I debugged CAS and found strange behavior
1. Keycloak sends a correct request to the "/idp/profile/SAML2/POST/SLO"
endpoint
2. CAS sends a redirect to "/cas/logout" in both cases (http and https);
however, the session is invalidated in http mode only
- https://github.com/apereo/cas/blob/master/support/cas-server-support-saml-idp-web/src/main/java/org/apereo/cas/support/saml/web/idp/profile/slo/AbstractSamlSLOProfileHandlerController.java#L70
3. The Java code related to "/cas/logout" isn't triggered; however, it is
triggered when I call "/cas/logout" in the browser
- https://github.com/apereo/cas/blob/master/core/cas-server-core-logout-api/src/main/java/org/apereo/cas/logout/DefaultLogoutManager.java#L37
Why isn't the code related to "/cas/logout" triggered?
On Wednesday, March 18, 2020 at 5:29:09 PM UTC+2, Maksim Kopeyka wrote:
>
> I excluded nginx from my local env, so I have only the executable CAS.war and
> Keycloak.
> I configured CAS to use SSL in this way:
>
> server.ssl.enabled=true
> server.ssl.key-store-type=JKS
> server.ssl.key-store=C:/Environment/jdk-11.0.5/bin/caskeystore.jks
> server.ssl.key-store-password=changeit
> server.ssl.key-alias=my.cas.com
>
> Backchannel logout doesn't work. It looks like SSL causes this issue; it doesn't
> matter whether it's nginx or embedded Tomcat.
>
> On Tuesday, March 17, 2020 at 11:49:34 PM UTC+2, Maksim Kopeyka wrote:
>>
>> Ray,
>>
>> I have had some issues related to a self-signed certificate on my local
>> env. CAS and Keycloak produced an exception related to the certificate and the
>> flow didn't work at all.
>> I regenerated the certificate for the domain instead of 127.0.0.1 and all
>> exceptions were gone. So it's not an issue with the certificate.
>> Also I have the same problem on a real environment with a real certificate.
>> It also works fine without SSL, but with SSL the CAS session stays alive after
>> logout in Keycloak.
>>
>> On Tuesday, March 17, 2020 at 5:44:35 PM UTC+2, rbon wrote:
>>>
>>> Maksim,
>>>
>>> Could this be a certificate issue?
>>>
>>> If this is a self-signed certificate, you will need to add it to the Java
>>> keystore (trust store).
>>> https://www.digitalocean.com/community/tutorials/java-keytool-essentials-working-with-java-keystores
>>>
>>> Ray
>>>
>>> On Mon, 2020-03-16 at 16:46 -0700, 'Maksim Kopeyka' via CAS Community
>>> wrote:
>>>
>>> That's interesting. Backchannel logout works when the load balancer of
>>> CAS (nginx) doesn't use SSL; however, backchannel doesn't work when nginx
>>> uses SSL.
>>> I see the same output in the console of the CAS server in both cases (with SSL
>>> and without SSL).
>>>
>>> --
>>>
>>> Ray Bon
>>> Programmer Analyst
>>> Development Services, University Systems
>>> 2507218831 | CLE 019 | [email protected]
>>>
>>> I respectfully acknowledge that my place of work is located within the
>>> ancestral, traditional and unceded territory of the Songhees, Esquimalt and
>>> WSÁNEĆ Nations.
>>>
>>
--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
To view this discussion on the web visit
https://groups.google.com/a/apereo.org/d/msgid/cas-user/9f7a364f-a4b6-4644-bd8d-6f86ce16e4ef%40apereo.org.