
I am a beginner in using CAS and I'm using it in one of my projects to use its Single Sign On services. Till now I have implemented Single Sign On; I have one Java client and a PHP client. But for using the Single Sign Out functionality I configured my running CAS according to the CAS documentation. I have done all the changes in the deployerConfigContext.xml of my working CAS. My CAS is up and running, but on logging out it doesn't show any SAML logout request. I'm using the official PHP client and a Java client made by me. I think it may be due to these lines, which I'm not able to configure on my client side.

The way the notification is done (back or front channel) is configured at a service level through the logoutType property. This value is set to LogoutType.BACK_CHANNEL by default.

I'm not able to understand from this line where actually I have to set the logoutType to BACK_CHANNEL; if it's my client, then why is it set to BACK_CHANNEL by default, as a client can be made by anyone?

Any help is highly appreciated. Thanks in advance.

Pardyot Shahi

1 Answer


Take a look at the Jasig documentation: http://jasig.github.io/cas/development/installation/Logout-Single-Signout.html

When a CAS session ends, it notifies each of the services that the SSO session is no longer valid, and that relying parties need to invalidate their own session.

This can happen in two ways:

CAS sends an HTTP POST message directly to the service (back channel communication): this is the traditional way of performing notification to the service.

CAS redirects (HTTP 302) to the service with a message and a RelayState parameter (front channel communication): this feature is inspired by SAML SLO, and is needed if the client application is composed of several servers and uses session affinity. The expected behaviour of the CAS client is to invalidate the application web session and redirect back to the CAS server with the RelayState parameter.

And the important part:

Usage Warning!

Front-channel SLO at this point is still experimental.

So your SSO server sends a request to the application directly. The authenticator recognizes that this request is a special one and logs out the referenced user.

Update:

Take a look at the following links: https://wiki.jasig.org/display/casum/single+sign+out

https://github.com/Jasig/cas/blob/6c3df3a5f42d2d8b771ba773aeda3ba5a4c525e3/cas-server-webapp/src/main/webapp/WEB-INF/spring-configuration/applicationContext.xml

https://github.com/Jasig/cas/blob/6c3df3a5f42d2d8b771ba773aeda3ba5a4c525e3/cas-server-core/src/main/java/org/jasig/cas/logout/LogoutManagerImpl.java

Did you accidentally remove or overwrite your logoutManager declaration in your applicationContext? Is there a logoutManager bean in your running Spring context?

I would start by setting break points in the handleLogoutForSloService, performBackChannelLogout and performLogout methods of LogoutManagerImpl.java.

Are they being called?

Can you step through them?

Is performBackChannelLogout called?

Is this.httpClient.sendMessageToEndPoint(msg) in performBackChannelLogout successful? If you are logged on to 2 services, performBackChannelLogout should be called twice, with both service URLs.

Martin Baumgartner
  • As I asked earlier, "I'm not able to understand from this line where actually I have to set the logoutType to BACK_CHANNEL". So I'm not able to fetch the SLO message when I see the access logs of the Tomcat server. – Pardyot Shahi Jul 09 '15 at 13:08
  • Actually, now I'm able to receive the POST of the SLO message (was some certificate issue), but I could not retrieve it using request.getParameter("logoutRequest"); it is showing null. Could you please help me with that? – Pardyot Shahi Jul 10 '15 at 14:04
  • Which authenticator are you using? – Martin Baumgartner Jul 10 '15 at 17:44
  • I'm using CAS (Central Authentication Service). – Pardyot Shahi Jul 11 '15 at 06:35
  • Yeah, but PHP or Java client? Java filter or an authenticator (ValveBase)? – Martin Baumgartner Jul 11 '15 at 10:28
  • I added Java filters from [this](http://stackoverflow.com/questions/17837239/cas-single-sign-out-not-working) link. These were my Java filters: `CAS Single Sign Out Filter` / `org.jasig.cas.client.session.SingleSignOutFilter`, mapped to `/*`, plus `org.jasig.cas.client.session.SingleSignOutHttpSessionListener`. – Pardyot Shahi Jul 13 '15 at 05:39
  • Is the filter being called if you add a breakpoint? Is the filter the first one in your filter list? – Martin Baumgartner Jul 13 '15 at 11:36
  • Yes this is the first filter on the filter list. – Pardyot Shahi Jul 13 '15 at 12:01
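As an added illustration (my own code, not the CAS project's, the answerer's or the asker's) of what the back-channel handler described in the answer has to do on the client side: accept the CAS POST, read its logoutRequest parameter, take the service ticket from the SAML SessionIndex element and invalidate the session that ticket established. The class name and the ticket-to-session map are assumptions; a real Java client would use org.jasig.cas.client.session.SingleSignOutFilter, mentioned in the comments, rather than this.

```java
import java.io.IOException;
import java.io.StringReader;
import java.util.concurrent.ConcurrentHashMap;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.NodeList;
import org.xml.sax.InputSource;

/** Hypothetical back-channel SLO filter (illustration, not the CAS client's SingleSignOutFilter). */
public class BackChannelLogoutFilter implements Filter {
    // Assumed registry: service ticket -> the HttpSession that ticket established.
    // The application puts an entry here right after it validates a ticket with CAS.
    static final ConcurrentHashMap<String, HttpSession> SESSIONS_BY_TICKET = new ConcurrentHashMap<>();

    /** Returns the SessionIndex (service ticket) of a SAML LogoutRequest, or null if absent or malformed. */
    static String sessionIndexOf(String logoutRequest) {
        try {
            DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
            f.setNamespaceAware(true);
            f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
            f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // reject DTDs: no XXE
            f.setExpandEntityReferences(false);
            NodeList nodes = f.newDocumentBuilder().parse(new InputSource(new StringReader(logoutRequest)))
                    .getElementsByTagNameNS("*", "SessionIndex");
            return nodes.getLength() == 0 ? null : nodes.item(0).getTextContent().trim();
        } catch (Exception e) {   // unparsable message: treat as "no ticket", never guess a session to kill
            return null;
        }
    }

    @Override public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        // CAS delivers the notification as a form POST carrying a single logoutRequest parameter.
        String logoutRequest = "POST".equals(http.getMethod()) ? http.getParameter("logoutRequest") : null;
        if (logoutRequest == null) {          // ordinary request: let the application handle it
            chain.doFilter(req, res);
            return;
        }
        String ticket = sessionIndexOf(logoutRequest);
        HttpSession session = ticket == null ? null : SESSIONS_BY_TICKET.remove(ticket);
        if (session != null) {
            try { session.invalidate(); } catch (IllegalStateException alreadyInvalid) { }
        }
        // Do not continue the chain: CAS only needs a 2xx and the notification must not reach the app.
    }
    @Override public void init(FilterConfig config) { }
    @Override public void destroy() { }
}
```

Like the real filter, it must run before any other filter that reads the request body, otherwise getParameter("logoutRequest") returns null.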