Thanks Ray.

For those who may encounter this problem, you can add the IdP 
singleLogOutService URL to the Duo SSO metadata by following the guide below.
https://help.duo.com/s/article/6802?language=en_US

It works for me.

On Wednesday, 18 January 2023 at 02:12:28 UTC+8 Ray Bon wrote:

> If DUO metadata does not have SingleLogoutService, then they must not 
> support it.
> Does Duo documentation say they support it?
>
> You could turn up the logging to see if more details are provided, but it 
> sounds like it is working as expected (except for the blank page).
>
> Ray
>
> On Tue, 2023-01-17 at 00:51 -0800, Ps Chu wrote:
>
> Hi all, 
>
> I have successfully configured the delegation of the authentication 
> process to DUO SSO using SAML. 
>
> However, when I try SLO, the logout request stops at the CAS server and 
> is not redirected to DUO SSO to perform the Duo session logout. The browser 
> only shows a blank page at the CAS server URL and does not redirect back 
> to the application's logout page at the end.
>
> When I checked the access log in the CAS server, I can see the incoming 
> request as below:
> "GET /cas/idp/profile/SAML2/Redirect/SLO?SigAlg=XXXXX HTTP/1.1" 200 0 "http://XXX.XXX.XXX.XXX/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:108.0) Gecko/20100101 Firefox/108.0"
>
> But it is strange that the HTTP response status was 200 instead of the 302 
> I expected, which would redirect the request back to the application server.
>
> Furthermore, if I manually refresh the same CAS URL where the browser 
> stopped, the CAS server responds with 302 and then redirects the request to 
> the application server.
>
> I have checked the CAS server log and can only find the following warning:
> | 2023-01-17 08:06:17,315 WARN [org.pac4j.saml.logout.SAML2LogoutActionBuilder] - <Identity provider has no single logout service available for the selected profile urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect>
>
> On the other hand, the Duo SSO SAML metadata file didn't have the 
> [SingleLogoutService] attribute.
>
> I wonder if it is the cause of my issue. Could anyone with the same 
> experience give me some advice?
>
> Thank you very much.
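The warning quoted in this thread fires when the IdP metadata declares no SingleLogoutService for the binding pac4j selected. The following is an added example, not code from the thread, CAS, pac4j or Duo: a small check of an IdP metadata document for that endpoint before relying on SLO. The sample metadata and the idp.example.test URLs are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample metadata (hypothetical host), with no SingleLogoutService.
SAMPLE_NO_SLO = f"""<md:EntityDescriptor xmlns:md="{NS['md']}"
    entityID="https://idp.example.test/metadata">
  <md:IDPSSODescriptor
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleSignOnService Binding="{REDIRECT}"
        Location="https://idp.example.test/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

# Same metadata after adding the logout endpoint (constructed URL). The SAML
# metadata schema orders SingleLogoutService before SingleSignOnService.
SAMPLE_WITH_SLO = SAMPLE_NO_SLO.replace(
    "<md:SingleSignOnService",
    f'<md:SingleLogoutService Binding="{REDIRECT}"\n'
    '        Location="https://idp.example.test/slo"/>\n'
    "    <md:SingleSignOnService")

def slo_endpoints(metadata_xml):
    """Return {binding: [locations]} for the IdP's SingleLogoutService entries."""
    # Only parse metadata from a trusted source: the stdlib parser is not
    # hardened against maliciously constructed XML.
    root = ET.fromstring(metadata_xml)
    found = {}
    for el in root.iterfind(".//md:IDPSSODescriptor/md:SingleLogoutService", NS):
        binding, location = el.get("Binding"), el.get("Location")
        if binding and location:
            found.setdefault(binding, []).append(location)
    return found

def check_slo(metadata_xml, wanted=REDIRECT):
    """Return (ok, message): is SLO declared for the binding the SP will use?"""
    eps = slo_endpoints(metadata_xml)
    if wanted in eps:
        return True, f"SLO via {wanted} -> {eps[wanted][0]}"
    if eps:
        return False, f"SLO declared only for other bindings: {sorted(eps)}"
    return False, "no SingleLogoutService declared; logout stays local to the SP"

if __name__ == "__main__":
    for name, doc in (("before", SAMPLE_NO_SLO), ("after", SAMPLE_WITH_SLO)):
        print(name, check_slo(doc))
```

A failed check means the session at the upstream IdP survives a logout from CAS, so the next login may be silently re-authenticated.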
