You were right on the first guess,

Google was logging the user out; however, since CAS never properly saw the
logout, it could not destroy / invalidate the ticket. It turns out
something was entered incorrectly on Google's side. Once I changed the
logout URL to the /cas/logout endpoint, without typos, I was able to
successfully log out of both CAS and Google mail.

-Jeremiah Garmatter, Systems Administrator
-Ohio Northern University, Class of 2020
-Work: 419-772-1074 Cell: 419-672-8685
[email protected]


On Mon, Aug 17, 2020 at 11:52 AM Richard Frovarp <[email protected]>
wrote:

> I haven't chased down the logout operation. You're going to need to look, but
> I'm guessing that they are getting logged out on the Google side, but an
> SSO session is still active in the IdP? Or is it that after logout it isn't
> doing a logout on the Google side?
>
> On Mon, 2020-08-17 at 08:29 -0700, Jeremiah Garmatter wrote:
>
> Richard,
>
> I've got one more question for you.
> First, I'd like to say that all of the sign-in procedure worked perfectly,
> so thank you for that.
>
> The only problem I have now is with the logout URL on Google. Before we
> could set up the SSO, we had to enter a logout URL for Google to use. At
> first, I tried the /idp/profile/SAML2/Redirect/SLO endpoint, but after the
> redirect, I get a 500 internal error stating " Error: No SAMLRequest or
> SAMLResponse query path parameter, invalid SAML 2 HTTP Redirect message "
> as I am redirected to https://XXXXX/cas/idp/profile/SAML2/Redirect/SLO. I
> then realized that, despite being a SAML2 provider, when attempting to
> access my gsuitetest gmail account, I was redirected to
> https://XXXXX/cas/login?service=<big service string>. This led me to
> believe that I could use the /cas/logout endpoint as the logout URL (
> https://XXXXXX/cas/logout). I was greeted with the "logout successful"
> page, but when I opened a new tab to access my gsuitetest email, I was not
> prompted to enter my credentials; I could access my emails as if the cookie
> was still in use.
>
> I was wondering if you knew how to properly sign a google user out of
> their email with the logout URL field on Google?
>
> On Friday, August 14, 2020 at 12:10:39 PM UTC-4 Jeremiah Garmatter wrote:
>
> Sweet, thanks for all this Richard, you've saved me a lot of headache.
>
> -Jeremiah Garmatter, Systems Administrator
> -Ohio Northern University, Class of 2020
> -Work: 419-772-1074 Cell: 419-672-8685
> [email protected]
>
> On Fri, Aug 14, 2020 at 12:06 PM Richard Frovarp <[email protected]>
> wrote:
>
> I think that's controlled by the metadata, and my notes below say 1.1
> unspecified.
>
> On Fri, 2020-08-14 at 12:03 -0400, Jeremiah Garmatter wrote:
>
> Ah, I see now. I should have mentioned that, in our case, the username is
> being sent to google as well, just through that attribute. When you set up
> google's single sign on, did google's side inform you of the namespace they
> are expecting usernames to come in as?
>
> -Jeremiah Garmatter, Systems Administrator
> -Ohio Northern University, Class of 2020
> -Work: 419-772-1074 Cell: 419-672-8685
> [email protected]
>
>
> On Fri, Aug 14, 2020 at 10:24 AM Richard Frovarp <[email protected]>
> wrote:
>
> Yeah, you'll need to treat it like any other SAML2 service, including
> using the SamlRegisteredService configuration. Not entirely sure about
> attribute release. In our case, releasing the default username is all we
> need to make it work. But it should be like any other SAML2 service.
>
> The difference is they used to have a helper that simplified the SAML2
> bits for this service. That has been deprecated, and it actively interferes
> with other SAML2 services. Hence the change.
>
> On Fri, 2020-08-14 at 05:54 -0700, Jeremiah Garmatter wrote:
>
> Richard,
>
> Thank you for the advice on this. We have started the creation process of
> our gsuitetest subdomain. While waiting for Google to verify ownership, I'd
> like to probe your brain some more.
> In the past (CAS 5.2), using that Googleapps SAML dependency allowed you
> to configure the Google service with the
> *org.apereo.cas.services.RegexRegisteredService* class, if memory serves.
> Are you saying that I'll have to change the service entry to use the
> *org.apereo.cas.support.saml.services.SamlRegisteredService* class and
> configure it as a SAML2 service now? That's not an issue if I do, but I'm
> confused by that difference.
>
> Also, in the past version of CAS, I believe we sent uid attributes to
> Google; if I release that through SAML2, will I need to specify the
> namespace used (something like urn:oid:0.9.2342.19200300.100.1.1)?
>
> On Monday, August 3, 2020 at 2:00:59 PM UTC-4 richard.frovarp wrote:
>
> No, there isn't. You configure it as a SAML 2 provider. This means you have
> to craft the metadata by hand. Also, it is beyond deprecated, as it will
> kill your other SAML integrations. So it's best to just do a pure SAML
> setup with it. Here's the draft set of instructions I put together. I need
> to get these published on the public Internet somewhere, as I suspect they
> would be useful to others:
>
> G Suite now offers test domains for testing things. This can be used to
> validate SSO settings and changes.
>
> So first you may want to change to "Use a domain specific issuer" to
> differentiate between your normal instance and the test one. That will
> result in an issuer looking like this:
>
> google.com/a/gsuitetest.ndsu.edu
>
> instead of
>
> google.com
>
> The Sign-in page URL is this, off of your IdP:
>
> cas/idp/profile/SAML2/Redirect/SSO
>
> The certificate provided needs to be your SAML 2 signing certificate.
>
> From here you will need to generate metadata to give CAS. You can use this
> service to generate the metadata:
>
> https://www.samltool.com/sp_metadata.php
>
> Values:
>
> Entity ID: The issuer, which in my case is
> google.com/a/gsuitetest.ndsu.edu
>
> ACS Endpoint: This can be got by doing a test auth from G Suite and using
> SAML Tracer, but looks like this for my test domain:
> https://www.google.com/a/gsuitetest.ndsu.edu/acs
>
> Nameid Format: Leave at 1.1 unspecified
>
> You don't need a cert. You need to upload your SAML certificate to Google
> so that it can verify the response.
>
> You will need to edit the generated metadata to remove the "validUntil"
> attribute, as it is set to expire very quickly.
>
>
> On Mon, 2020-08-03 at 10:50 -0700, Jeremiah Garmatter wrote:
>
> Hello,
>
> I've recently upgraded my CAS server from 5.3.14 to 6.2.1 and had a
> question about Google Apps integration.
>
> On the older system, there was a gradle dependency for google apps SAML:
> implementation "org.apereo.cas:cas-server-support-saml-googleapps:${project.'cas.version'}"
>
>
> I get a deprecation warning when using this:
> CAS integration with Google Apps is now deprecated and scheduled to be
> removed in the future. The functionality is now redundant and unnecessary
> with CAS able to provide SAML2 identity provider features.To handle the
> integration, you should configure CAS to act as a SAML2 identity provider
> and remove this integration from your deployment to protected against
> future removals and surprises.>
>
> I've changed to use the SAML 2 dependency:
> implementation "org.apereo.cas:cas-server-support-saml-idp:${project.'cas.version'}"
> but I'm not sure what to do about Google's properties. There were
> properties defined for public and private keys within cas.properties:
> cas.google-apps.private-key-location=
> cas.google-apps.public-key-location=
> cas.google-apps.key-algorithm=RSA
>
> Are there equivalent properties for SAML2?
>
> --
> - Website: https://apereo.github.io/cas
> - Gitter Chatroom: https://gitter.im/apereo/cas
> - List Guidelines: https://goo.gl/1VRrw7
> - Contributions: https://goo.gl/mh7qDG
> ---
> You received this message because you are subscribed to a topic in the
> Google Groups "CAS Community" group.
> To unsubscribe from this topic, visit
> https://groups.google.com/a/apereo.org/d/topic/cas-user/hglzuGZMIWg/unsubscribe
> .
> To unsubscribe from this group and all its topics, send an email to
> [email protected].
> To view this discussion on the web visit
> https://groups.google.com/a/apereo.org/d/msgid/cas-user/03c5e613172ba07fdcb4c8acf1adc1393103e2f4.camel%40ndsu.edu
> <https://groups.google.com/a/apereo.org/d/msgid/cas-user/03c5e613172ba07fdcb4c8acf1adc1393103e2f4.camel%40ndsu.edu?utm_medium=email&utm_source=footer>
> .
>
>
>

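
The draft setup steps in Richard's instructions above (domain-specific issuer as entity ID, Google's /acs endpoint, NameID format 1.1 unspecified, and stripping the validUntil attribute from generated metadata), as an added Python example that is not from the thread, CAS or Google: it builds the SP metadata for a test domain, removes validUntil from a generator's output, and checks the file before it is registered as a SamlRegisteredService. The HTTP-POST ACS binding is an assumption; the thread does not state it.

```python
"""Build and sanity-check SAML2 SP metadata for a Google Workspace domain.
Added example, not CAS/Google code; assumes HTTP-POST ACS binding."""
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
ET.register_namespace("md", MD)
NAMEID_UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"


def build_google_sp_metadata(domain: str) -> str:
    """Return SP metadata for Google with a domain-specific issuer and no
    validUntil attribute, so CAS does not treat the file as expired."""
    ed = ET.Element(f"{{{MD}}}EntityDescriptor",
                    {"entityID": f"google.com/a/{domain}"})
    sp = ET.SubElement(ed, f"{{{MD}}}SPSSODescriptor", {
        "WantAssertionsSigned": "true",  # Google verifies with the uploaded cert
        "protocolSupportEnumeration": "urn:oasis:names:tc:SAML:2.0:protocol",
    })
    ET.SubElement(sp, f"{{{MD}}}NameIDFormat").text = NAMEID_UNSPECIFIED
    ET.SubElement(sp, f"{{{MD}}}AssertionConsumerService", {
        "Binding": HTTP_POST, "index": "1",
        "Location": f"https://www.google.com/a/{domain}/acs",
    })
    return ET.tostring(ed, encoding="unicode")


def strip_valid_until(metadata_xml: str) -> str:
    """Drop the validUntil attribute a generator such as samltool.com adds."""
    root = ET.fromstring(metadata_xml)
    for el in root.iter():
        el.attrib.pop("validUntil", None)
    return ET.tostring(root, encoding="unicode")


def check_google_sp_metadata(metadata_xml: str, domain: str) -> list:
    """Return the problems found; an empty list means ready to register in CAS."""
    root = ET.fromstring(metadata_xml)
    if root.tag != f"{{{MD}}}EntityDescriptor":
        return ["root element is not md:EntityDescriptor"]
    problems = []
    if root.get("entityID") != f"google.com/a/{domain}":
        problems.append("entityID is not the domain-specific issuer")
    if "validUntil" in root.attrib:
        problems.append("validUntil present: metadata expires quickly")
    acs = {e.get("Location") for e in root.iter(f"{{{MD}}}AssertionConsumerService")}
    if f"https://www.google.com/a/{domain}/acs" not in acs:
        problems.append("no ACS pointing at Google's /acs for the domain")
    if NAMEID_UNSPECIFIED not in {e.text for e in root.iter(f"{{{MD}}}NameIDFormat")}:
        problems.append("NameIDFormat is not 1.1 unspecified")
    return problems
```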