- Enable SLO for the CAS server.

- Optionally, log out of app 1

- Issue a request to log out of CAS with /cas/logout, providing a 
parameter that would return you back to app1

- Logging out of CAS will automatically log you out of everything 
else, provided those apps can interpret the SLO message via some sort of CAS 
client.



Note that you can’t guarantee that you’d always go back to app1. It depends 
on where the flow starts and who starts it.
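What "interpreting the SLO message" involves on the application side, as an added Python sketch that is not code from this thread or from the Java CAS client. It assumes the logout request layout of the CAS protocol, where SessionIndex carries the service ticket the session was created with; SessionStore, handle_logout_request and the sample values are hypothetical.

```python
import xml.etree.ElementTree as ET

SAMLP = "{urn:oasis:names:tc:SAML:2.0:protocol}"

class SessionStore:
    """Hypothetical client-side map: service ticket used at login -> local session."""
    def __init__(self):
        self._by_ticket = {}
        self.active = set()
    def login(self, service_ticket, session_id):
        self._by_ticket[service_ticket] = session_id
        self.active.add(session_id)
    def end_by_ticket(self, service_ticket):
        session_id = self._by_ticket.pop(service_ticket, None)
        self.active.discard(session_id)
        return session_id is not None

def handle_logout_request(body, store):
    """Handle the logoutRequest value CAS POSTs to the app; True if a session ended."""
    if "<!DOCTYPE" in body or "<!ENTITY" in body:
        raise ValueError("DTDs are not accepted in a logout request")
    try:
        root = ET.fromstring(body)
    except ET.ParseError as exc:
        raise ValueError("logout request is not well-formed XML") from exc
    if root.tag != SAMLP + "LogoutRequest":
        raise ValueError("unexpected root element")
    ticket = (root.findtext(SAMLP + "SessionIndex") or "").strip()
    if not ticket:
        raise ValueError("logout request carries no SessionIndex")
    # Unknown or already-used tickets end nothing: a replayed message is a no-op.
    return store.end_by_ticket(ticket)

# Constructed message in the layout of the CAS protocol's logout request.
SAMPLE_LOGOUT_REQUEST = (
    '<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'ID="LR-placeholder" Version="2.0" IssueInstant="2015-05-20T06:08:00Z">'
    '<saml:NameID xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">@NOT_USED@'
    '</saml:NameID><samlp:SessionIndex>ST-1-placeholder</samlp:SessionIndex>'
    '</samlp:LogoutRequest>'
)

def demo():
    store = SessionStore()
    store.login("ST-1-placeholder", "app1-session")
    store.login("ST-9-placeholder", "other-user-session")
    first = handle_logout_request(SAMPLE_LOGOUT_REQUEST, store)
    replay = handle_logout_request(SAMPLE_LOGOUT_REQUEST, store)
    return first, replay, sorted(store.active)
```

Only the session tied to the ticket named in the message ends; every other local session stays active.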



From: Gianluca Diodato [mailto:[email protected]]
Sent: Wednesday, May 20, 2015 6:08 AM
To: [email protected]
Cc: [email protected]; [email protected]
Subject: Re: [cas-user] Empty Attribute Map



Hi Misagh,
I solved my problems with attributes and the SAML protocol.
Now I need to understand how to implement a proper logout and SLO for my 
app clients in Java.
My configuration is this one:

1. CAS Server in a VM
2. Java CAS Client webapp1 in another VM;
3. Java CAS Client webapp2 in another VM;
4. ...
5. Java CAS Client webappN in another VM.

I launch webapp1 and I am redirected to the CAS Server login; authentication and 
attributes are sent back to webapp1 correctly.
If I access webapp2..N I am logged in correctly with the same user.
Now, if the user clicks logout in one of webapp1...N, I want to redirect to the login 
page of webapp1...N, and that the user can't access SSO without logging in.

How to do this?

Thanks
Gianluca

On Friday, 15 May 2015 16:32:32 UTC+2, Misagh Moayyed wrote:

Here is an example on how to configure the SAML authn and validation filters 
in your app:

https://github.com/UniconLabs/cas-sample-java-webapp/blob/master/src/main/webapp/WEB-INF/web.xml





From: Misagh Moayyed [mailto:[email protected]]
Sent: Friday, May 15, 2015 7:29 AM
To: [email protected]
Subject: Re: [cas-user] Empty Attribute Map



If your app is protected by the Java CAS client, you have a number of 
options:



1. Use SAML validation and authentication filters, or



2. Modify the CAS server's validation jsp to return attributes, or



3. Use the validator in CAS client 3.4.0 (for which you will need to 
download the client code, build the jar and include it in the app for now) 
that allows you to point to /p3/serviceValidate



#1 would probably be the easiest to configure for now.


  _____


From: "Gianluca Diodato" <[email protected]>
To: [email protected]
Cc: [email protected], [email protected]
Sent: Friday, May 15, 2015 5:57:08 AM
Subject: Re: [cas-user] Empty Attribute Map

OK, I understand now: indeed, in ticketExpirationPolicies.xml I can read 
that a ticket is for one-time use.

So, what is the right choice in order to retrieve my own attributes 
for my service after login from my Java client webapp?



thanks

Gianluca

On Friday, 15 May 2015 14:47:07 UTC+2, Misagh Moayyed wrote:

Because you are validating the same ticket id twice.



Your Java webapp receives ST-4 and validates it. When an ST is validated, it 
is expired and thus removed. Then, you attempt to execute the same operation 
in your browser, which causes validation to fail. STs can only be used 
once, unless you change the expiration policy for STs.
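One way to find such repeated validations in the CAS audit trail, as an added Python example that is not part of the original thread. It assumes records in the Inspektr layout quoted further down this page; the function names, ticket ids and IP addresses are constructed placeholders.

```python
import re
from datetime import datetime

FIELD = re.compile(r"^(WHAT|ACTION|WHEN|CLIENT IP ADDRESS): (.+)$", re.M)
SEPARATOR = re.compile(r"^=+\s*$", re.M)

def parse_records(text):
    """Yield (ticket, action, timestamp, client_ip) for each audit record."""
    for chunk in SEPARATOR.split(text):
        f = {k: v.strip() for k, v in FIELD.findall(chunk)}
        if len(f) < 4:
            continue  # log preamble or an incomplete record
        w = f["WHEN"].split()  # e.g. Fri May 15 13:19:31 CEST 2015
        ts = datetime.strptime(f"{w[1]} {w[2]} {w[3]} {w[-1]}", "%b %d %H:%M:%S %Y")
        yield f["WHAT"], f["ACTION"], ts, f["CLIENT IP ADDRESS"]

def find_ticket_reuse(text):
    """Return every validation attempt made after a ticket was already consumed."""
    consumed, findings = {}, []
    for ticket, action, ts, ip in sorted(parse_records(text), key=lambda r: r[2]):
        if action not in ("SERVICE_TICKET_VALIDATED", "SERVICE_TICKET_VALIDATE_FAILED"):
            continue
        if ticket in consumed:
            first_ts, first_ip = consumed[ticket]
            findings.append({"ticket": ticket, "action": action,
                             "seconds_after_first": int((ts - first_ts).total_seconds()),
                             "same_client": ip == first_ip})
        elif action == "SERVICE_TICKET_VALIDATED":
            consumed[ticket] = (ts, ip)  # first successful validation uses the ST up
    return findings

def _record(ticket, action, clock, ip):
    """Build one constructed record in the audit layout (placeholder values)."""
    return ("Audit trail record BEGIN\n" + "=" * 61 + "\nWHO: audit:unknown\n"
            f"WHAT: {ticket}\nACTION: {action}\nAPPLICATION: CAS\n"
            f"WHEN: Fri May 15 {clock} CEST 2015\nCLIENT IP ADDRESS: {ip}\n"
            "SERVER IP ADDRESS: 192.0.2.1\n" + "=" * 61 + "\n")

SAMPLE_LOG = (
    _record("ST-1-placeholder", "SERVICE_TICKET_VALIDATED", "13:19:31", "192.0.2.10")
    + _record("ST-2-placeholder", "SERVICE_TICKET_VALIDATED", "13:20:02", "192.0.2.10")
    + _record("ST-1-placeholder", "SERVICE_TICKET_VALIDATE_FAILED", "13:25:08", "192.0.2.10")
    + _record("ST-3-placeholder", "SERVICE_TICKET_VALIDATE_FAILED", "13:26:40", "192.0.2.20")
)

if __name__ == "__main__":
    for finding in find_ticket_reuse(SAMPLE_LOG):
        print(finding)
```

A failed validation with no earlier success (ST-3 in the sample) is not reported as reuse, since it may simply be an expired or unknown ticket; a reuse from a different client IP than the first validation deserves a closer look.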



From: Gianluca Diodato [mailto:[email protected]]
Sent: Friday, May 15, 2015 5:44 AM
To: [email protected]
Cc: [email protected]; [email protected]
Subject: Re: [cas-user] Empty Attribute Map



Hi Misagh,

why did you say I have 2 requests to validate the same ticket?

I don't understand...

In the log that I posted there are a SERVICE_TICKET_VALIDATED (after login 
from my Java webapp client side) and a SERVICE_TICKET_VALIDATE_FAILED (from 
my browser client side when I tried to access this URL: 
https://cas_server/cas/p3/serviceValidate?ticket=ST-4-yaGp66SconKtxo1v5ZCt-cassso.smartcampus.org&service=http://localhost:8080/Campus/mainpage.jsp
).

What's wrong?



Gianluca



On Friday, 15 May 2015 14:03:41 UTC+2, Misagh Moayyed wrote:

Your CAS client is attempting to reuse a service ticket, or it’s submitting 
the same request twice. It validates ST-4 and about a minute later it 
attempts to validate it again. That won’t work.



Monitor traffic and see why you have two requests to validate the same 
ticket.



From: Gianluca Diodato [mailto:[email protected]]
Sent: Friday, May 15, 2015 4:44 AM
To: [email protected]
Cc: [email protected]; [email protected]
Subject: Re: [cas-user] Empty Attribute Map



Hi Misagh,
This is my last test with the deployerConfigContext.xml file.
Anyway, I can't access any serviceValidate page (Cas2, Cas3, Saml).
When I try to access one I always get this answer:

2015-05-15 13:18:23,465 INFO [org.jasig.cas.services.DefaultServicesManagerImpl] - <Reloading registered services.>
2015-05-15 13:18:23,465 DEBUG [org.jasig.cas.services.DefaultServicesManagerImpl] - <Adding registered service http://localhost:8080/Campus/mainpage.jsp>
2015-05-15 13:18:23,465 DEBUG [org.jasig.cas.services.DefaultServicesManagerImpl] - <Adding registered service http://localhost:8080/SmartMobility/.*>
2015-05-15 13:18:23,466 INFO [org.jasig.cas.services.DefaultServicesManagerImpl] - <Loaded 2 services.>
2015-05-15 13:19:31,657 DEBUG [org.jasig.cas.web.support.CasArgumentExtractor] - <Extractor generated service for: http://localhost:8080/Campus/mainpage.jsp>
2015-05-15 13:19:31,658 DEBUG [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - <Attempting to retrieve ticket [ST-4-yaGp66SconKtxo1v5ZCt-cassso.smartcampus.org]>
2015-05-15 13:19:31,658 DEBUG [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - <Ticket [ST-4-yaGp66SconKtxo1v5ZCt-cassso.smartcampus.org] found in registry.>
2015-05-15 13:19:31,658 DEBUG [org.jasig.cas.services.support.RegisteredServiceDefaultAttributeFilter] - <Found attribute [first_name] in the list of allowed attributes for service [Test CAS]>
2015-05-15 13:19:31,658 DEBUG [org.jasig.cas.CentralAuthenticationServiceImpl] - <Principal id to return for service [Test CAS] is [[email protected]]. The default principal id is [[email protected]].>
2015-05-15 13:19:31,658 DEBUG [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - <Removing ticket [ST-4-yaGp66SconKtxo1v5ZCt-cassso.smartcampus.org] from registry>
2015-05-15 13:19:31,658 DEBUG [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - <Attempting to retrieve ticket [ST-4-yaGp66SconKtxo1v5ZCt-cassso.smartcampus.org]>
2015-05-15 13:19:31,658 INFO [com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO: audit:unknown
WHAT: ST-4-yaGp66SconKtxo1v5ZCt-cassso.smartcampus.org
ACTION: SERVICE_TICKET_VALIDATED
APPLICATION: CAS
WHEN: Fri May 15 13:19:31 CEST 2015
CLIENT IP ADDRESS: 146.48.89.203
SERVER IP ADDRESS: 146.48.89.135
=============================================================

>
2015-05-15 13:19:31,659 DEBUG [org.jasig.cas.web.ServiceValidateController] - <Successfully validated service ticket ST-4-yaGp66SconKtxo1v5ZCt-cassso.smartcampus.org for service [http://localhost:8080/Campus/mainpage.jsp]>
2015-05-15 13:20:23,466 INFO [org.jasig.cas.services.DefaultServicesManagerImpl] - <Reloading registered services.>
2015-05-15 13:20:23,466 DEBUG [org.jasig.cas.services.DefaultServicesManagerImpl] - <Adding registered service http://localhost:8080/Campus/mainpage.jsp>
2015-05-15 13:20:23,466 DEBUG [org.jasig.cas.services.DefaultServicesManagerImpl] - <Adding registered service http://localhost:8080/SmartMobility/.*>
2015-05-15 13:20:23,466 INFO [org.jasig.cas.services.DefaultServicesManagerImpl] - <Loaded 2 services.>
2015-05-15 13:22:23,465 INFO [org.jasig.cas.services.DefaultServicesManagerImpl] - <Reloading registered services.>
2015-05-15 13:22:23,466 DEBUG [org.jasig.cas.services.DefaultServicesManagerImpl] - <Adding registered service http://localhost:8080/Campus/mainpage.jsp>
2015-05-15 13:22:23,466 DEBUG [org.jasig.cas.services.DefaultServicesManagerImpl] - <Adding registered service http://localhost:8080/SmartMobility/.*>
2015-05-15 13:22:23,466 INFO [org.jasig.cas.services.DefaultServicesManagerImpl] - <Loaded 2 services.>
2015-05-15 13:24:23,466 INFO [org.jasig.cas.services.DefaultServicesManagerImpl] - <Reloading registered services.>
2015-05-15 13:24:23,466 DEBUG [org.jasig.cas.services.DefaultServicesManagerImpl] - <Adding registered service http://localhost:8080/Campus/mainpage.jsp>
2015-05-15 13:24:23,466 DEBUG [org.jasig.cas.services.DefaultServicesManagerImpl] - <Adding registered service http://localhost:8080/SmartMobility/.*>
2015-05-15 13:24:23,466 INFO [org.jasig.cas.services.DefaultServicesManagerImpl] - <Loaded 2 services.>
2015-05-15 13:25:08,452 DEBUG [org.jasig.cas.web.support.CasArgumentExtractor] - <Extractor generated service for: http://localhost:8080/Campus/mainpage.jsp>
2015-05-15 13:25:08,452 DEBUG [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - <Attempting to retrieve ticket [ST-4-yaGp66SconKtxo1v5ZCt-cassso.smartcampus.org]>
2015-05-15 13:25:08,453 INFO [org.jasig.cas.CentralAuthenticationServiceImpl] - <ServiceTicket [ST-4-yaGp66SconKtxo1v5ZCt-cassso.smartcampus.org] does not exist.>
2015-05-15 13:25:08,453 DEBUG [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - <Attempting to retrieve ticket [ST-4-yaGp66SconKtxo1v5ZCt-cassso.smartcampus.org]>
2015-05-15 13:25:08,453 INFO [com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO: audit:unknown
WHAT: ST-4-yaGp66SconKtxo1v5ZCt-cassso.smartcampus.org
ACTION: SERVICE_TICKET_VALIDATE_FAILED
APPLICATION: CAS
WHEN: Fri May 15 13:25:08 CEST 2015
CLIENT IP ADDRESS: 146.48.89.203
SERVER IP ADDRESS: 146.48.89.135
=============================================================

>
2015-05-15 13:25:08,453 DEBUG [org.jasig.cas.web.view.CasReloadableMessageBundle] - <No properties file found for [classpath:custom_messages_en] - neither plain properties nor XML>
2015-05-15 13:25:08,454 DEBUG [org.jasig.cas.web.view.CasReloadableMessageBundle] - <No properties file found for [classpath:custom_messages] - neither plain properties nor XML>
2015-05-15 13:25:08,454 DEBUG [org.jasig.cas.web.view.CasReloadableMessageBundle] - <No properties file found for [classpath:messages_en] - neither plain properties nor XML>
2015-05-15 13:25:08,454 DEBUG [org.jasig.cas.web.view.CasReloadableMessageBundle] - <Re-caching properties for filename [classpath:messages] - file hasn't been modified>

I modified the expiredtimeout of the ticket from 10 seconds to 600 seconds in 
ticketExpirationPolicies.xml, but it doesn't work.

Best
Gianluca

On Friday, 15 May 2015 11:12:56 UTC+2, Misagh Moayyed wrote:

Are you allowing attributes for release? Is your client talking to 
/p3/serviceValidate?



From: Gianluca Diodato [mailto:[email protected]]
Sent: Friday, May 15, 2015 1:41 AM
To: [email protected]
Subject: Re:[cas-user] Empty Attribute Map



Same problem with Java Cas Client but no answers yet from community..

I'm almost depressed.



Gianluca

On Thursday, 14 May 2015 12:33:26 UTC+2, Luís Lobo wrote:

Hi!



I am using CAS Server version 4.0.1 and I am having trouble with the 
attributes. The problem is that in the client side (phpCAS) the attribute 
map is empty.



The relevant parts in my deployerConfigContext.xml are:

<bean id="authenticationManager"
      class="org.jasig.cas.authentication.PolicyBasedAuthenticationManager">
    <constructor-arg>
        <map>
            <entry key-ref="userAuthHandler" value-ref="principalResolver" />
        </map>
    </constructor-arg>

    <property name="authenticationPolicy">
        <bean class="org.jasig.cas.authentication.AnyAuthenticationPolicy" />
    </property>
</bean>



The principal resolver is declared as:

<bean id="personAttributeDao"
      class="org.jasig.services.persondir.support.jdbc.SingleRowJdbcPersonAttributeDao">
    <constructor-arg index="0" ref="dataSource" />
    <constructor-arg index="1" value="${auth.resolverSql}" />
    <property name="queryAttributeMapping">
        <map>
            <entry key="username" value="username" />
        </map>
    </property>
    <property name="resultAttributeMapping">
        <map>
            <entry key="login" value="login" />
            <entry key="client_id" value="client_id" />
        </map>
    </property>
</bean>

<bean id="principalResolver"
      class="org.jasig.cas.authentication.principal.PersonDirectoryPrincipalResolver"
      p:principalAttributeName="username"
      p:attributeRepository-ref="personAttributeDao"
      p:returnNullIfNoAttributes="true" />


The relevant log line in the console is:

...


-- 
You are currently subscribed to [email protected] as: [email protected]
To unsubscribe, change settings or access archives, see 
http://www.ja-sig.org/wiki/display/JSG/cas-user
