Re: [cas-user] Re: CAS OKTA integration

2019-12-22 Thread Jérôme LELEU
Hi,

If you use the SAML authentication delegation to Okta, there is a
SAML2ClientLogoutAction component which should retrieve the user profile
and send a logout request to Okta when you trigger a CAS logout (
https://github.com/apereo/cas/blob/5.1.x/support/cas-server-support-pac4j-core-clients/src/main/java/org/apereo/cas/support/pac4j/web/flow/SAML2ClientLogoutAction.java
).
This may not work for a cluster. Turn on DEBUG logs on this component to
see what happens.
Thanks.
Best regards,
Jérôme


On Fri, 20 Dec 2019 at 09:50, Filip Majernik wrote:

> I am using CAS 5.1.1 which comes with pac4j 2.0.0
>

Re: [cas-user] Re: CAS OKTA integration

2019-12-20 Thread Filip Majernik
I am using CAS 5.1.1 which comes with pac4j 2.0.0

On Friday, December 20, 2019 at 8:34:55 AM UTC+1, leleuj wrote:
>
> Hi,
>
> Which version of CAS (and pac4j) do you use? Do you have one or more CAS 
> servers?
> Thanks.
> Best regards,
> Jérôme
>

Re: [cas-user] Re: CAS OKTA integration

2019-12-19 Thread Jérôme LELEU
Hi,

Which version of CAS (and pac4j) do you use? Do you have one or more CAS
servers?
Thanks.
Best regards,
Jérôme

On Thu, 19 Dec 2019 at 17:28, Filip Majernik wrote:

> Hi Sarika,
> I am facing the same issue. The SAML logout request to Okta does not work.
> After debugging I have found out that in pac4j's implementation in
> SAML2LogoutRequestBuilder the UserProfile cannot be retrieved from the
> context, hence no sessionIndex as nameId is added to the request. This
> UserProfile should be created and kept in session after the user has
> successfully authenticated in the IdP, but it isn't. Looking at the Pac4J
> documentation I assume, that there is no CallbackFilter in CAS initialized
> which would store the UserProfile in the session, but I cannot confirm this.
>
> Does anybody know how to make this work?
>
> Thanks,
> Filip
>

[cas-user] Re: CAS OKTA integration

2019-12-19 Thread Filip Majernik
Hi Sarika,
I am facing the same issue. The SAML logout request to Okta does not work.
After debugging I have found out that in pac4j's implementation in
SAML2LogoutRequestBuilder the UserProfile cannot be retrieved from the
context, hence no sessionIndex or nameId is added to the request. This
UserProfile should be created and kept in the session after the user has
successfully authenticated at the IdP, but it isn't. Looking at the pac4j
documentation, I assume that there is no CallbackFilter initialized in CAS
which would store the UserProfile in the session, but I cannot confirm this.

Does anybody know how to make this work?

Thanks,
Filip


On Friday, September 14, 2018 at 7:24:44 AM UTC+2, sarika deshmukh wrote:
>
> Hi,
>
> Is there any update on this issue?
>
> Thanks in advance.
>
>
> On Tuesday, 4 September 2018 18:34:10 UTC+5:30, sarika deshmukh wrote:
>>
>> Hi Ganesh,
>>
>> Sorry for the late reply.
>> I have checked logs as well, it seems like CAS is not connecting with 
>> OKTA at the time of logout.
>>
>> log details:
>> 2018-09-04 17:29:21,173 DEBUG 
>> [org.apereo.cas.support.saml.services.SamlIdPSingleLogoutServiceLogoutUrlBuilder]
>>  
>> - https://.*, name=HTTPS, 
>> theme=null, informationUrl=null, privacyUrl=null, responseType=null, 
>> id=1001, description=This service definition authorizes all application 
>> urls that support HTTPS and IMAPS protocols., 
>> expirationPolicy=DefaultRegisteredServiceExpirationPolicy(deleteWhenExpired=false,
>>  
>> notifyWhenDeleted=false, expirationDate=null), 
>> proxyPolicy=org.apereo.cas.services.RefuseRegisteredServiceProxyPolicy@1, 
>> evaluationOrder=1, 
>> usernameAttributeProvider=org.apereo.cas.services.DefaultRegisteredServiceUsernameProvider@87297e2,
>>  
>> logoutType=BACK_CHANNEL, requiredHandlers=[], 
>> attributeReleasePolicy=ReturnAllowedAttributeReleasePolicy(super=AbstractRegisteredServiceAttributeReleasePolicy(attributeFilter=null,
>>  
>> principalAttributesRepository=DefaultPrincipalAttributesRepository(), 
>> consentPolicy=DefaultRegisteredServiceConsentPolicy(enabled=true, 
>> excludedAttributes=null, includeOnlyAttributes=null), 
>> authorizedToReleaseCredentialPassword=false, 
>> authorizedToReleaseProxyGrantingTicket=false, 
>> excludeDefaultAttributes=false, 
>> authorizedToReleaseAuthenticationAttributes=true, 
>> principalIdAttribute=null), allowedAttributes=[]), 
>> multifactorPolicy=DefaultRegisteredServiceMultifactorPolicy(multifactorAuthenticationProviders=[],
>>  
>> failureMode=NOT_SET, principalAttributeNameTrigger=null, 
>> principalAttributeValueToMatch=null, bypassEnabled=false), logo=null, 
>> logoutUrl=https://localhost:8443/cas/logout, 
>> accessStrategy=DefaultRegisteredServiceAccessStrategy(order=0, 
>> enabled=true, ssoEnabled=true, unauthorizedRedirectUrl=null, 
>> delegatedAuthenticationPolicy=DefaultRegisteredServiceDelegatedAuthenticationPolicy(allowedProviders=[SAML2Client]),
>>  
>> requireAllAttributes=true, requiredAttributes={}, rejectedAttributes={}, 
>> caseInsensitive=false), publicKey=null, properties={}, contacts=[])] is not 
>> a SAML service, or its logout url could not be determined>
>> 2018-09-04 17:29:21,173 DEBUG 
>> [org.apereo.cas.logout.DefaultSingleLogoutServiceLogoutUrlBuilder] - 
>> https://localhost:8443/cas/logout] for 
>> service [AbstractWebApplicationService(id=
>> https://localhost:8443/vcm/j_spring_cas_security_check, originalUrl=
>> https://localhost:8443/vcm/j_spring_cas_security_check, artifactId=null, 
>> principal=us...@company.com , source=service, 
>> loggedOutAlready=false, format=XML, attributes={})]>
>> 2018-09-04 17:29:21,174 DEBUG 
>> [org.apereo.cas.logout.DefaultSingleLogoutServiceMessageHandler] - 
>> https://localhost:8443/cas/logout]] for service 
>> [AbstractWebApplicationService(id=
>> https://localhost:8443/vcm/j_spring_cas_security_check, originalUrl=
>> https://localhost:8443/vcm/j_spring_cas_security_check, artifactId=null, 
>> principal=us...@company.com , source=service, 
>> loggedOutAlready=false, format=XML, attributes={})]>
>> 2018-09-04 17:29:21,174 DEBUG 
>> [org.apereo.cas.logout.DefaultSingleLogoutServiceMessageHandler] - 
>> > https://localhost:8443/vcm/j_spring_cas_security_check, originalUrl=
>> https://localhost:8443/vcm/j_spring_cas_security_check, artifactId=null, 
>> principal=us...@company.com , source=service, 
>> loggedOutAlready=false, format=XML, attributes={})] and ticket id 
>> [ST-1-SDZwYUPRAVYcRYqnvtBi0D-XrIQSCS-S12]>
>> 2018-09-04 17:29:21,401 DEBUG 
>> [org.apereo.cas.logout.DefaultSingleLogoutServiceMessageHandler] - > request 
>> [DefaultLogoutRequest(ticketId=ST-1-SDZwYUPRAVYcRYqnvtBi0D-XrIQSCS-S12, 
>> service=AbstractWebApplicationService(id=
>> https://localhost:8443/vcm/j_spring_cas_security_check, originalUrl=
>> https://localhost:8443/vcm/j_spring_cas_security_check, artifactId=null, 
>> principal=us...@company.com , source=service, 
>> loggedOutAlready=false, format=XML, attributes={}), 
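Added example (an editor's illustration, not code from this thread, from CAS or from pac4j) of the request Filip describes above and of the cluster caveat in Jérôme's 2019-12-22 reply: a Python model that builds the SAML 2.0 LogoutRequest from the profile pac4j keeps in the web session, plus the IdP-side check that shows why a request built without that profile cannot end any session. The SP entity ID is the one Sarika posted; the Okta SLO endpoint, the profile values and the per-node session store are constructed, and signing of the request (required by the spec and by Okta) is left out.

```python
"""Model of the SAML 2.0 LogoutRequest that CAS/pac4j sends to the IdP.

Added example, not CAS or pac4j code. It shows why the request is useless
without the UserProfile (NameID + SessionIndex) pac4j stores in the web
session, and how a non-replicated session loses that profile in a cluster.
"""
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)

SP_ENTITY_ID = "urn:herb:saml:pac4j.org"                      # SP issuer from the thread
IDP_SLO_URL = "https://example.okta.com/app/example/slo/saml"  # hypothetical SLO endpoint


class NodeSessionStore:
    """In-memory web session of one CAS node (nothing is replicated between nodes)."""

    def __init__(self, name):
        self.name = name
        self._profiles = {}

    def save_profile(self, session_id, profile):
        self._profiles[session_id] = profile

    def get_profile(self, session_id):
        return self._profiles.get(session_id)


def build_logout_request(profile):
    """Build the LogoutRequest from the stored SAML2 profile (None if it is missing).

    Returns (xml_text, problems). A real request must also be signed with
    the SP key; that step is out of scope for this model.
    """
    problems = []
    root = ET.Element(f"{{{SAMLP}}}LogoutRequest", {
        "ID": "_" + uuid.uuid4().hex,
        "Version": "2.0",
        "IssueInstant": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "Destination": IDP_SLO_URL,
    })
    ET.SubElement(root, f"{{{SAML}}}Issuer").text = SP_ENTITY_ID
    if profile is None:
        # The situation Filip describes: no profile in the context, so neither
        # NameID nor SessionIndex can be filled in.
        problems.append("no UserProfile in session: NameID and SessionIndex omitted")
    else:
        name_id = ET.SubElement(root, f"{{{SAML}}}NameID",
                                {"Format": profile["name_id_format"]})
        name_id.text = profile["name_id"]
        ET.SubElement(root, f"{{{SAMLP}}}SessionIndex").text = profile["session_index"]
    return ET.tostring(root, encoding="unicode"), problems


def idp_validate_logout_request(xml_text, expected_issuer=SP_ENTITY_ID):
    """Checks an IdP performs before terminating a session. Returns (ok, reason)."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP}}}LogoutRequest":
        return False, "not a LogoutRequest"
    if root.findtext(f"{{{SAML}}}Issuer") != expected_issuer:
        return False, "unknown issuer"
    name_id = root.find(f"{{{SAML}}}NameID")
    if name_id is None or not (name_id.text or "").strip():
        return False, "NameID missing: IdP cannot tell whose session to terminate"
    if not (root.findtext(f"{{{SAMLP}}}SessionIndex") or "").strip():
        return False, "SessionIndex missing: IdP cannot match the session"
    return True, "ok"


def logout_via_node(node, session_id):
    """CAS logout as handled by one node: read the profile from *its* session, build, validate."""
    xml_text, problems = build_logout_request(node.get_profile(session_id))
    ok, reason = idp_validate_logout_request(xml_text)
    return ok, reason, problems


# Constructed profile, in the shape pac4j keeps after a successful Okta response.
PROFILE = {
    "name_id": "user@example.com",
    "name_id_format": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
    "session_index": "_8f0c3b1e-constructed-session-index",
}

if __name__ == "__main__":
    node_a, node_b = NodeSessionStore("cas-a"), NodeSessionStore("cas-b")
    node_a.save_profile("JSESSIONID-1", PROFILE)     # the Okta callback landed on node A
    print(logout_via_node(node_a, "JSESSIONID-1"))   # (True, 'ok', [])
    print(logout_via_node(node_b, "JSESSIONID-1"))   # logout hit node B: NameID missing
```

Running it shows the two outcomes: when the logout reaches the node that handled the Okta callback, the request carries NameID and SessionIndex and passes the IdP checks; when it reaches another node whose session was never replicated, the profile is absent and the IdP has nothing to terminate, which reproduces the empty request Filip describes regardless of its cause in his deployment.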

[cas-user] Re: CAS OKTA integration

2018-09-13 Thread sarika deshmukh
Hi,

Is there any update on this issue?

Thanks in advance.


On Tuesday, 4 September 2018 18:34:10 UTC+5:30, sarika deshmukh wrote:
>
> Hi Ganesh,
>
> Sorry for the late reply.
> I have checked the logs as well; it seems like CAS is not connecting to OKTA 
> at the time of logout.
>
> log details:
> 2018-09-04 17:29:21,173 DEBUG 
> [org.apereo.cas.support.saml.services.SamlIdPSingleLogoutServiceLogoutUrlBuilder]
> - https://.*, name=HTTPS, 
> theme=null, informationUrl=null, privacyUrl=null, responseType=null, 
> id=1001, description=This service definition authorizes all application 
> urls that support HTTPS and IMAPS protocols., 
> expirationPolicy=DefaultRegisteredServiceExpirationPolicy(deleteWhenExpired=false,
> notifyWhenDeleted=false, expirationDate=null), 
> proxyPolicy=org.apereo.cas.services.RefuseRegisteredServiceProxyPolicy@1, 
> evaluationOrder=1, 
> usernameAttributeProvider=org.apereo.cas.services.DefaultRegisteredServiceUsernameProvider@87297e2,
> logoutType=BACK_CHANNEL, requiredHandlers=[], 
> attributeReleasePolicy=ReturnAllowedAttributeReleasePolicy(super=AbstractRegisteredServiceAttributeReleasePolicy(attributeFilter=null,
> principalAttributesRepository=DefaultPrincipalAttributesRepository(), 
> consentPolicy=DefaultRegisteredServiceConsentPolicy(enabled=true, 
> excludedAttributes=null, includeOnlyAttributes=null), 
> authorizedToReleaseCredentialPassword=false, 
> authorizedToReleaseProxyGrantingTicket=false, 
> excludeDefaultAttributes=false, 
> authorizedToReleaseAuthenticationAttributes=true, 
> principalIdAttribute=null), allowedAttributes=[]), 
> multifactorPolicy=DefaultRegisteredServiceMultifactorPolicy(multifactorAuthenticationProviders=[],
> failureMode=NOT_SET, principalAttributeNameTrigger=null, 
> principalAttributeValueToMatch=null, bypassEnabled=false), logo=null, 
> logoutUrl=https://localhost:8443/cas/logout, 
> accessStrategy=DefaultRegisteredServiceAccessStrategy(order=0, 
> enabled=true, ssoEnabled=true, unauthorizedRedirectUrl=null, 
> delegatedAuthenticationPolicy=DefaultRegisteredServiceDelegatedAuthenticationPolicy(allowedProviders=[SAML2Client]),
> requireAllAttributes=true, requiredAttributes={}, rejectedAttributes={}, 
> caseInsensitive=false), publicKey=null, properties={}, contacts=[])] is not 
> a SAML service, or its logout url could not be determined>
> 2018-09-04 17:29:21,173 DEBUG 
> [org.apereo.cas.logout.DefaultSingleLogoutServiceLogoutUrlBuilder] - 
> https://localhost:8443/cas/logout] for 
> service [AbstractWebApplicationService(id=
> https://localhost:8443/vcm/j_spring_cas_security_check, originalUrl=
> https://localhost:8443/vcm/j_spring_cas_security_check, artifactId=null, 
> principal=u...@company.com, source=service, loggedOutAlready=false, 
> format=XML, attributes={})]>
> 2018-09-04 17:29:21,174 DEBUG 
> [org.apereo.cas.logout.DefaultSingleLogoutServiceMessageHandler] - 
> https://localhost:8443/cas/logout]] for service 
> [AbstractWebApplicationService(id=
> https://localhost:8443/vcm/j_spring_cas_security_check, originalUrl=
> https://localhost:8443/vcm/j_spring_cas_security_check, artifactId=null, 
> principal=u...@company.com, source=service, loggedOutAlready=false, 
> format=XML, attributes={})]>
> 2018-09-04 17:29:21,174 DEBUG 
> [org.apereo.cas.logout.DefaultSingleLogoutServiceMessageHandler] - 
>  https://localhost:8443/vcm/j_spring_cas_security_check, originalUrl=
> https://localhost:8443/vcm/j_spring_cas_security_check, artifactId=null, 
> principal=u...@company.com, source=service, loggedOutAlready=false, 
> format=XML, attributes={})] and ticket id 
> [ST-1-SDZwYUPRAVYcRYqnvtBi0D-XrIQSCS-S12]>
> 2018-09-04 17:29:21,401 DEBUG 
> [org.apereo.cas.logout.DefaultSingleLogoutServiceMessageHandler] -  request 
> [DefaultLogoutRequest(ticketId=ST-1-SDZwYUPRAVYcRYqnvtBi0D-XrIQSCS-S12, 
> service=AbstractWebApplicationService(id=
> https://localhost:8443/vcm/j_spring_cas_security_check, originalUrl=
> https://localhost:8443/vcm/j_spring_cas_security_check, artifactId=null, 
> principal=u...@company.com, source=service, loggedOutAlready=false, 
> format=XML, attributes={}), status=NOT_ATTEMPTED, logoutUrl=
> https://localhost:8443/cas/logout)] created for 
> [AbstractWebApplicationService(id=
> https://localhost:8443/vcm/j_spring_cas_security_check, originalUrl=
> https://localhost:8443/vcm/j_spring_cas_security_check, artifactId=null, 
> principal=u...@company.com, source=service, loggedOutAlready=false, 
> format=XML, attributes={})] and ticket id 
> [ST-1-SDZwYUPRAVYcRYqnvtBi0D-XrIQSCS-S12]>
> 2018-09-04 17:29:21,401 DEBUG 
> [org.apereo.cas.logout.DefaultSingleLogoutServiceMessageHandler] -  type registered for [AbstractWebApplicationService(id=
> https://localhost:8443/vcm/j_spring_cas_security_check, originalUrl=
> https://localhost:8443/vcm/j_spring_cas_security_check, artifactId=null, 
> principal=u...@company.com, source=service, loggedOutAlready=false, 
> format=XML, attributes={})] is 

Re: [cas-user] Re: CAS OKTA integration

2018-08-13 Thread Ganesh and Sashi Prasad
When you click on a Logout link, it goes to

https://cas.mydomain.com/cas/logout?service=http://www.myapp.mydomain.com

The name of the application from which the logout was triggered is passed
as the value of the parameter "service".

If you had said

cas.logout.redirectParameter=ratatouille

then the link would go to
https://cas.mydomain.com/cas/logout?ratatouille=http://www.myapp.mydomain.com

I'm not sure why it's not working. Have you looked at the logs?

Ganesh


On 13 August 2018 at 22:26, sarika deshmukh  wrote:

> Hi Ganesh,
>
> I have added those properties in cas.properties.But no luck.
>
>  what exactly that service stands for in this property below,
> cas.logout.redirectParameter =service
>
> Is there anything still missing?
>

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAOEeopjBxREZwf0SZ1skmdxr5Maq9UHkc6cYxGh6aDcBE6y1Fw%40mail.gmail.com.


[cas-user] Re: CAS OKTA integration

2018-08-13 Thread sarika deshmukh
Hi Ganesh,

I have added those properties in cas.properties, but no luck.

What exactly does that "service" stand for in this property below?
cas.logout.redirectParameter=service

Is there anything still missing?





Re: [cas-user] Re: CAS OKTA integration

2018-08-13 Thread Ganesh and Sashi Prasad
Have you got these entries in your properties file?

cas.logout.followServiceRedirects=true
cas.logout.redirectParameter=service
# cas.logout.confirmLogout=false
# cas.logout.removeDescendantTickets=false

The first two are particularly important.

I'm assuming that your application has a logout button that is linked to
the CAS logout page. These settings above will cascade the logout to Okta
and therefore to all other applications depending on Okta as the Identity
Provider (IdP).

Regards,
Ganesh


On 13 August 2018 at 16:27, sarika deshmukh  wrote:

> Hello everyone,
>
> I am working on OKTA Logout and facing some issues while implementing it.
>
> I have added signout parameters in OKTA account as below:
>
> Single Logout URL: https://localhost:8443/cas/logout
> SP issuer: urn:herb:saml:pac4j.org
>
> and also got Signature Certificate from OKTA and added it.
> but still, OKTA account is not properly logged out from the application.
>
>
> Do we need to add the service registry for Logout so that CAS will be able
> to connect with OKTA for logout?
> Is there anything missing from my side?
>
> Thanks,
> Sarika D.
>

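Added example (an editor's model, not CAS code) of what the two properties Ganesh lists above govern and of the check a practitioner wants on them: cas.logout.redirectParameter names the query parameter read on /cas/logout (the one Ganesh renames to "ratatouille" in his other reply) and cas.logout.followServiceRedirects decides whether it is honoured at all. CAS then follows that redirect only when the target matches an enabled entry in the service registry, which is what keeps /cas/logout from being an open redirect. The registry entries and URLs below are constructed, apart from the catch-all https://.* pattern, which is the service definition visible in Sarika's log; the model also shows two ways the guard is defeated, a catch-all pattern and an unanchored one.

```python
"""Model of the post-logout redirect decision on /cas/logout (added example, not CAS code)."""
import re
from urllib.parse import parse_qs, urlparse

# Constructed registry entries in the shape of CAS service definitions.
# CAS matches serviceId with Matcher.find(), an unanchored search, so a
# pattern must carry ^ and $ to mean what it looks like.
REGISTRY_STRICT = [
    {"id": 1, "serviceId": r"^https?://www\.myapp\.mydomain\.com(/.*)?$",
     "enabled": True, "evaluationOrder": 1},
]
# The catch-all pattern from Sarika's log: every https URL is a registered service.
REGISTRY_CATCH_ALL = REGISTRY_STRICT + [
    {"id": 1001, "serviceId": r"https://.*", "enabled": True, "evaluationOrder": 10},
]
# Looks strict, but find() also matches it inside an attacker's URL.
REGISTRY_UNANCHORED = [
    {"id": 2, "serviceId": r"https://www\.myapp\.mydomain\.com",
     "enabled": True, "evaluationOrder": 1},
]

# The two properties from the thread, as cas.properties would carry them.
DEFAULT_PROPS = {
    "cas.logout.followServiceRedirects": "true",
    "cas.logout.redirectParameter": "service",
}


def find_registered_service(url, registry):
    """First enabled service whose pattern matches, lowest evaluationOrder first."""
    for svc in sorted(registry, key=lambda s: s["evaluationOrder"]):
        if svc["enabled"] and re.search(svc["serviceId"], url):
            return svc
    return None


def logout_redirect_target(request_url, props=DEFAULT_PROPS, registry=REGISTRY_STRICT):
    """URL the browser is sent to after logout, or None to stay on the CAS logout page."""
    if props.get("cas.logout.followServiceRedirects", "false").lower() != "true":
        return None
    param = props.get("cas.logout.redirectParameter", "service")
    values = parse_qs(urlparse(request_url).query).get(param)
    if not values or not values[0].strip():
        return None
    target = values[0]
    parsed = urlparse(target)
    if parsed.scheme not in ("http", "https") or not parsed.netloc:
        return None  # reject javascript:, data: and relative junk outright
    if find_registered_service(target, registry) is None:
        return None  # not a registered service: the open-redirect guard
    return target


if __name__ == "__main__":
    logout = "https://cas.mydomain.com/cas/logout?service=http://www.myapp.mydomain.com"
    evil = "https://cas.mydomain.com/cas/logout?service=https://evil.example/phish"
    print(logout_redirect_target(logout))                            # the app URL
    print(logout_redirect_target(evil))                              # None
    print(logout_redirect_target(evil, registry=REGISTRY_CATCH_ALL))  # the phishing URL
```

The catch-all case is the one to watch for: with a service definition of https://.* in the registry, as in Sarika's log, any https URL handed to /cas/logout?service= is a valid redirect target and the guard is gone.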


[cas-user] Re: CAS OKTA integration

2018-08-13 Thread sarika deshmukh
Hello everyone,

I am working on OKTA Logout and facing some issues while implementing it.

I have added signout parameters in OKTA account as below:

Single Logout URL: https://localhost:8443/cas/logout
SP issuer: urn:herb:saml:pac4j.org

and also got Signature Certificate from OKTA and added it.
but still, OKTA account is not properly logged out from the application.


Do we need to add the service registry for Logout so that CAS will be able 
to connect with OKTA for logout?
Is there anything missing from my side?

Thanks,
Sarika D.

On Monday, 2 October 2017 12:49:48 UTC+5:30, Антон Шихмат wrote:
>
> Hello everyone,
>
> I'm trying to integrate CAS SAML 2 delegated auth with OKTA using this 
> tutorial https://apereo.github.io/2017/03/22/cas51-delauthn-tutorial/
> CAS properties file should contain such values: keystore path (that 
> contains OKTA signing certificate), keystore password and private key 
> password.
> OKTA provides signing certificate, so I can create a keystore using it. 
> But OKTA does not provide private key for this certificate (or at least I 
> cannot find it). I cannot left this value empty, because I will receive an 
> exception during CAS startup.
> Can anyone help me, how can I configure OKTA integration without private 
> key or where I can find it?
>
> Thanks
>
