Thanks for your reply, Ray. I appreciate it.

I agree with you, but first I had a meeting with a Microsoft technician. He 
told us that this is the Microsoft SAML behaviour. He will report the issue to 
another department, but there is no plan to change it soon.

In this situation we are thinking about accepting SAML logout requests without 
signing in our CAS instance. Considering it calmly, accepting a logout request 
without signing isn't a security issue. It's only a logout request. Obviously we 
know that in an ideal situation it's better to accept logout requests with 
signing. We don't have better options right now.

We are thinking about doing a custom implementation. Do you know any better 
CAS options?

Thanks so much.

Enrique.

On Saturday, 18 December 2021 at 19:39:51 UTC+1, Ray Bon wrote:

> Enrique,
>
>
> This is a security shortcoming in the office 365 config. You do not want 
> to accept unsigned logout requests.
>
> First try to fix office 365.
>
>
> Ray
>
>
> ------------------------------
> *From:* [email protected] <[email protected]> on behalf of Enrique 
> Guerrero <[email protected]>
> *Sent:* December 17, 2021 02:02
> *To:* CAS Community
> *Subject:* [cas-user] CAS 6.4.4.1 Microsoft SAML logout request failed 
>
> Hi there. 
>
> I'm using CAS (v6.4.4.1) as IdP for users who want to use Office 365. I 
> configured the integration following this guide: 
> https://apereo.github.io/2018/12/06/cas53-office365-saml2-integration/
>
> Login and the SSO session work fine through the SAML protocol. The failure 
> occurs at logout. We saw that Microsoft sends the SAML LogoutRequest without 
> signing. This causes an error on CAS, which reports that the validation of 
> the request simple signature failed for context issuer: 
> "urn:federation:MicrosoftOnline".
>
> I attempted to allow SAML logout requests without signing by setting this 
> property (cas.authn.saml-idp.logout.force-signed-logout-requests=false), 
> documented at 
> https://apereo.github.io/cas/6.3.x/configuration/Configuration-Properties.html#saml-logout
> , but it does nothing.
>
> This SAML logout failure doesn't happen in our integration with Cisco Webex. 
> Cisco sends us the SAML logout request with a valid signature, which results 
> in a correct logout on CAS.
>
> =======================================================================
>
> These are the Microsoft SAML LogoutRequest and the CAS log:
>
> <samlp:LogoutRequest
>     ID="_432d86e3-f344-4f1e-b553-a6c49e38ce2c"
>     Version="2.0"
>     IssueInstant="2021-11-42T19:10:29.132Z"
>     Destination="https://<OUR_CAS_INSTANCE>/cas/idp/profile/SAML2/Redirect/SLO"
>     xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
>   <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">urn:federation:MicrosoftOnline</Issuer>
>   <NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
>           xmlns="urn:oasis:names:tc:SAML:2.0:assertion">localUsername</NameID>
>   <samlp:SessionIndex>ST-13-ZXChfuWEi-uGlIlVejtucpHznlw-sv0181</samlp:SessionIndex>
> </samlp:LogoutRequest>
>
> =======================================================================
>
> 2021-11-24 19:10:29,947 ERROR [org.apereo.cas.services.web.support.RegisteredServiceResponseHeadersEnforcementFilter]
> - <NullPointerException> java.lang.NullPointerException: null
>     at org.apereo.cas.support.saml.services.SamlIdPEntityIdAuthenticationServiceSelectionStrategy.supports(SamlIdPEntityIdAuthenticationServiceSelectionStrategy.java:48) ~[cas-server-support-saml-idp-metadata-6.4.2.jar:6.4.2]
>     at org.apereo.cas.authentication.DefaultAuthenticationServiceSelectionPlan.lambda$resolveService$0(DefaultAuthenticationServiceSelectionPlan.java:38) ~[cas-server-core-authentication-api-6.4.2.jar:6.4.2]
>     ... (remaining stream, servlet filter and Tomcat frames omitted)
> 2021-11-24 19:10:30,031 WARN [org.opensaml.saml.common.binding.security.impl.BaseSAMLSimpleSignatureSecurityHandler]
> - <Message Handler: Simple signature validation (with no request-derived credentials) failed>
> 2021-11-24 19:10:30,032 WARN [org.opensaml.saml.common.binding.security.impl.BaseSAMLSimpleSignatureSecurityHandler]
> - <Message Handler: Validation of request simple signature failed for context issuer: urn:federation:MicrosoftOnline>
>
> Do you know a way for CAS to accept SAML logout requests without signing?
>
> Thanks so much for your support!
>
> -- 
> - Website: https://apereo.github.io/cas
> - Gitter Chatroom: https://gitter.im/apereo/cas
> - List Guidelines: https://goo.gl/1VRrw7
> - Contributions: https://goo.gl/mh7qDG
> --- 
> You received this message because you are subscribed to the Google Groups 
> "CAS Community" group.
> To unsubscribe from this group and stop receiving emails from it, send an 
> email to [email protected].
> To view this discussion on the web visit 
> https://groups.google.com/a/apereo.org/d/msgid/cas-user/1262758a-d89f-4ee1-9ff7-474035ce9933n%40apereo.org
>  
> <https://groups.google.com/a/apereo.org/d/msgid/cas-user/1262758a-d89f-4ee1-9ff7-474035ce9933n%40apereo.org?utm_medium=email&utm_source=footer>
> .
>

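As a defender-side diagnostic for the situation in this thread (an added example, not code from CAS or from either poster): decode a Redirect-binding SLO call to the IdP and report whether the LogoutRequest carries any signature at all, which is what the "simple signature validation failed" warning above is about. The host name, request IDs and helper names are assumptions.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode, urlparse

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
DS = "http://www.w3.org/2000/09/xmldsig#"
SLO_ENDPOINT = "https://cas.example.org/cas/idp/profile/SAML2/Redirect/SLO"  # hypothetical host

# Constructed sample in the shape of the thread's LogoutRequest (IDs are made up).
UNSIGNED_LOGOUT_REQUEST = f"""<samlp:LogoutRequest ID="_constructed-request-id" Version="2.0"
    IssueInstant="2021-11-24T19:10:29.132Z" Destination="{SLO_ENDPOINT}"
    xmlns:samlp="{SAMLP}">
  <Issuer xmlns="{SAML}">urn:federation:MicrosoftOnline</Issuer>
  <NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
      xmlns="{SAML}">localUsername</NameID>
  <samlp:SessionIndex>ST-constructed-session-index</samlp:SessionIndex>
</samlp:LogoutRequest>"""

def encode_redirect_payload(xml_text):
    # HTTP-Redirect binding: raw DEFLATE (no zlib header), then base64.
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(comp.compress(xml_text.encode()) + comp.flush()).decode()

def decode_redirect_payload(param):
    return zlib.decompress(base64.b64decode(param), -15).decode()

def build_slo_url(xml_text, sig_alg=None, signature=None):
    # Constructed helper: what a service provider's Redirect-binding SLO call looks like.
    query = {"SAMLRequest": encode_redirect_payload(xml_text)}
    if sig_alg and signature:
        query.update(SigAlg=sig_alg, Signature=signature)
    return SLO_ENDPOINT + "?" + urlencode(query)

def inspect_slo_redirect(url):
    # Reports presence of a signature only; verifying it against the SP metadata
    # key is a separate step. "signed": False is the case the thread describes.
    params = {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
    root = ET.fromstring(decode_redirect_payload(params["SAMLRequest"]))
    if root.tag != f"{{{SAMLP}}}LogoutRequest":
        raise ValueError(f"unexpected SAML message: {root.tag}")
    detached = "SigAlg" in params and "Signature" in params  # Redirect binding
    embedded = root.find(f"{{{DS}}}Signature") is not None    # POST-style embedded
    return {"issuer": root.findtext(f"{{{SAML}}}Issuer"),
            "session_index": root.findtext(f"{{{SAMLP}}}SessionIndex"),
            "signed": detached or embedded}
```

Running it on a captured SLO URL from the SP tells you immediately whether the request is unsigned (as in the Microsoft case) or signed but failing verification (a key or metadata problem), which are different fixes.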