Hello, 
We are experiencing an unusual issue. It might be due to a misconfiguration 
or a bug.

When performing SAML Single Logout (SLO) using the HTTP-POST binding, the 
response contains both the SAML logout auto-submit form and the CAS 
logout page, which causes issues with the auto-submit behavior.

Environment:
SimpleSAMLphp as an Identity Provider (IdP), CAS 7.1 as a Service Provider 
(SP)

Current behaviour:
1. CAS correctly generates the SAML LogoutRequest (through the pac4j-saml library)
2. Creates an HTML form with auto-submit functionality (through the pac4j-saml library)
3. Sets the correct RelayState for return (through the pac4j-saml library)
4. However, the response also includes the CAS logout page, resulting in a combined response (standard Spring Webflow)

Additional Observations:
- This issue doesn't occur with the HTTP-Redirect binding (likely because the 302 status prevents rendering).
```
cas.authn.pac4j.saml[0].logout-request-binding=urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
# error occurs

#cas.authn.pac4j.saml[0].logout-request-binding=urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect
# is OK
```
- The SAML form is generated during the SAML actions in the terminateSession state
- The CAS logout page is added later in the logout flow

Flow Analysis:
1. terminateSession state executes:
   - delegatedAuthenticationClientLogoutAction
   - delegatedAuthenticationSaml2ClientFinishLogoutAction
   - delegatedSaml2ClientTerminateSessionAction
2. Flow continues to the logoutView state, which adds the CAS logout page

Any assistance would be greatly appreciated. 
Kind regards, 
Milan


Example of CAS response:
```
<!DOCTYPE html>
<html>
    <head>
        <meta charset="utf-8" />
    </head>
    <body onload="document.forms[0].submit()">
        <noscript>
            <p>
                <strong>Note:</strong> Since your browser does not support 
JavaScript,
                you must press the Continue button once to proceed.
            </p>
        </noscript>
        
        <form action="https&#x3a;&#x2f;&#x2f;local.xxx.yyy.cz&#x2f;simplesaml&#x2f;module.php&#x2f;saml&#x2f;idp&#x2f;singleLogout" method="post">
            <div>
                <input type="hidden" name="RelayState" value="https&#x3a;&#x2f;&#x2f;local.xxx.yyy.cz&#x2f;cas&#x2f;login&#x3f;client_name&#x3d;SimpleSAML"/>
                <input type="hidden" name="SAMLRequest" value="PD...dD4="/>
            </div>
            <noscript>
                <div>
                    <input type="submit" value="Continue"/>
                </div>
            </noscript>
        </form>
    </body>
</html><!DOCTYPE html><html lang="en">

<head>
    <meta charset="UTF-8" /><meta http-equiv="X-UA-Compatible" content="IE=edge" /><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title>Logout successful - CAS - Central Authentication Service</title>
    <meta http-equiv="X-UA-Compatible" content="IE=edge"/><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no"/>
    <link rel="stylesheet" type="text/css" href="/cas/webjars/normalize.css/8.0.1/normalize-112272e51c80ffe5bd01becd2ce7d656.css" />
    <link rel="stylesheet" type="text/css" href="/cas/webjars/bootstrap/5.3.3/css/bootstrap-grid.min-ea688188986141f98fe7c673dd4c34f1.css" />
    <link rel="stylesheet" type="text/css" href="/cas/webjars/material-components-web/14.0.0/dist/material-components-web.min-9da9033e8d04504fe54b3dbb1298fd78.css" />
    <link rel="stylesheet" type="text/css" href="/cas/webjars/mdi__font/7.4.47/css/materialdesignicons.min-2c83c4bce691e18f82409f87b2bf84e4.css" />
    <link rel="stylesheet" type="text/css" href="/cas/webjars/datatables/2.1.0/css/dataTables.dataTables-dd4fd70bec3081bf43eaf1b44606825c.css" />
    <link rel="stylesheet" type="text/css" href="/cas/css/cas-c344b14a22795665456bd29c9c4007f6.css" />
    <link rel="stylesheet" type="text/css" href="/cas/themes/standard/css/cas-custom-91a1a43e65f3bd9385bb00840907affe.css" />
    <link rel="shortcut icon" href="/cas/favicon-ee8c1233d027f8132e38212a2bda6bb4.ico" />
</head>
....
```

-- 
- Website: https://apereo.github.io/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
To view this discussion visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/2cbce7c2-7654-4564-989b-bc8770262e2an%40apereo.org.
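The symptom reported in this post (an HTTP-POST SLO response that contains two concatenated HTML documents, so `document.forms[0].submit()` runs against a page the IdP never expects) is easy to catch with an automated check on the response body. The following script is an added example written for this thread; it is not CAS, pac4j or SimpleSAMLphp code. It parses the auto-submit form the way a relying party or an integration test would: it counts top-level HTML documents, extracts and HTML-unescapes the form `action` and `RelayState` (the captured response uses numeric entities such as `&#x3a;`), and base64-decodes `SAMLRequest` to confirm it is a `samlp:LogoutRequest` (the HTTP-POST binding carries plain base64 XML; DEFLATE is only used by HTTP-Redirect). The IdP URL, RelayState, LogoutRequest and the minimal CAS logout page below are constructed placeholders, since the post elides the real `SAMLRequest` value.

```python
import base64
import html
import re
from dataclasses import dataclass, field
from typing import List, Optional
from xml.etree import ElementTree as ET

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"


@dataclass
class SloPostCheck:
    document_count: int
    form_action: Optional[str]
    relay_state: Optional[str]
    saml_request_tag: Optional[str]
    problems: List[str] = field(default_factory=list)


def _hidden_input(form_html: str, name: str) -> Optional[str]:
    # pac4j entity-escapes attribute values (e.g. "&#x3a;"), so unescape before use.
    m = re.search(r'<input\b[^>]*\bname="%s"[^>]*\bvalue="([^"]*)"' % re.escape(name), form_html)
    return html.unescape(m.group(1)) if m else None


def check_slo_post_response(body: str) -> SloPostCheck:
    """Verify that an SP's HTTP-POST SLO response is one auto-submit page carrying a LogoutRequest."""
    problems: List[str] = []
    doc_count = len(re.findall(r"<!DOCTYPE\s+html", body, re.IGNORECASE))
    if doc_count != 1:
        problems.append(f"expected exactly one HTML document, found {doc_count} "
                        "(auto-submit page concatenated with another page)")

    forms = re.findall(r"<form\b[^>]*>.*?</form>", body, re.DOTALL | re.IGNORECASE)
    if len(forms) != 1:
        problems.append(f"expected exactly one <form>, found {len(forms)}")
        return SloPostCheck(doc_count, None, None, None, problems)
    form = forms[0]

    action_m = re.search(r'\baction="([^"]*)"', form)
    action = html.unescape(action_m.group(1)) if action_m else None
    if not action or not action.startswith("https://"):
        problems.append("form action missing or not an https URL")

    relay_state = _hidden_input(form, "RelayState")
    saml_request = _hidden_input(form, "SAMLRequest")
    tag = None
    if saml_request is None:
        problems.append("SAMLRequest hidden field missing")
    else:
        try:
            # HTTP-POST binding: plain base64 of the XML (no DEFLATE, unlike HTTP-Redirect).
            root = ET.fromstring(base64.b64decode(saml_request, validate=True))
            tag = root.tag
            if tag != f"{{{SAMLP_NS}}}LogoutRequest":
                problems.append(f"SAMLRequest is {tag}, not a samlp:LogoutRequest")
        except (ValueError, ET.ParseError) as exc:
            problems.append(f"SAMLRequest is not base64-encoded XML: {exc}")

    return SloPostCheck(doc_count, action, relay_state, tag, problems)


# --- constructed sample data (placeholders, not values from the original post) ---
IDP_SLO_URL = "https://idp.example.test/simplesaml/module.php/saml/idp/singleLogout"
RELAY_STATE = "https://sp.example.test/cas/login?client_name=SimpleSAML"
LOGOUT_REQUEST_XML = (
    f'<samlp:LogoutRequest xmlns:samlp="{SAMLP_NS}" xmlns:saml="{SAML_NS}" '
    f'ID="_constructed-request-id" Version="2.0" IssueInstant="2024-01-01T00:00:00Z" '
    f'Destination="{IDP_SLO_URL}"><saml:Issuer>https://sp.example.test/cas</saml:Issuer>'
    '<saml:NameID>alice</saml:NameID></samlp:LogoutRequest>'
)
CAS_LOGOUT_PAGE = ('<!DOCTYPE html><html lang="en"><head><title>Logout successful - CAS</title>'
                   '</head><body><p>Logout successful</p></body></html>')


def _entity_escape(value: str) -> str:
    # Mimic the numeric-entity escaping seen in the captured form (":" -> "&#x3a;", "/" -> "&#x2f;").
    return "".join(f"&#x{ord(c):x};" if c in ":/?=&" else c for c in value)


def auto_submit_page(logout_request_xml: str, relay_state: str) -> str:
    """Build an auto-submit page in the shape pac4j emits for HTTP-POST SLO."""
    saml_request = base64.b64encode(logout_request_xml.encode()).decode()
    return ('<!DOCTYPE html><html><head><meta charset="utf-8"/></head>'
            '<body onload="document.forms[0].submit()">'
            f'<form action="{_entity_escape(IDP_SLO_URL)}" method="post"><div>'
            f'<input type="hidden" name="RelayState" value="{_entity_escape(relay_state)}"/>'
            f'<input type="hidden" name="SAMLRequest" value="{saml_request}"/>'
            '</div></form></body></html>')


def good_response() -> str:
    return auto_submit_page(LOGOUT_REQUEST_XML, RELAY_STATE)


def combined_response() -> str:
    # Reproduces the failure in the post: the CAS logout view is appended after the auto-submit page.
    return good_response() + CAS_LOGOUT_PAGE


if __name__ == "__main__":
    for label, body in (("good", good_response()), ("combined", combined_response())):
        result = check_slo_post_response(body)
        print(label, result.document_count, result.problems or "OK")
```

Run it as-is to see the constructed good and combined responses checked; to test a real deployment, read the body returned for the CAS logout URL (with the HTTP-POST `logout-request-binding` configured) into `check_slo_post_response`. A clean auto-submit page yields an empty `problems` list; the concatenated response from this thread is reported as two HTML documents while the form fields themselves still parse, which matches the observation that pac4j's form is correct and the extra content comes from the logoutView state.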