation in 
>> SAML2LogoutRequestBuilder the UserProfile cannot be retrieved from the 
>> context, hence no sessionIndex as nameId is added to the request. This 
>> UserProfile should be created and kept in session after the user has 
>> successfully authenticated in the IdP, but it isn't. Looking at the Pac4J 
>> documentation I assume that there is no CallbackFilter initialized in CAS 
>> which would store the UserProfile in the session, but I cannot confirm this.
>>
>> Does anybody know how to make this work?
>>
>> Thanks,
>> Filip
>>
>>
>> On Friday, September 14, 2018 at 7:24:44 AM UTC+2, sarika deshmukh wrote:
>>>
>>> Hi,
>>>
>>> Is there any update on this issue?
>>>
>>> Thanks in advance.
>>>
>>>
>>> On Tuesday, 4 September 2018 18:34:10 UTC+5:30, sarika deshmukh wrote:
>>>>
>>>> Hi Ganesh,
>>>>
>>>> Sorry for the late reply.
>>>> I have checked logs as well, it seems like CAS is not connecting with 
>>>> OKTA at the time of logout.
>>>>
>>>> log details:
>>>> 2018-09-04 17:29:21,173 DEBUG 
>>>> [org.apereo.cas.support.saml.services.SamlIdPSingleLogoutServiceLogoutUrlBuilder]
>>>>  
>>>> - <Service [AbstractRegisteredService(serviceId=^https://.*, name=HTTPS, 
>>>> theme=null, informationUrl=null, privacyUrl=null, responseType=null, 
>>>> id=10000001, description=This service definition authorizes all 
>>>> application 
>>>> urls that support HTTPS and IMAPS protocols., 
>>>> expirationPolicy=DefaultRegisteredServiceExpirationPolicy(deleteWhenExpired=false,
>>>>  
>>>> notifyWhenDeleted=false, expirationDate=null), 
>>>> proxyPolicy=org.apereo.cas.services.RefuseRegisteredServiceProxyPolicy@1, 
>>>> evaluationOrder=10000, 
>>>> usernameAttributeProvider=org.apereo.cas.services.DefaultRegisteredServiceUsernameProvider@87297e2,
>>>>  
>>>> logoutType=BACK_CHANNEL, requiredHandlers=[], 
>>>> attributeReleasePolicy=ReturnAllowedAttributeReleasePolicy(super=AbstractRegisteredServiceAttributeReleasePolicy(attributeFilter=null,
>>>>  
>>>> principalAttributesRepository=DefaultPrincipalAttributesRepository(), 
>>>> consentPolicy=DefaultRegisteredServiceConsentPolicy(enabled=true, 
>>>> excludedAttributes=null, includeOnlyAttributes=null), 
>>>> authorizedToReleaseCredentialPassword=false, 
>>>> authorizedToReleaseProxyGrantingTicket=false, 
>>>> excludeDefaultAttributes=false, 
>>>> authorizedToReleaseAuthenticationAttributes=true, 
>>>> principalIdAttribute=null), allowedAttributes=[]), 
>>>> multifactorPolicy=DefaultRegisteredServiceMultifactorPolicy(multifactorAuthenticationProviders=[],
>>>>  
>>>> failureMode=NOT_SET, principalAttributeNameTrigger=null, 
>>>> principalAttributeValueToMatch=null, bypassEnabled=false), logo=null, 
>>>> logoutUrl=https://localhost:8443/cas/logout, 
>>>> accessStrategy=DefaultRegisteredServiceAccessStrategy(order=0, 
>>>> enabled=true, ssoEnabled=true, unauthorizedRedirectUrl=null, 
>>>> delegatedAuthenticationPolicy=DefaultRegisteredServiceDelegatedAuthenticationPolicy(allowedProviders=[SAML2Client]),
>>>>  
>>>> requireAllAttributes=true, requiredAttributes={}, rejectedAttributes={}, 
>>>> caseInsensitive=false), publicKey=null, properties={}, contacts=[])] is 
>>>> not 
>>>> a SAML service, or its logout url could not be determined>
>>>> 2018-09-04 17:29:21,173 DEBUG 
>>>> [org.apereo.cas.logout.DefaultSingleLogoutServiceLogoutUrlBuilder] - 
>>>> <Logout request will be sent to [https://localhost:8443/cas/logout] 
>>>> for service [AbstractWebApplicationService(id=
>>>> https://localhost:8443/vcm/j_spring_cas_security_check, originalUrl=
>>>> https://localhost:8443/vcm/j_spring_cas_security_check, 
>>>> artifactId=null, [email protected], source=service, 
>>>> loggedOutAlready=false, format=XML, attributes={})]>
>>>> 2018-09-04 17:29:21,174 DEBUG 
>>>> [org.apereo.cas.logout.DefaultSingleLogoutServiceMessageHandler] - 
>>>> <Prepared logout url [[https://localhost:8443/cas/logout]] for service 
>>>> [AbstractWebApplicationService(id=
>>>> https://localhost:8443/vcm/j_spring_cas_security_check, originalUrl=
>>>> https://localhost:8443/vcm/j_spring_cas_security_check, 
>>>> artifactId=null, [email protected], source=service, 
>>>> loggedOutAlready=false, format=XML, attributes={})]>
>>>> 2018-09-04 17:29:21,174 DEBUG 
>>>> [org.apereo.cas.logout.DefaultSingleLogoutServiceMessageHandler] - 
>>>> <Creating logout request for [AbstractWebApplicationService(id=
>>>> https://localhost:8443/vcm/j_spring_cas_security_check, originalUrl=
>>>> https://localhost:8443/vcm/j_spring_cas_security_check, 
>>>> artifactId=null, [email protected], source=service, 
>>>> loggedOutAlready=false, format=XML, attributes={})] and ticket id 
>>>> [ST-1-SDZwYUPRAVYcRYqnvtBi0D-XrIQSCS-S12]>
>>>> 2018-09-04 17:29:21,401 DEBUG 
>>>> [org.apereo.cas.logout.DefaultSingleLogoutServiceMessageHandler] - <Logout 
>>>> request 
>>>> [DefaultLogoutRequest(ticketId=ST-1-SDZwYUPRAVYcRYqnvtBi0D-XrIQSCS-S12, 
>>>> service=AbstractWebApplicationService(id=
>>>> https://localhost:8443/vcm/j_spring_cas_security_check, originalUrl=
>>>> https://localhost:8443/vcm/j_spring_cas_security_check, 
>>>> artifactId=null, [email protected], source=service, 
>>>> loggedOutAlready=false, format=XML, attributes={}), status=NOT_ATTEMPTED, 
>>>> logoutUrl=https://localhost:8443/cas/logout)] created for 
>>>> [AbstractWebApplicationService(id=
>>>> https://localhost:8443/vcm/j_spring_cas_security_check, originalUrl=
>>>> https://localhost:8443/vcm/j_spring_cas_security_check, 
>>>> artifactId=null, [email protected], source=service, 
>>>> loggedOutAlready=false, format=XML, attributes={})] and ticket id 
>>>> [ST-1-SDZwYUPRAVYcRYqnvtBi0D-XrIQSCS-S12]>
>>>> 2018-09-04 17:29:21,401 DEBUG 
>>>> [org.apereo.cas.logout.DefaultSingleLogoutServiceMessageHandler] - <Logout 
>>>> type registered for [AbstractWebApplicationService(id=
>>>> https://localhost:8443/vcm/j_spring_cas_security_check, originalUrl=
>>>> https://localhost:8443/vcm/j_spring_cas_security_check, 
>>>> artifactId=null, [email protected], source=service, 
>>>> loggedOutAlready=false, format=XML, attributes={})] is [BACK_CHANNEL]>
>>>> 2018-09-04 17:29:21,402 DEBUG 
>>>> [org.apereo.cas.logout.DefaultSingleLogoutServiceMessageHandler] - 
>>>> <Creating back-channel logout request based on 
>>>> [DefaultLogoutRequest(ticketId=ST-1-SDZwYUPRAVYcRYqnvtBi0D-XrIQSCS-S12, 
>>>> service=AbstractWebApplicationService(id=
>>>> https://localhost:8443/vcm/j_spring_cas_security_check, originalUrl=
>>>> https://localhost:8443/vcm/j_spring_cas_security_check, 
>>>> artifactId=null, [email protected], source=service, 
>>>> loggedOutAlready=false, format=XML, attributes={}), status=NOT_ATTEMPTED, 
>>>> logoutUrl=https://localhost:8443/cas/logout)]>
>>>> 2018-09-04 17:29:21,478 DEBUG 
>>>> [org.apereo.cas.logout.SamlCompliantLogoutMessageCreator] - <Generated 
>>>> logout message: [<samlp:LogoutRequest 
>>>> xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" 
>>>> ID="LR-1-Zkra8FA-8YIF7kVhWkRWyAWy" Version="2.0" 
>>>> IssueInstant="2018-09-04T17:29:21Z"><saml:NameID 
>>>> xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">@NOT_USED@</saml:NameID><samlp:SessionIndex>ST-1-SDZwYUPRAVYcRYqnvtBi0D-XrIQSCS-S12</samlp:SessionIndex></samlp:LogoutRequest>]>
>>>> 2018-09-04 17:29:21,478 DEBUG 
>>>> [org.apereo.cas.logout.DefaultSingleLogoutServiceMessageHandler] - 
>>>> <Preparing logout request for [
>>>> https://localhost:8443/vcm/j_spring_cas_security_check] to [
>>>> https://localhost:8443/cas/logout]>
>>>> 2018-09-04 17:29:21,485 DEBUG 
>>>> [org.apereo.cas.logout.DefaultSingleLogoutServiceMessageHandler] - 
>>>> <Prepared logout message to send is [HttpMessage(url=
>>>> https://localhost:8443/cas/logout, 
>>>> message=logoutRequest=%3Csamlp%3ALogoutRequest+xmlns%3Asamlp%3D%22urn%3Aoasis%3Anames%3Atc%3ASAML%3A2.0%3Aprotocol%22+ID%3D%22LR-1-Zkra8FA-8YIF7kVhWkRWyAWy%22+Version%3D%222.0%22+IssueInstant%3D%222018-09-04T17%3A29%3A21Z%22%3E%3Csaml%3ANameID+xmlns%3Asaml%3D%22urn%3Aoasis%3Anames%3Atc%3ASAML%3A2.0%3Aassertion%22%3E%40NOT_USED%40%3C%2Fsaml%3ANameID%3E%3Csamlp%3ASessionIndex%3EST-1-SDZwYUPRAVYcRYqnvtBi0D-XrIQSCS-S12%3C%2Fsamlp%3ASessionIndex%3E%3C%2Fsamlp%3ALogoutRequest%3E,
>>>>  
>>>> responseCode=0, asynchronous=true, 
>>>> contentType=application/x-www-form-urlencoded)]. Sending...>
>>>> 2018-09-04 17:29:21,532 DEBUG 
>>>> [org.apereo.cas.util.http.SimpleHttpClient] - <Created HTTP post message 
>>>> payload [POST https://localhost:8443/cas/logout HTTP/1.1]>
>>>> 2018-09-04 17:29:21,558 INFO 
>>>> [org.apereo.cas.logout.DefaultLogoutManager] - <[1] logout requests were 
>>>> processed>
>>>>
>>>>
>>>> I have gone through the CAS codebase; as per my understanding, CAS is 
>>>> not getting some SAML metadata for a given SP for logout.
>>>> I have added "SamlRegisteredService" service registry for the same but 
>>>> no luck.
>>>>
>>>> service registry:
>>>>
>>>> {
>>>>   "@class" : "org.apereo.cas.support.saml.services.SamlRegisteredService",
>>>>   "serviceId" : "urn:herb:saml:pac4j.org",
>>>>   "name" : "SAMLService",
>>>>   "id" : 10000003,
>>>>   "evaluationOrder" : 10,
>>>>   "metadataLocation" : "https://myoktaClient.com/app/exkfsyqtvxlhZ2i9f0h7/sso/saml/metadata"
>>>> }
>>>>
>>>> Also, I have added logoutType and logoutUrl in 
>>>> HTTPSandIMAPS-10000001.json registry file as below,
>>>>
>>>>   "logoutType" : "BACK_CHANNEL",
>>>>   "logoutUrl" : "https://localhost:8443/cas/logout",
>>>>
>>>>  
>>>> Is there anything missing?
>>>>
>>>> Thanks,
>>>> Sarika D.
>>>>
>>>>
>>>> On Monday, 2 October 2017 12:49:48 UTC+5:30, Антон Шихмат wrote:
>>>>>
>>>>> Hello everyone,
>>>>>
>>>>> I'm trying to integrate CAS SAML 2 delegated auth with OKTA using this 
>>>>> tutorial https://apereo.github.io/2017/03/22/cas51-delauthn-tutorial/
>>>>> The CAS properties file should contain these values: keystore path (that 
>>>>> contains the OKTA signing certificate), keystore password and private key 
>>>>> password.
>>>>> OKTA provides a signing certificate, so I can create a keystore using 
>>>>> it. But OKTA does not provide a private key for this certificate (or at 
>>>>> least I cannot find it). I cannot leave this value empty, because I will 
>>>>> receive an exception during CAS startup.
>>>>> Can anyone help me: how can I configure the OKTA integration without a 
>>>>> private key, or where can I find it?
>>>>>
>>>>> Thanks
>>>>>
>

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/9b3cb5d8-452a-4c28-bb74-d330584d1aba%40apereo.org.
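The DEBUG log posted earlier in the thread shows CAS building a CAS-protocol back-channel logout message (NameID `@NOT_USED@`, SessionIndex equal to the service ticket) and POSTing it to its own /cas/logout rather than to Okta, and Filip reports that pac4j's SAML2LogoutRequestBuilder has no UserProfile from which to fill NameID and SessionIndex. What follows is an added example, not code from this thread, from CAS or from pac4j: a pre-flight check that decodes the exact payload from the posted log and lists why an IdP could not act on it, beside a constructed LogoutRequest carrying the fields an IdP needs to locate and end a session (Issuer, Destination, the NameID from the assertion and the IdP's SessionIndex). The IdP SLO endpoint, the NameID and the session index in the constructed request are placeholders; the Issuer reuses the serviceId from Sarika's service definition. Nothing here claims to be what pac4j emits when the profile is present, only the shape a usable request must have.

```python
"""Pre-flight check for an outgoing SAML 2.0 LogoutRequest.

Added example (not code from the thread, CAS or pac4j). Decodes the
back-channel payload CAS logged in the thread and reports why an IdP could
not act on it, then checks a constructed request that has what an IdP needs.
"""
from urllib.parse import parse_qs
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
CAS_PLACEHOLDER_NAMEID = "@NOT_USED@"

# Copied from the CAS DEBUG log posted in the thread: the form-encoded body
# CAS POSTs to its own /cas/logout (logoutType BACK_CHANNEL).
CAS_LOG_PAYLOAD = (
    "logoutRequest=%3Csamlp%3ALogoutRequest+xmlns%3Asamlp%3D%22urn%3Aoasis"
    "%3Anames%3Atc%3ASAML%3A2.0%3Aprotocol%22+ID%3D%22LR-1-Zkra8FA-8YIF7kVhWkRWyAWy"
    "%22+Version%3D%222.0%22+IssueInstant%3D%222018-09-04T17%3A29%3A21Z%22%3E"
    "%3Csaml%3ANameID+xmlns%3Asaml%3D%22urn%3Aoasis%3Anames%3Atc%3ASAML%3A2.0"
    "%3Aassertion%22%3E%40NOT_USED%40%3C%2Fsaml%3ANameID%3E%3Csamlp%3ASessionIndex"
    "%3EST-1-SDZwYUPRAVYcRYqnvtBi0D-XrIQSCS-S12%3C%2Fsamlp%3ASessionIndex%3E"
    "%3C%2Fsamlp%3ALogoutRequest%3E"
)

# Constructed example of a request an IdP could act on. Destination, NameID
# and SessionIndex are placeholders; the Issuer is the SP entity ID used as
# serviceId in the thread's SamlRegisteredService definition.
IDP_BOUND_REQUEST = f"""<samlp:LogoutRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}"
    ID="_constructed-id-1" Version="2.0" IssueInstant="2019-12-20T08:00:00Z"
    Destination="https://idp.example.test/saml/slo">
  <saml:Issuer>urn:herb:saml:pac4j.org</saml:Issuer>
  <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">user@example.test</saml:NameID>
  <samlp:SessionIndex>_constructed-idp-session-index</samlp:SessionIndex>
</samlp:LogoutRequest>"""


def decode_cas_payload(form_body: str) -> str:
    """Return the XML carried in the form-encoded 'logoutRequest' parameter."""
    params = parse_qs(form_body, strict_parsing=True)
    return params["logoutRequest"][0]


def inspect_logout_request(xml_text: str) -> dict:
    """Extract the fields an IdP needs to locate and end a session.

    xml.etree is acceptable here because the input is our own outgoing
    message; parse XML received from a peer with defusedxml instead.
    """
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP}}}LogoutRequest":
        raise ValueError(f"not a samlp:LogoutRequest: {root.tag}")

    def text_of(tag: str):
        el = root.find(tag)
        return el.text.strip() if el is not None and el.text else None

    return {
        "id": root.get("ID"),
        "destination": root.get("Destination"),
        "issuer": text_of(f"{{{SAML}}}Issuer"),
        "name_id": text_of(f"{{{SAML}}}NameID"),
        "session_index": text_of(f"{{{SAMLP}}}SessionIndex"),
    }


def problems(info: dict) -> list:
    """Reasons an IdP could not honour this request (empty list = usable)."""
    found = []
    if not info["issuer"]:
        found.append("no saml:Issuer: the IdP cannot tell which SP is asking")
    if not info["destination"]:
        found.append("no Destination: the request is not addressed to an IdP SLO endpoint")
    if not info["name_id"] or info["name_id"] == CAS_PLACEHOLDER_NAMEID:
        found.append("NameID missing or CAS placeholder: the IdP cannot map it to a subject")
    if not info["session_index"]:
        found.append("no SessionIndex: the IdP cannot pick the session to end")
    elif info["session_index"].startswith("ST-"):
        found.append("SessionIndex is a CAS service ticket id, not the IdP's session index")
    return found


def usable_for_idp_logout(xml_text: str) -> bool:
    """True only when nothing in the request would stop an IdP acting on it."""
    return not problems(inspect_logout_request(xml_text))


if __name__ == "__main__":
    for label, xml_text in (("CAS log payload", decode_cas_payload(CAS_LOG_PAYLOAD)),
                            ("IdP-bound request", IDP_BOUND_REQUEST)):
        info = inspect_logout_request(xml_text)
        print(label, info)
        for p in problems(info):
            print("  -", p)
```

Running it against the logged payload lists four findings (no Issuer, no Destination, placeholder NameID, service-ticket SessionIndex), which is the same conclusion Filip reached by debugging: without the stored profile there is nothing in the message that Okta could match to one of its sessions, so the IdP session survives. The constructed request passes, which is the shape to look for in the CAS log once the delegated-authentication profile is available to the logout builder.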
