Hi Sarika,
I am facing the same issue. The SAML logout request to Okta does not work. 
After debugging I have found out that in pac4j's implementation in 
SAML2LogoutRequestBuilder the UserProfile cannot be retrieved from the 
context, hence no sessionIndex as nameId is added to the request. This 
UserProfile should be created and kept in the session after the user has 
successfully authenticated at the IdP, but it isn't. Looking at the pac4j 
documentation, I assume that there is no CallbackFilter initialized in CAS 
which would store the UserProfile in the session, but I cannot confirm this.

Does anybody know how to make this work?

Thanks,
Filip

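To see concretely what the IdP receives in the case discussed in this thread (a NameID of `@NOT_USED@`, no Issuer, a CAS service ticket as SessionIndex, and a destination of CAS's own /cas/logout), here is an added Python diagnostic, not CAS or pac4j code, that decodes the form body from the DEBUG log quoted below. `IDP_SLO_URL` is an assumed placeholder standing in for the IdP's real SLO endpoint.

```python
"""Inspect the back-channel SAML LogoutRequest that CAS posts (added diagnostic)."""
import xml.etree.ElementTree as ET  # prefer defusedxml for input you do not control
from urllib.parse import parse_qs

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
CAS_NAMEID_PLACEHOLDER = "@NOT_USED@"            # what CAS emits with no subject id
IDP_SLO_URL = "https://idp.example.com/slo/saml"  # placeholder, not a real endpoint

# Form body exactly as CAS logged it in the thread ("Prepared logout message ...").
SAMPLE_BODY = (
    "logoutRequest=%3Csamlp%3ALogoutRequest+xmlns%3Asamlp%3D%22urn%3Aoasis%3Anames"
    "%3Atc%3ASAML%3A2.0%3Aprotocol%22+ID%3D%22LR-1-Zkra8FA-8YIF7kVhWkRWyAWy%22+Version"
    "%3D%222.0%22+IssueInstant%3D%222018-09-04T17%3A29%3A21Z%22%3E%3Csaml%3ANameID+xmlns"
    "%3Asaml%3D%22urn%3Aoasis%3Anames%3Atc%3ASAML%3A2.0%3Aassertion%22%3E%40NOT_USED%40"
    "%3C%2Fsaml%3ANameID%3E%3Csamlp%3ASessionIndex%3EST-1-SDZwYUPRAVYcRYqnvtBi0D-XrIQSCS-S12"
    "%3C%2Fsamlp%3ASessionIndex%3E%3C%2Fsamlp%3ALogoutRequest%3E"
)
SAMPLE_LOGOUT_URL = "https://localhost:8443/cas/logout"  # logoutUrl from the same log

def _text(el):
    return el.text if el is not None else None

def parse_logout_request(form_body):
    """Decode the form body and pull out the fields an IdP needs to honour SLO."""
    xml = parse_qs(form_body, strict_parsing=True)["logoutRequest"][0]
    root = ET.fromstring(xml)
    if root.tag != "{%s}LogoutRequest" % NS["samlp"]:
        raise ValueError("not a samlp:LogoutRequest: " + root.tag)
    return {
        "id": root.get("ID"),
        "issuer": _text(root.find("saml:Issuer", NS)),
        "name_id": _text(root.find("saml:NameID", NS)),
        "session_index": _text(root.find("samlp:SessionIndex", NS)),
    }

def diagnose(req, logout_url, idp_slo_url=IDP_SLO_URL):
    """Return the reasons the IdP would not act on this request (empty = looks sane)."""
    findings = []
    if req["name_id"] in (None, CAS_NAMEID_PLACEHOLDER):
        findings.append("NameID absent or CAS placeholder: IdP cannot identify the subject")
    if req["issuer"] is None:
        findings.append("no saml:Issuer: IdP cannot tell which SP is requesting logout")
    # Heuristic: CAS service tickets start with "ST-"; the IdP expects its own index.
    if (req["session_index"] or "").startswith("ST-"):
        findings.append("SessionIndex is a CAS service ticket, not the IdP's session index")
    if logout_url != idp_slo_url:
        findings.append("posted to %s, not the IdP SLO endpoint" % logout_url)
    return findings
```

Run `diagnose(parse_logout_request(SAMPLE_BODY), SAMPLE_LOGOUT_URL)` to get all four findings for the logged request; feed it the body and target URL captured from your own CAS log to check a corrected setup.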

On Friday, September 14, 2018 at 7:24:44 AM UTC+2, sarika deshmukh wrote:
>
> Hi,
>
> Is there any update on this issue?
>
> Thanks in advance.
>
>
> On Tuesday, 4 September 2018 18:34:10 UTC+5:30, sarika deshmukh wrote:
>>
>> Hi Ganesh,
>>
>> Sorry for the late reply.
>> I have checked logs as well, it seems like CAS is not connecting with 
>> OKTA at the time of logout.
>>
>> log details:
>> 2018-09-04 17:29:21,173 DEBUG 
>> [org.apereo.cas.support.saml.services.SamlIdPSingleLogoutServiceLogoutUrlBuilder] 
>> - <Service [AbstractRegisteredService(serviceId=^https://.*, name=HTTPS, 
>> theme=null, informationUrl=null, privacyUrl=null, responseType=null, 
>> id=10000001, description=This service definition authorizes all application 
>> urls that support HTTPS and IMAPS protocols., 
>> expirationPolicy=DefaultRegisteredServiceExpirationPolicy(deleteWhenExpired=false, 
>> notifyWhenDeleted=false, expirationDate=null), 
>> proxyPolicy=org.apereo.cas.services.RefuseRegisteredServiceProxyPolicy@1, 
>> evaluationOrder=10000, 
>> usernameAttributeProvider=org.apereo.cas.services.DefaultRegisteredServiceUsernameProvider@87297e2, 
>> logoutType=BACK_CHANNEL, requiredHandlers=[], 
>> attributeReleasePolicy=ReturnAllowedAttributeReleasePolicy(super=AbstractRegisteredServiceAttributeReleasePolicy(attributeFilter=null, 
>> principalAttributesRepository=DefaultPrincipalAttributesRepository(), 
>> consentPolicy=DefaultRegisteredServiceConsentPolicy(enabled=true, 
>> excludedAttributes=null, includeOnlyAttributes=null), 
>> authorizedToReleaseCredentialPassword=false, 
>> authorizedToReleaseProxyGrantingTicket=false, 
>> excludeDefaultAttributes=false, 
>> authorizedToReleaseAuthenticationAttributes=true, 
>> principalIdAttribute=null), allowedAttributes=[]), 
>> multifactorPolicy=DefaultRegisteredServiceMultifactorPolicy(multifactorAuthenticationProviders=[], 
>> failureMode=NOT_SET, principalAttributeNameTrigger=null, 
>> principalAttributeValueToMatch=null, bypassEnabled=false), logo=null, 
>> logoutUrl=https://localhost:8443/cas/logout, 
>> accessStrategy=DefaultRegisteredServiceAccessStrategy(order=0, 
>> enabled=true, ssoEnabled=true, unauthorizedRedirectUrl=null, 
>> delegatedAuthenticationPolicy=DefaultRegisteredServiceDelegatedAuthenticationPolicy(allowedProviders=[SAML2Client]), 
>> requireAllAttributes=true, requiredAttributes={}, rejectedAttributes={}, 
>> caseInsensitive=false), publicKey=null, properties={}, contacts=[])] is not 
>> a SAML service, or its logout url could not be determined>
>> 2018-09-04 17:29:21,173 DEBUG 
>> [org.apereo.cas.logout.DefaultSingleLogoutServiceLogoutUrlBuilder] - 
>> <Logout request will be sent to [https://localhost:8443/cas/logout] for 
>> service [AbstractWebApplicationService(id=
>> https://localhost:8443/vcm/j_spring_cas_security_check, originalUrl=
>> https://localhost:8443/vcm/j_spring_cas_security_check, artifactId=null, 
>> principal=us...@company.com, source=service, 
>> loggedOutAlready=false, format=XML, attributes={})]>
>> 2018-09-04 17:29:21,174 DEBUG 
>> [org.apereo.cas.logout.DefaultSingleLogoutServiceMessageHandler] - 
>> <Prepared logout url [[https://localhost:8443/cas/logout]] for service 
>> [AbstractWebApplicationService(id=
>> https://localhost:8443/vcm/j_spring_cas_security_check, originalUrl=
>> https://localhost:8443/vcm/j_spring_cas_security_check, artifactId=null, 
>> principal=us...@company.com, source=service, 
>> loggedOutAlready=false, format=XML, attributes={})]>
>> 2018-09-04 17:29:21,174 DEBUG 
>> [org.apereo.cas.logout.DefaultSingleLogoutServiceMessageHandler] - 
>> <Creating logout request for [AbstractWebApplicationService(id=
>> https://localhost:8443/vcm/j_spring_cas_security_check, originalUrl=
>> https://localhost:8443/vcm/j_spring_cas_security_check, artifactId=null, 
>> principal=us...@company.com, source=service, 
>> loggedOutAlready=false, format=XML, attributes={})] and ticket id 
>> [ST-1-SDZwYUPRAVYcRYqnvtBi0D-XrIQSCS-S12]>
>> 2018-09-04 17:29:21,401 DEBUG 
>> [org.apereo.cas.logout.DefaultSingleLogoutServiceMessageHandler] - <Logout 
>> request 
>> [DefaultLogoutRequest(ticketId=ST-1-SDZwYUPRAVYcRYqnvtBi0D-XrIQSCS-S12, 
>> service=AbstractWebApplicationService(id=
>> https://localhost:8443/vcm/j_spring_cas_security_check, originalUrl=
>> https://localhost:8443/vcm/j_spring_cas_security_check, artifactId=null, 
>> principal=us...@company.com, source=service, 
>> loggedOutAlready=false, format=XML, attributes={}), status=NOT_ATTEMPTED, 
>> logoutUrl=https://localhost:8443/cas/logout)] created for 
>> [AbstractWebApplicationService(id=
>> https://localhost:8443/vcm/j_spring_cas_security_check, originalUrl=
>> https://localhost:8443/vcm/j_spring_cas_security_check, artifactId=null, 
>> principal=us...@company.com, source=service, 
>> loggedOutAlready=false, format=XML, attributes={})] and ticket id 
>> [ST-1-SDZwYUPRAVYcRYqnvtBi0D-XrIQSCS-S12]>
>> 2018-09-04 17:29:21,401 DEBUG 
>> [org.apereo.cas.logout.DefaultSingleLogoutServiceMessageHandler] - <Logout 
>> type registered for [AbstractWebApplicationService(id=
>> https://localhost:8443/vcm/j_spring_cas_security_check, originalUrl=
>> https://localhost:8443/vcm/j_spring_cas_security_check, artifactId=null, 
>> principal=us...@company.com, source=service, 
>> loggedOutAlready=false, format=XML, attributes={})] is [BACK_CHANNEL]>
>> 2018-09-04 17:29:21,402 DEBUG 
>> [org.apereo.cas.logout.DefaultSingleLogoutServiceMessageHandler] - 
>> <Creating back-channel logout request based on 
>> [DefaultLogoutRequest(ticketId=ST-1-SDZwYUPRAVYcRYqnvtBi0D-XrIQSCS-S12, 
>> service=AbstractWebApplicationService(id=
>> https://localhost:8443/vcm/j_spring_cas_security_check, originalUrl=
>> https://localhost:8443/vcm/j_spring_cas_security_check, artifactId=null, 
>> principal=us...@company.com, source=service, 
>> loggedOutAlready=false, format=XML, attributes={}), status=NOT_ATTEMPTED, 
>> logoutUrl=https://localhost:8443/cas/logout)]>
>> 2018-09-04 17:29:21,478 DEBUG 
>> [org.apereo.cas.logout.SamlCompliantLogoutMessageCreator] - <Generated 
>> logout message: [<samlp:LogoutRequest 
>> xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" 
>> ID="LR-1-Zkra8FA-8YIF7kVhWkRWyAWy" Version="2.0" 
>> IssueInstant="2018-09-04T17:29:21Z"><saml:NameID 
>> xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">@NOT_USED@</saml:NameID><samlp:SessionIndex>ST-1-SDZwYUPRAVYcRYqnvtBi0D-XrIQSCS-S12</samlp:SessionIndex></samlp:LogoutRequest>]>
>> 2018-09-04 17:29:21,478 DEBUG 
>> [org.apereo.cas.logout.DefaultSingleLogoutServiceMessageHandler] - 
>> <Preparing logout request for [
>> https://localhost:8443/vcm/j_spring_cas_security_check] to [
>> https://localhost:8443/cas/logout]>
>> 2018-09-04 17:29:21,485 DEBUG 
>> [org.apereo.cas.logout.DefaultSingleLogoutServiceMessageHandler] - 
>> <Prepared logout message to send is [HttpMessage(url=
>> https://localhost:8443/cas/logout, 
>> message=logoutRequest=%3Csamlp%3ALogoutRequest+xmlns%3Asamlp%3D%22urn%3Aoasis%3Anames%3Atc%3ASAML%3A2.0%3Aprotocol%22+ID%3D%22LR-1-Zkra8FA-8YIF7kVhWkRWyAWy%22+Version%3D%222.0%22+IssueInstant%3D%222018-09-04T17%3A29%3A21Z%22%3E%3Csaml%3ANameID+xmlns%3Asaml%3D%22urn%3Aoasis%3Anames%3Atc%3ASAML%3A2.0%3Aassertion%22%3E%40NOT_USED%40%3C%2Fsaml%3ANameID%3E%3Csamlp%3ASessionIndex%3EST-1-SDZwYUPRAVYcRYqnvtBi0D-XrIQSCS-S12%3C%2Fsamlp%3ASessionIndex%3E%3C%2Fsamlp%3ALogoutRequest%3E, 
>> responseCode=0, asynchronous=true, 
>> contentType=application/x-www-form-urlencoded)]. Sending...>
>> 2018-09-04 17:29:21,532 DEBUG [org.apereo.cas.util.http.SimpleHttpClient] 
>> - <Created HTTP post message payload [POST 
>> https://localhost:8443/cas/logout HTTP/1.1]>
>> 2018-09-04 17:29:21,558 INFO [org.apereo.cas.logout.DefaultLogoutManager] 
>> - <[1] logout requests were processed>
>>
>>
>> I have gone through the CAS codebase, as per my understanding, CAS is not 
>> getting some SAML metadata for a given SP for logout.
>> I have added "SamlRegisteredService" service registry for the same but no 
>> luck.
>>
>> service registry:
>>
>> {
>>   "@class" : "org.apereo.cas.support.saml.services.SamlRegisteredService",
>>   "serviceId" : "urn:herb:saml:pac4j.org",
>>   "name" : "SAMLService",
>>   "id" : 10000003,
>>   "evaluationOrder" : 10,
>>   "metadataLocation" : "https://myoktaClient.com/app/exkfsyqtvxlhZ2i9f0h7/sso/saml/metadata"
>> }
>>
>> Also, I have added logoutType and logoutUrl in 
>> HTTPSandIMAPS-10000001.json registry file as below,
>>
>>   "logoutType" : "BACK_CHANNEL",
>>   "logoutUrl" : "https://localhost:8443/cas/logout",
>>
>> Is there anything missing?
>>
>> Thanks,
>> Sarika D.
>>
>>
>> On Monday, 2 October 2017 12:49:48 UTC+5:30, Антон Шихмат wrote:
>>>
>>> Hello everyone,
>>>
>>> I'm trying to integrate CAS SAML 2 delegated auth with OKTA using this 
>>> tutorial https://apereo.github.io/2017/03/22/cas51-delauthn-tutorial/
>>> The CAS properties file should contain these values: keystore path (that 
>>> contains the OKTA signing certificate), keystore password and private key 
>>> password.
>>> OKTA provides a signing certificate, so I can create a keystore using it. 
>>> But OKTA does not provide a private key for this certificate (or at least I 
>>> cannot find it). I cannot leave this value empty, because I will receive an 
>>> exception during CAS startup.
>>> Can anyone help me: how can I configure the OKTA integration without a private 
>>> key, or where can I find it?
>>>
>>> Thanks
>>>
>>

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/8991dc0a-fdb9-4ec4-8056-49beff69d714%40apereo.org.
