If you go to http, logout doesn't even have access to the cookie (unless you've changed the configuration to say unsecure)
-Scott

-Scott Battaglia
PGP Public Key Id: 0x383733AA
LinkedIn: http://www.linkedin.com/in/scottbattaglia

On Tue, Aug 26, 2008 at 3:25 PM, Wyles, Eric <[EMAIL PROTECTED]> wrote:
> Hello,
>
> I still haven't figured this out. I have upgraded to CAS Server 3.3 just in case that was an issue. The behavior is still the same.
>
> Here is my current environment:
>
> - cas-server-webapp 3.3 (unmodified) running on apache tomcat 5.5.25. I am using the default authenticator out of the box where username=password is a valid login.
>
> - My testcas.php (code pasted in my first message below) is using phpCAS 1.0.0 RC1 which I believe supports single sign out. This is running on apache.
>
> I'm using SSL with self-signed certificates on the tomcat and the apache both. The trust store that tomcat is using includes the certificate for the apache host.
>
> Signing in works great, I'm redirected as I should be, I sign in using the CAS login screen and I'm sent back to the PHP app. No problem.
>
> However, when I go directly to the /logout url for my CAS instance, I see nothing in the logs. The apache access logs show nothing and the stdout from CAS has no indication that I've even logged off. Here is what I see in the CAS stdout:
>
> When I log in:
>
> 2008-08-26 14:13:05,935 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] - <AuthenticationHandler: org.jasig.cas.authentication.handler.support.SimpleTestUsernamePasswordAuthenticationHandler successfully authenticated the user which provided the following credentials: [username: eric]>
>
> 2008-08-26 14:13:05,950 INFO [org.jasig.cas.CentralAuthenticationServiceImpl] - <Granted service ticket [ST-2-Fna5aTPXu2bgs2UUCiFZ-cas] for service [http://mymachine/testcas.php] for user [eric]>
>
> Then, when I visit http://mymachine:8080/cas/logout I get no additional log messages. Is this normal?
>
> I'm at a loss here and I don't know what to try. I'm not even sure if I'm performing a valid test or not.
>
> Here are my questions as of now:
>
> 1 – Is there any configuration that must happen on the CAS server side to turn on single sign out?
>
> 2 – When I visit the /logout url of my CAS service, should I at least see a log message indicating that I logged out? I can't tell if the CAS service even thinks it is attempting to send sign out requests to my php app or not, since I'm not seeing any logs on the server side to indicate that it even knows I logged out. What should I be looking for?
>
> 3 – Generally, what has to happen for single sign out to work? Is it something that should happen automatically if the service and the client both support it? What happens if the client does not support it or is misconfigured? Should it still get the sign out request from the service but it just would not understand this request?
>
> 4 – Does the client have to make any special request from the server at sign in time to enable the sign out? Or does this happen automatically if the server supports single sign out?
>
> I've never seen Single Sign Out work, but it is important to my project and I would like to get it working. What information can I provide to make this easier to diagnose?
>
> Again, I'm not even sure if I'm performing a valid test or not.
>
> I am also willing to try this with some other simple client if someone could point me to some instructions. I will eventually need to get the PHP stuff working but if it would help to narrow down where my problem is I can try with some other kind of test application.
>
> Thanks,
>
> Eric
>
> ------------------------------
>
> *From:* Wyles, Eric
> *Sent:* Monday, August 18, 2008 8:47 AM
> *To:* 'Yale CAS mailing list'
> *Subject:* RE: [LIKELY_SPAM]Re: CAS Server 3.2.1 - Single Sign Out questions...
>
> Here is what I see in my apache ssl request log where I have the php page running:
>
> When I initially hit the page and get redirected to CAS and log in, I see this:
>
> [18/Aug/2008:08:39:43 -0500] <ip address snipped> TLSv1 DHE-RSA-AES256-SHA "GET /testcas.php HTTP/1.1" 491
>
> [18/Aug/2008:08:39:54 -0500] <ip address snipped>TLSv1 DHE-RSA-AES256-SHA "GET /testcas.php?ticket=ST-1-axloMMkDVDCKEmcS5pGo-cas HTTP/1.1" 148
>
> [18/Aug/2008:08:39:56 -0500] <ip address snipped>TLSv1 DHE-RSA-AES256-SHA "GET /favicon.ico HTTP/1.1" 30894
>
> But then, after I manually type in the url to my CAS /logout page, I don't get any other messages in the apache request logs for my php page.
>
> ------------------------------
>
> *From:* [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] *On Behalf Of *Scott Battaglia
> *Sent:* Monday, August 18, 2008 8:21 AM
> *To:* Yale CAS mailing list
> *Subject:* [LIKELY_SPAM]Re: CAS Server 3.2.1 - Single Sign Out questions...
>
> On Mon, Aug 18, 2008 at 8:33 AM, Wyles, Eric <[EMAIL PROTECTED]> wrote:
>
> Scott,
>
> Do you know if this is the correct version of phpCAS? Do I have to do some special configuration to get Single Sign Out to be enabled or should it "just work" so to speak?
>
> I'm not familiar with phpCAS. Maybe Pascal can respond.
>
> I am not seeing anything in my apache access log to indicate that my phpCAS page is even receiving a logout request after I visit the /logout page on the CAS server.
>
> It would look like a request to the service url with the ticket id attached. It's not going to be a special url.
>
> -Scott
>
> ------------------------------
>
> *From:* Wyles, Eric
> *Sent:* Friday, August 15, 2008 3:11 PM
> *To:* 'Yale CAS mailing list'
> *Subject:* Re: CAS Server 3.2.1 - Single Sign Out questions...
>
> I am using the 1.0.0 version from here: http://www.ja-sig.org/downloads/cas-clients/php/1.0.0/CAS-1.0.0.tgz
>
> I admit, I had a hard time figuring out if it was the version that supported Single Sign Out or not.
>
> I'm not sure what to look for in the code, I can see functions related to processing logout requests but I'm not sure if that is related to Single Sign Out or just the local sign out from the php session.
>
> ------------------------------
>
> *From:* [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] *On Behalf Of *Scott Battaglia
> *Sent:* Friday, August 15, 2008 2:49 PM
> *To:* Yale CAS mailing list
> *Subject:* [LIKELY_SPAM]Re: CAS Server 3.2.1 - Single Sign Out questions...
>
> Are you using the phpCAS version that supports Single Sign Out?
>
> -Scott
>
> -Scott Battaglia
> PGP Public Key Id: 0x383733AA
> LinkedIn: http://www.linkedin.com/in/scottbattaglia
>
> On Fri, Aug 15, 2008 at 3:37 PM, Wyles, Eric <[EMAIL PROTECTED]> wrote:
>
> I think it was probably bad timing that I originally posted this just before the 3.3 version was released. I think everyone has been (understandably) busy with that.
>
> If anyone has any ideas about what I'm doing wrong below, I would appreciate the help.
>
> Thanks
>
> ------------------------------
>
> *From:* [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] *On Behalf Of *Wyles, Eric
> *Sent:* Wednesday, August 13, 2008 12:13 PM
> *To:* [email protected]
> *Subject:* CAS Server 3.2.1 - Single Sign Out questions...
>
> Hello,
>
> I have installed cas server 3.2.1. I am running the cas-server-webapp application on Tomcat 5.5. The only change I have made is to enable a FastBindLdapAuthenticator, otherwise, the cas-server-webapp is just how it came out of the box.
>
> I'm trying to test Single Sign Out. Here is what I'm doing:
>
> I have a simple PHP page running under apache using phpCAS. That is on https://mymachine/testcas.php.
> It works great for signing in. I can hit https://mymachine/testcas.php and then I'm redirected to my CAS login page at https://mymachine:8443/cas/login. After I enter my credentials, I'm sent back to my PHP page and it now knows who I am.
>
> My next step was to test single sign out functionality. I don't know if I need to configure something to support this or if I have a poor test case or what the deal is exactly. Here are my steps:
>
> 1 – Go to https://mymachine/testcas.php
>
> 2 – I am redirected to https://mymachine:8443/cas/login where I enter my credentials
>
> 3 – I am then redirected back to https://mymachine/testcas.php (with ticket information) and my testcas.php uses the ticket to figure out who I am.
>
> 4 – I then manually go to https://mymachine:8443/cas/logout and I see the CAS "logout successful" message
>
> 5 – Then, I manually go back to https://mymachine/testcas.php and it still considers me to be logged in.
>
> Also, I don't see anything in my apache access logs to indicate that the CAS server posted a sign out request to my testcas.php page.
>
> Is this a good test?
>
> Is there something I need to configure to enable single sign out?
>
> I am pasting my testcas.php code below. Any advice would be appreciated.
>
> Thanks,
>
> Eric
>
> <?php
>
> include_once('CAS.php');
>
> phpCAS::setDebug();
> phpCAS::client(CAS_VERSION_2_0,'mymachine',8443,'cas');
> phpCAS::setNoCasServerValidation();
> phpCAS::forceAuthentication();
> if (isset($_REQUEST['logout'])) {
>     phpCAS::logout();
> }
> ?>
>
> <html>
> <head>
> </head>
> <body>
> <div id="page">
> <?php echo phpCAS::getUser(); ?> logged in.
> </div>
> </body>
> </html>
>
> Confidentiality Notice: This e-mail message, including any attachments, is for the sole use of the intended recipient(s) and may contain confidential and privileged information.
> Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply e-mail and destroy all copies of the original message.
_______________________________________________ Yale CAS mailing list [email protected] http://tp.its.yale.edu/mailman/listinfo/cas
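The reply at the top of this thread says that over plain http the logout page never sees the cookie. The following Python model of that behaviour is an added example, not code from the thread or from CAS. The host name `sso.example.org` (standing in for `mymachine`), the cookie name `CASTGC`, the `/cas` path and the ticket value are assumptions constructed for the demonstration.

```python
from http.cookiejar import Cookie, CookieJar
from urllib.request import Request

# Constructed values: host, cookie name, path and ticket are assumptions.
CAS_HOST = "sso.example.org"


def make_tgc(secure=True):
    """Build the ticket-granting cookie as the client stored it after login."""
    return Cookie(
        version=0, name="CASTGC", value="TGT-1-constructed",
        port=None, port_specified=False,
        domain=CAS_HOST, domain_specified=False, domain_initial_dot=False,
        path="/cas", path_specified=True,
        secure=secure, expires=None, discard=True,
        comment=None, comment_url=None, rest={},
    )


def cookie_header_for(url, secure=True):
    """Return the Cookie header a client would attach to `url`, or None."""
    jar = CookieJar()
    jar.set_cookie(make_tgc(secure))
    req = Request(url)
    jar.add_cookie_header(req)  # applies the Secure, domain and path rules
    return req.get_header("Cookie")


def logout_sees_session(url, secure=True):
    """True if /logout receives the cookie and can find the session to end."""
    return cookie_header_for(url, secure) is not None


if __name__ == "__main__":
    for url in (f"https://{CAS_HOST}:8443/cas/logout",
                f"http://{CAS_HOST}:8080/cas/logout"):
        print(url, "->", cookie_header_for(url))
```

When testing single sign out, request `/logout` over the same https origin used for `/login`; otherwise the server has no ticket-granting cookie to act on, which matches the empty logs described in the thread.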
