Hi Ray, I have already set cas.logout.follow-service-redirects=true. To my understanding this property only works if the client is triggering a logout using the CAS protocol (/logout endpoint) with a service= parameter. As my client is using SAML2, it is triggering via the /idp/profile/SAML2/POST/SLO endpoint, which doesn't accept the service= parameter.
Thanks,
Wilson

On Tuesday, January 14, 2025 at 11:18:45 AM UTC+8 Ray Bon wrote:
> Wilson,
>
> Docs mention cas.logout.follow-service-redirects which is false by default.
>
> Set it to true.
>
> https://apereo.github.io/cas/7.1.x/installation/Logout-Single-Signout.html#cas-logout
>
> Ray
>
> On Mon, 2025-01-13 at 02:17 -0800, Wilson Goh wrote:
> > Hi,
> >
> > I am trying to implement delegated authentication to Microsoft Entra (AAD) with SAML2.
> > Currently I have successfully implemented login from SP -> CAS -> Entra.
> > However, I am encountering issues with logout.
> >
> > SP uses SAML to communicate with CAS and CAS uses SAML to communicate with Entra.
> > When I initiate logout from SP, it will POST /idp/profile/SAML2/POST/SLO with a LogoutRequest to CAS. CAS will then handle the request and send a LogoutRequest to Entra.
> > However, the issue I'm having is that the end page ends at {cas}/logout?service=. It does not redirect back to the SP's callback.
> >
> > Is there any way I can redirect back to SP's callback?
> >
> > config:
> >
> > cas.authn.saml-idp.core.entity-id=https://{cas}/idp
> > cas.authn.saml-idp.metadata.file-system.location=file:/etc/cas/saml/saml-idp
> >
> > cas.authn.pac4j.saml[0].client-name=entra
> > cas.authn.pac4j.saml[0].service-provider-entity-id=https://{cas}/cas
> > cas.authn.pac4j.saml[0].destination-binding=urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
> > cas.authn.pac4j.saml[0].keystore-path={keystore}
> > cas.authn.pac4j.saml[0].keystore-password=changeit
> > cas.authn.pac4j.saml[0].private-key-password=changeit
> > cas.authn.pac4j.saml[0].metadata.identity-provider-metadata-path={entra-metdata}
> > cas.authn.pac4j.saml[0].metadata.service-provider.file-system.location={cas-sp-metadata}
> > cas.authn.pac4j.saml[0].wants-responses-signed=true
> > cas.authn.pac4j.saml[0].use-name-qualifier=false
> > cas.authn.pac4j.saml[0].sign-service-provider-logout-request=true

--
- Website: https://apereo.github.io/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
To view this discussion visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/502558fe-47e4-4c01-80e9-e6ef1fc23f89n%40apereo.org.
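An added example, not code from this thread or from CAS, illustrating the point Wilson makes about the SLO endpoint: a SAML 2.0 LogoutRequest carries no service= parameter, so an IdP can only learn where to send the LogoutResponse from the SingleLogoutService endpoint registered in the SP's metadata (ResponseLocation if present, otherwise Location), and it should refuse an Issuer it does not know. Entity IDs, hostnames and endpoints below are constructed placeholders.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "md": "urn:oasis:names:tc:SAML:2.0:metadata"}
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed SP metadata (hypothetical entity ID and endpoints).
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example.org/saml">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.org/saml/slo"
        ResponseLocation="https://sp.example.org/saml/slo/response"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed LogoutRequest as an SP would POST it to the CAS SLO endpoint.
LOGOUT_REQUEST_XML = """<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_req1" Version="2.0"
    IssueInstant="2025-01-13T10:17:00Z"
    Destination="https://cas.example.org/idp/profile/SAML2/POST/SLO">
  <saml:Issuer>https://sp.example.org/saml</saml:Issuer>
  <saml:NameID>wilson</saml:NameID>
  <samlp:SessionIndex>_sess1</samlp:SessionIndex>
</samlp:LogoutRequest>"""
# HTTP-POST binding carries the XML base64-encoded in the SAMLRequest form field.
SAML_REQUEST_B64 = base64.b64encode(LOGOUT_REQUEST_XML.encode()).decode()

def parse_logout_request(saml_request_b64):
    """Decode the SAMLRequest field and pull out the fields the IdP acts on."""
    root = ET.fromstring(base64.b64decode(saml_request_b64))
    if root.tag != "{%s}LogoutRequest" % NS["samlp"]:
        raise ValueError("not a LogoutRequest")
    return {"issuer": root.findtext("saml:Issuer", namespaces=NS),
            "name_id": root.findtext("saml:NameID", namespaces=NS),
            "session_index": root.findtext("samlp:SessionIndex", namespaces=NS)}

def logout_response_destination(sp_metadata_xml, issuer, binding=POST_BINDING):
    """Registered SLO endpoint for the issuing SP; unknown issuers are refused."""
    md = ET.fromstring(sp_metadata_xml)
    if md.get("entityID") != issuer:
        raise ValueError("LogoutRequest Issuer does not match registered SP")
    for slo in md.iterfind("md:SPSSODescriptor/md:SingleLogoutService", NS):
        if slo.get("Binding") == binding:
            # ResponseLocation, when present, is where the LogoutResponse goes.
            return slo.get("ResponseLocation") or slo.get("Location")
    raise ValueError("SP metadata has no SingleLogoutService for this binding")
```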
