Thanks again for the suggestions. My understanding of logoutUrl was that
this is used by CAS to send the SLO request to, but is not related to the
redirect after logout. I would understand if the redirect has to match the
serviceId, though.
I checked the logs and found this message, which sounds like CAS is trying
to find the SSO session based on the id_token_hint, but does not succeed.
Probably because the token is not stored as a session key, but I don't know
what some of the ticket types mean:
2023-11-14T13:08:31,304Z [http-nio-8080-exec-2] ERROR
o.a.c.t.DefaultTicketCatalog:37 eup.sso.cas {"message": "Ticket definition
for [here comes my id_token] cannot be found in the ticket catalog which
only contains the following ticket types: [[TGT, ST, RT, AT, PT, TST, OC,
SART, ODUC, PGT, SATQ, ODT]]"}
Any other suggestions?
On Friday, November 10, 2023 at 8:56:25 AM UTC+1 Meysam Shirazi wrote:
> Hi Udo
> Change *cas.log.level* to *debug *or make org.apereo.cas.oidc log level
> to trace to see what happening.
> common reason is post_logout_redirect_uri does not match service, means
> post_logout_redirect_uri is not define as logoutUrl or matching service id
> in your service definition.
>
>
> On Friday, November 10, 2023 at 10:29:33 AM UTC+3:30 Udo Einspanier wrote:
>
>> Hi Meysam,
>>
>> thanks for the quick reply. Yes, id_token_hint is part of the URL, I just
>> left it out for brevity but should have included it. So here is the URL
>> from CAS OIDC logout page with all parameters:
>>
>>
>> https://.../cas/oidc/oidcLogout?id_token_hint=...&post_logout_redirect_uri=https://...
>>
>> But still no redirect from CAS to post_logout_redirect_uri.
>>
>> Any other ideas?
>>
>> Thanks,
>> Udo
>>
>> On Friday, November 10, 2023 at 3:41:42 AM UTC+1 Meysam Shirazi wrote:
>>
>>> It needs idToken in id_token_hint url parameters) that contains
>>> clientId, it can be the same id token that be retrieved in login process.
>>> On Thursday, November 9, 2023 at 4:20:04 PM UTC+3:30 Udo Einspanier
>>> wrote:
>>>
>>>> Hi,
>>>>
>>>> we have CAS 6.6 as OIDC provider. When our client initiates logout, it
>>>> goes to https://.../cas/oidc/oidcLogout?post_logout_redirect_uri=https:/...
>>>>
>>>> In the YAML configuration we have:
>>>>
>>>> cas:
>>>> logout:
>>>> followServiceRedirects: true
>>>> removeDescendantTickets: true
>>>>
>>>> I would expect CAS to redirect to the URL in parameter
>>>> post_logout_redirect_uri, but instead
>>>> shows a logout page titled "Logout successful" where the user can click
>>>> on the logout URL
>>>> specified in the logout request.
>>>> Is there some additional setting required for OIDC, or are we missing
>>>> something to allow automatic
>>>> redirect without user interaction?
>>>>
>>>> Thanks and best regards,
>>>> Udo
>>>>
>>>>
>>>>
--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
To view this discussion on the web visit
https://groups.google.com/a/apereo.org/d/msgid/cas-user/e939a592-d3f3-4b78-b25f-f0b05246ca64n%40apereo.org.
