Arkady,

Is it possible that the shib SP (or the application) is not configured for SLO?


Ray

P.S. Single log out is not what you think it is and it will never do what you 
want.

On Thu, 2022-06-30 at 02:44 -0700, Arkady Keppert wrote:
Notice: This message was sent from outside the University of Victoria email 
system. Please be cautious with links and sensitive information.

Not very familiar with the shibboleth configuration, I used this article:
https://dacurry-tns.github.io/deploying-apereo-cas/building_samlclient_overview.html
But the configuration is basic so the sessions are probably stored in cookies. 
But it is similar with https://samltest.id/start-idp-test/ and it does not work 
there either, and I would like to be sure that users are logged out of all 
websites to which they logged in. I tried with FRONT_CHANNEL logoutType but in 
Shibboleth logs only this appears:

2022-06-30 05:02:16 DEBUG Shibboleth.Listener [3] [default]: dispatching 
message (default / SLO / POST)
2022-06-30 05:02:16 DEBUG OpenSAML.MessageDecoder.SAML2POST [3] [default]: 
validating input
2022-06-30 05:02:16 DEBUG Shibboleth.Listener [3] [default]: dispatching 
message (find :: StorageService :: SessionCache)
6/30/2022 05:02:42 INFO XMLTooling.StorageService: purged 1 expired record (s) 
from storage

CAS logs nothing about it

The user that wants to log out gets the information that:
"Logout notification could not be sent"  https://sp.uek.krakow.pl/shibboleth
For security reasons, close the browser.

If I understand correctly:

https://apereo.github.io/cas/6.5.x/installation/Logout-Single-Signout.html#sso-session-vs-application-session

CAS knows nothing about the session. CAS just sends a logout command and 
Shibboleth waits for the user's session; if it is not there, it states that there is 
nothing to do. I understand that if someone wants to use our IdP, he will have 
to take the session issues on himself and give us the option of logging out the 
user without a session cookie?

Tuesday, 28 June 2022 at 17:47:29 UTC+2 Ray Bon wrote:
Arkady,

The communication between the two servers looks correct. CAS is sending the 
logout request (you can decode the SAMLRequest at 
https://www.samltool.com/decode.php but most of the message is encrypted).

How are shib sessions being stored?

If with a cookie (which I think is the default), then back channel logout will 
not work. You can try front channel logout (set in the cas service definition) 
or change the shib session store to be on the server (db, etc).

The logout from shib works when it is initiated from the service. The service 
destroys the session, _then_ sends the logout request to CAS; CAS then processes 
all sessions it knows about (including the shib one, but it is already 
destroyed).

Ray

On Tue, 2022-06-28 at 01:45 -0700, Arkady Keppert wrote:

I tried it but it still doesn't tell me anything. I got some additional logs; 
maybe someone could help me? Correct logout out of Shibboleth is possible when 
I go to https://sp.uek.krakow.pl/Shibboleth.sso/Logout; then Shibboleth sends 
information about it to CAS and CAS destroys the ticket, and then I'm logged out of other 
services.

Monday, 27 June 2022 at 18:44:32 UTC+2 Ray Bon wrote:
Arkady,

These cas loggers may provide some additional information

        <!-- DEBUG outbound and inbound headers and response -->
        <AsyncLogger name="org.apache.http.headers" level="warn" />
        <!-- DEBUG outbound and inbound headers and response as it is sent -->
        <AsyncLogger name="org.apache.http.wire" level="warn" />

Ray

On Mon, 2022-06-27 at 00:52 -0700, Arkady Keppert wrote:

I set up the CAS 6.5.2 cluster based on:

https://dacurry-tns.github.io/deploying-apereo-cas/introduction_overview.html

Everything works nicely outside of the SAML2 SLO services: if I log out of the 
SAML2 service then the ticket is nicely destroyed and I'm logged out from all 
applications, but if I log out of my other services I get the information that:
CAS.log
2022-06-27 09:34:21,784 WARN 
[org.apereo.cas.support.saml.web.idp.profile.slo.SamlIdPSingleLogoutServiceMessageHandler]
 - <No (successful) logout response received from the url 
[https://sp.uek.krakow.pl/Shibboleth.sso/SLO/POST]>
2022-06-27 09:34:21,784 WARN 
[org.apereo.cas.logout.slo.BaseSingleLogoutServiceMessageHandler] - <Logout 
message is not sent to [AbstractWebApplicationService(id=https://sp.uek.krakow.pl/shibboleth, 
originalUrl=https://sp.uek.krakow.pl/shibboleth, artifactId=null, 
principal=kepperta, source=service, loggedOutAlready=false, format=XML, 
attributes={entityId=[https://sp.uek.krakow.pl/shibboleth]})]; Continuing processing ...>

SAML SP log:
2022-06-27 03:34:21 INFO Shibboleth.Logout.SAML2 [11] [default]: processing 
front channel logout request with no active session
2022-06-27 03:34:21 INFO Shibboleth.SessionCache [11] [default]: request to 
logout sessions from (https://sso-test.uek.krakow.pl/cas/idp) for (kepperta)
2022-06-27 03:34:21 INFO Shibboleth.Logout.SAML2 [11] [default]: client's 
session isn't available, skipping front-channel notifications
2022-06-27 03:34:21 ERROR Shibboleth.Logout [11] [default]: no sessions 
supplied to back channel notification method

When logging in to Shibboleth, a session is created that CAS knows nothing 
about, and when logging out of another service this session is not transferred 
to the SAML SP. As I wrote earlier, if you log out directly in Shibboleth then SLO 
works and I am logged out of other services. I tested it on my SAML SP and via 
the website https://samltest.id/, or both solutions are based on Shibboleth.

Has anyone had similar problems and knows how to solve it?
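The SAMLRequest decoding Ray points to (samltool.com) can be done locally. This is an added diagnostic example, not code from the thread or from CAS/Shibboleth: it encodes and decodes a samlp:LogoutRequest for both the HTTP-POST and HTTP-Redirect bindings and lists the Issuer, NameID and SessionIndex an SP uses to find the session to terminate. The entity IDs and identifiers in the sample are made-up placeholders; a real CAS message usually carries a saml:EncryptedID rather than a plaintext NameID, which the summary flags.

```python
import base64
import zlib
import xml.etree.ElementTree as ET

# SAML 2.0 namespaces used in a samlp:LogoutRequest.
NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample (hypothetical entity IDs): an IdP-initiated LogoutRequest
# with a plaintext NameID so the fields are visible after decoding.
SAMPLE_LOGOUT_REQUEST = """<samlp:LogoutRequest
  xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  ID="_req1" Version="2.0" IssueInstant="2022-06-27T07:34:21Z"
  Destination="https://sp.example.test/Shibboleth.sso/SLO/POST">
  <saml:Issuer>https://cas.example.test/cas/idp</saml:Issuer>
  <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">_n1</saml:NameID>
  <samlp:SessionIndex>_sess1</samlp:SessionIndex>
</samlp:LogoutRequest>"""

def encode_saml_request(xml_text: str, binding: str) -> str:
    """Build the SAMLRequest parameter value for the given binding."""
    data = xml_text.encode("utf-8")
    if binding == "redirect":  # HTTP-Redirect: raw DEFLATE before base64
        comp = zlib.compressobj(9, zlib.DEFLATED, -15)
        data = comp.compress(data) + comp.flush()
    return base64.b64encode(data).decode("ascii")  # HTTP-POST: base64 only

def decode_saml_request(value: str, binding: str) -> str:
    """Reverse of encode_saml_request: base64, then inflate for Redirect."""
    raw = base64.b64decode(value)
    if binding == "redirect":
        raw = zlib.decompress(raw, -15)  # -15: raw DEFLATE, no zlib header
    return raw.decode("utf-8")

def summarize_logout_request(xml_text: str) -> dict:
    """Extract the fields an SP needs to locate the session to log out."""
    root = ET.fromstring(xml_text.strip())
    if root.tag != "{%s}LogoutRequest" % NS["samlp"]:
        raise ValueError("not a samlp:LogoutRequest: " + root.tag)
    def text(path):
        node = root.find(path, NS)
        return node.text if node is not None else None
    return {"issuer": text("saml:Issuer"),
            "destination": root.get("Destination"),
            "name_id": text("saml:NameID"),  # None when the IdP encrypted it
            "name_id_encrypted": root.find("saml:EncryptedID", NS) is not None,
            "session_index": text("samlp:SessionIndex")}

if __name__ == "__main__":
    for binding in ("post", "redirect"):
        param = encode_saml_request(SAMPLE_LOGOUT_REQUEST, binding)
        print(binding, summarize_logout_request(decode_saml_request(param, binding)))
```

If the summary shows name_id_encrypted=True and no SessionIndex, the SP can only match a session by decrypting the NameID with its own key, which is why a cookie-bound SP session that the browser is not presenting leaves it with "no active session".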


--

Ray Bon
Programmer Analyst
Development Services, University Systems
2507218831<tel:(250)%20721-8831> | CLE 019 | rb...@uvic.ca

I acknowledge and respect the lək̓ʷəŋən peoples on whose traditional territory 
the university stands, and the Songhees, Esquimalt and WSÁNEĆ peoples whose 
historical relationships with the land continue to this day.



You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/57db7ba886349999f6d0a0d061197d86f15f42f0.camel%40uvic.ca.