Hello,

I still haven't figured this out. I have upgraded to CAS Server 3.3 just in case that was an issue. The behavior is still the same.

Here is my current environment:

- cas-server-webapp 3.3 (unmodified) running on apache tomcat 5.5.25. I am using the default authenticator out of the box where username=password is a valid login.
- My testcas.php (code pasted in my first message below) is using phpCAS 1.0.0 RC1 which I believe supports single sign out. This is running on apache.

I'm using SSL with self-signed certificates on the tomcat and the apache both. The trust store that tomcat is using includes the certificate for the apache host.

Signing in works great, I'm redirected as I should be, I sign in using the CAS login screen and I'm sent back to the PHP app. No problem.

However, when I go directly to the /logout url for my CAS instance, I see nothing in the logs. The apache access logs show nothing and the stdout from CAS has no indication that I've even logged off.

Here is what I see in the CAS stdout:

When I log in:

    2008-08-26 14:13:05,935 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] - <AuthenticationHandler: org.jasig.cas.authentication.handler.support.SimpleTestUsernamePasswordAuthenticationHandler successfully authenticated the user which provided the following credentials: [username: eric]>
    2008-08-26 14:13:05,950 INFO [org.jasig.cas.CentralAuthenticationServiceImpl] - <Granted service ticket [ST-2-Fna5aTPXu2bgs2UUCiFZ-cas] for service [http://mymachine/testcas.php] for user [eric]>

Then, when I visit http://mymachine:8080/cas/logout I get no additional log messages. Is this normal?

I'm at a loss here and I don't know what to try. I'm not even sure if I'm performing a valid test or not.

Here are my questions as of now:

1 - Is there any configuration that must happen on the CAS server side to turn on single sign out?

2 - When I visit the /logout url of my CAS service, should I at least see a log message indicating that I logged out?
I can't tell if the CAS service even thinks it is attempting to send sign out requests to my php app or not, since I'm not seeing any logs on the server side to indicate that it even knows I logged out. What should I be looking for?

3 - Generally, what has to happen for single sign out to work? Is it something that should happen automatically if the service and the client both support it? What happens if the client does not support it or is misconfigured? Should it still get the sign out request from the service but it just would not understand this request?

4 - Does the client have to make any special request from the server at sign in time to enable the sign out? Or does this happen automatically if the server supports single sign out?

I've never seen Single Sign Out work, but it is important to my project and I would like to get it working. What information can I provide to make this easier to diagnose? Again, I'm not even sure if I'm performing a valid test or not.

I am also willing to try this with some other simple client if someone could point me to some instructions. I will eventually need to get the PHP stuff working but if it would help to narrow down where my problem is I can try with some other kind of test application.

Thanks,
Eric

________________________________
From: Wyles, Eric
Sent: Monday, August 18, 2008 8:47 AM
To: 'Yale CAS mailing list'
Subject: RE: [LIKELY_SPAM]Re: CAS Server 3.2.1 - Single Sign Out questions...

Here is what I see in my apache ssl request log where I have the php page running:

When I initially hit the page and get redirected to CAS and log in, I see this:

    [18/Aug/2008:08:39:43 -0500] <ip address snipped> TLSv1 DHE-RSA-AES256-SHA "GET /testcas.php HTTP/1.1" 491
    [18/Aug/2008:08:39:54 -0500] <ip address snipped>TLSv1 DHE-RSA-AES256-SHA "GET /testcas.php?ticket=ST-1-axloMMkDVDCKEmcS5pGo-cas HTTP/1.1" 148
    [18/Aug/2008:08:39:56 -0500] <ip address snipped>TLSv1 DHE-RSA-AES256-SHA "GET /favicon.ico HTTP/1.1" 30894

But then, after I manually type in the url to my CAS /logout page, I don't get any other messages in the apache request logs for my php page.

________________________________
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Scott Battaglia
Sent: Monday, August 18, 2008 8:21 AM
To: Yale CAS mailing list
Subject: [LIKELY_SPAM]Re: CAS Server 3.2.1 - Single Sign Out questions...

On Mon, Aug 18, 2008 at 8:33 AM, Wyles, Eric <[EMAIL PROTECTED]> wrote:

> Scott,
>
> Do you know if this is the correct version of phpCAS? Do I have to do some special configuration to get Single Sign Out to be enabled or should it "just work" so to speak?

I'm not familiar with phpCAS. Maybe Pascal can respond.

> I am not seeing anything in my apache access log to indicate that my phpCAS page is even receiving a logout request after I visit the /logout page on the CAS server.

It would look like a request to the service url with the ticket id attached. It's not going to be a special url.

-Scott

________________________________
From: Wyles, Eric
Sent: Friday, August 15, 2008 3:11 PM
To: 'Yale CAS mailing list'
Subject: Re: CAS Server 3.2.1 - Single Sign Out questions...

I am using the 1.0.0 version from here:

http://www.ja-sig.org/downloads/cas-clients/php/1.0.0/CAS-1.0.0.tgz

I admit, I had a hard time figuring out if it was the version that supported Single Sign Out or not.
I'm not sure what to look for in the code, I can see functions related to processing logout requests but I'm not sure if that is related to Single Sign Out or just the local sign out from the php session.

________________________________
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Scott Battaglia
Sent: Friday, August 15, 2008 2:49 PM
To: Yale CAS mailing list
Subject: [LIKELY_SPAM]Re: CAS Server 3.2.1 - Single Sign Out questions...

Are you using the phpCAS version that supports Single Sign Out?

-Scott

-Scott Battaglia
PGP Public Key Id: 0x383733AA
LinkedIn: http://www.linkedin.com/in/scottbattaglia

On Fri, Aug 15, 2008 at 3:37 PM, Wyles, Eric <[EMAIL PROTECTED]> wrote:

> I think it was probably bad timing that I originally posted this just before the 3.3 version was released. I think everyone has been (understandably) busy with that. If anyone has any ideas about what I'm doing wrong below, I would appreciate the help.
>
> Thanks

________________________________
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Wyles, Eric
Sent: Wednesday, August 13, 2008 12:13 PM
To: [email protected]
Subject: CAS Server 3.2.1 - Single Sign Out questions...

Hello,

I have installed cas server 3.2.1. I am running the cas-server-webapp application on Tomcat 5.5. The only change I have made is to enable a FastBindLdapAuthenticator, otherwise, the cas-server-webapp is just how it came out of the box.

I'm trying to test Single Sign Out. Here is what I'm doing:

I have a simple PHP page running under apache using phpCAS. That is on https://mymachine/testcas.php. It works great for signing in. I can hit https://mymachine/testcas.php and then I'm redirected to my CAS login page at https://mymachine:8443/cas/login. After I enter my credentials, I'm sent back to my PHP page and it now knows who I am.

My next step was to test single sign out functionality.
I don't know if I need to configure something to support this or if I have a poor test case or what the deal is exactly. Here are my steps:

1 - Go to https://mymachine/testcas.php
2 - I am redirected to https://mymachine:8443/cas/login where I enter my credentials
3 - I am then redirected back to https://mymachine/testcas.php (with ticket information) and my testcas.php uses the ticket to figure out who I am.
4 - I then manually go to https://mymachine:8443/cas/logout and I see the CAS "logout successful" message
5 - Then, I manually go back to https://mymachine/testcas.php and it still considers me to be logged in. Also, I don't see anything in my apache access logs to indicate that the CAS server posted a sign out request to my testcas.php page.

Is this a good test? Is there something I need to configure to enable single sign out? I am pasting my testcas.php code below. Any advice would be appreciated.

Thanks,
Eric

    <?php
    include_once('CAS.php');

    // Turn on phpCAS debug logging.
    phpCAS::setDebug();
    // CAS 2.0 protocol client for the server at https://mymachine:8443/cas
    phpCAS::client(CAS_VERSION_2_0,'mymachine',8443,'cas');
    // Skip validation of the CAS server's SSL certificate.
    phpCAS::setNoCasServerValidation();
    // Redirect to the CAS login page unless already authenticated.
    phpCAS::forceAuthentication();

    if (isset($_REQUEST['logout'])) {
        phpCAS::logout();
    }
    ?>
    <html>
    <head>
    </head>
    <body>
    <div id="page">
    <?php echo phpCAS::getUser(); ?> logged in.
    </div>
    </body>
    </html>

Confidentiality Notice: This e-mail message, including any attachments, is for the sole use of the intended recipient(s) and may contain confidential and privileged information. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply e-mail and destroy all copies of the original message.

_______________________________________________
Yale CAS mailing list
[email protected]
http://tp.its.yale.edu/mailman/listinfo/cas
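
Question 3 in the thread asks what has to happen for single sign out to work. As an added illustration (not part of the thread and not phpCAS's own code): on logout the CAS server itself, not the browser, POSTs a `logoutRequest` form field carrying a SAML LogoutRequest to each service URL it issued a ticket for, and the client has to end the local session tied to that ticket. `extractLoggedOutTicket`, `handleLogoutPost` and the `$sessions` map are hypothetical names, and the request body is a constructed, trimmed sample.

```php
<?php
// Added example, not phpCAS code. The sample request below is constructed.
const SAMLP_NS = 'urn:oasis:names:tc:SAML:2.0:protocol';

/** Return the service ticket named in a CAS logoutRequest, or null if invalid. */
function extractLoggedOutTicket(string $xml): ?string
{
    // Refuse empty input and DTDs outright so entity tricks never reach the parser.
    if ($xml === '' || stripos($xml, '<!DOCTYPE') !== false || stripos($xml, '<!ENTITY') !== false) {
        return null;
    }
    $prev = libxml_use_internal_errors(true);   // keep parse warnings out of the response
    $doc = new DOMDocument();
    $ok = $doc->loadXML($xml, LIBXML_NONET);    // no network fetches while parsing
    libxml_clear_errors();
    libxml_use_internal_errors($prev);
    if (!$ok || $doc->documentElement->namespaceURI !== SAMLP_NS
        || $doc->documentElement->localName !== 'LogoutRequest') {
        return null;
    }
    $nodes = $doc->getElementsByTagNameNS(SAMLP_NS, 'SessionIndex');
    if ($nodes->length !== 1) {
        return null;
    }
    $ticket = trim($nodes->item(0)->textContent);
    // The ticket becomes a lookup key, so accept only the expected shape.
    return preg_match('/\AST-[A-Za-z0-9.\-]{1,250}\z/', $ticket) ? $ticket : null;
}

/** Hypothetical handler: $sessions maps service ticket => local session data. */
function handleLogoutPost(string $method, array $post, array &$sessions): bool
{
    if ($method !== 'POST' || !is_string($post['logoutRequest'] ?? null)) {
        return false;              // ordinary page view, not a logout callback
    }
    $ticket = extractLoggedOutTicket($post['logoutRequest']);
    if ($ticket === null || !isset($sessions[$ticket])) {
        return false;              // malformed request or unknown ticket
    }
    unset($sessions[$ticket]);     // the local session for that ticket ends here
    return true;
}

// Constructed sample: the session created at login, and the callback body.
$sessions = ['ST-1-axloMMkDVDCKEmcS5pGo-cas' => ['user' => 'eric']];
$body = '<samlp:LogoutRequest xmlns:samlp="' . SAMLP_NS . '" ID="LR-1" Version="2.0"'
      . ' IssueInstant="2008-08-18T08:40:30Z"><samlp:SessionIndex>'
      . 'ST-1-axloMMkDVDCKEmcS5pGo-cas</samlp:SessionIndex></samlp:LogoutRequest>';
var_dump(handleLogoutPost('POST', ['logoutRequest' => $body], $sessions));
```

Because the callback is a server-to-server POST, it appears in the client's access log with the CAS host as the source address, and the client can only act on it if it recorded the service ticket against the session at login.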
