Re: [cas-user] CAS 5.2 single sign out does not work for SAML 1.1 phpCAS clients

2018-04-25 Thread Viacheslav Babanin 
I have checked apache access.log on web server where client is placed and 
there is no POST requests on logout. 0 messages or requests completely. 
Thats while logging out with my cas 5.2.3
I have checked same log when i issue logout from cas 4.1.9 where SLO works 
on same client, and I can see POST request in access.log correctly.

вторник, 24 апреля 2018 г., 18:42:19 UTC+2 пользователь rbon написал:
>
> Check your Apache access.log to see if the request is getting through.
> I see this when CAS sends logout request:
>
> 2018-04-24T09:32:57.816-07:00 lo...@z.comp.uvic.ca  
> local2.notice httpd[2310]: access: coursespaces2d.uvic.ca: 
> 111.104.118.193 - - [24/Apr/2018:09:32:57 -0700] "POST /login/logout.php 
> HTTP/1.1" 200 26 "-" "Apache-HttpClient/4.5.3 (Java/1.8.0_121)" "__utma=-; 
> __utmb=-; __utmc=-; __utmk=-; __utmx=-; __utmz=-;"
>
> Ray
>
>
> On Tue, 2018-04-24 at 03:27 -0700, Viacheslav Babanin wrote:
>
> It seems like I have a problem witch CAS 5.2.3 and SAML logout requests. 
> Single logout doesn't work and from the logs it seems like CAS constructs 
> SAML logout request but not actually sends it. I am using examplary phpCAS 
> client from docs and when i go to ${cas-server}/cas/logout endpoint in 
> there is nothing in phpCAS logs. If I use THE SAME client. only changing 
> cas endpoint and protocol, with cas 4.1.9 (not configured by me but i have 
> administrator access to it) everything works great and phpCAS actually gets 
> logout request and correctly processes it. What should i look into? Please 
> help.
>
> понедельник, 23 апреля 2018 г., 18:35:17 UTC+2 пользователь rbon написал: 
>
> Viacheslav,
>
> You will want to have handleLogoutRequests(true) so that logout is 
> handled. While testing, skip the CAS server array, just in case the network 
> config changes the apparent source of the request.
>
> Put this in your CAS log4j2.xml to see what happens on CAS side of things:
>
> 
> 
> 
>  level="debug">
> 
>  onMismatch="NEUTRAL" />
>  onMismatch="DENY" />
> 
> 
> 
>  name="org.apereo.cas.logout.DefaultSingleLogoutServiceLogoutUrlBuilder" 
> level="debug" />
> 
>  name="org.apereo.cas.logout.DefaultSingleLogoutServiceMessageHandler" 
> level="debug" />
> 
>  name="org.apereo.cas.logout.SamlCompliantLogoutMessageCreator" 
> level="debug" />
>
> Ray
>
> On Mon, 2018-04-23 at 07:41 -0700, Viacheslav Babanin wrote:
>
> That's how phpCAS.log looks if i provide it with 
> phpCAS::handleLogoutRequests(false); 
>
> DA64 .=> phpCAS::client('S1', 'cas-1.server.test.pl', 443, '/cas') 
> [index.php:13]
> DA64 .|=> CAS_Client::__construct('S1', false, 'cas-1.server.test.pl', 
> 443, '/cas', true) [CAS.php:360]
> DA64 .||Starting a new session 
> ST-27-xTftALKF-XM9TG94QFnab2R5994-v-cas-1 [Client.php:932]
> DA64 .||Session is authenticated as: babanin [Client.php:936]
> DA64 .|<= ''
> DA64 .<= ''
> DA64 .=> phpCAS::setNoCasServerValidation() [index.php:20]
> DA64 .|You have configured no validation of the legitimacy of the cas 
> server. This is not recommended for production use. [CAS.php:1644]
> DA64 .<= ''
> DA64 .=> CAS_Client::handleLogoutRequests(false, false) [CAS.php:1276]
> DA64 .|Not a logout request [Client.php:1739]
> DA64 .<= ''
> DA64 .=> phpCAS::forceAuthentication() [index.php:27]
> DA64 .|=> CAS_Client::forceAuthentication() [CAS.php:1098]
> DA64 .||=> CAS_Client::isAuthenticated() [Client.php:1280]
> DA64 .|||=> CAS_Client::_wasPreviouslyAuthenticated() 
> [Client.php:1393]
> DA64 .||||user = `babanin' [Client.php:1622]
> DA64 .|||<= true
> DA64 .|||user was already authenticated, no need to look for 
> tickets [Client.php:1417]
> DA64 .||<= true
> DA64 .||no need to authenticate [Client.php:1282]
> DA64 .|<= true
> DA64 .<= ''
>
>
> понедельник, 23 апреля 2018 г., 16:33:09 UTC+2 пользователь Viacheslav 
> Babanin написал: 
>
> Could you elaborate, please? 
>
> Quoting official documentation at 
> https://wiki.jasig.org/display/casc/phpcas+examples
>
> "By default phpCAS by default only handles requests that emanate from the 
> CAS host exclusively (declared in phpCAS::client() or phpCAS::proxy()). 
> Failure to restrict SAML logout requests to authorized hosts could allow 
> denial of service attacks where at the least the server is tied up parsing 
> bogus XML messages.
>
> To disable access control on logout requests, use: 
>
> phpCAS::handleLogoutRequests(false);
>
> The hosts allowed to send logout requests can also be passed in an array 
> which might be usefull in with clustered cas servers:
>
> phpCAS::handleLogoutRequests(true, array("server1.domain.edu", 
> "server2.domain.edu"));
>
>
> "
>
> As i understand, it should be enough either to use 
> phpCAS::handleLogoutRequests(false); 
> (which I tried and it seems like

Re: [cas-user] CAS 5.2 single sign out does not work for SAML 1.1 phpCAS clients

2018-04-25 Thread Viacheslav Babanin 
This shouldn't matter since cas 4.1.9 sends same request and SAME client, 
placed in same directory on the same server handles it correctly.
>From phpCAS.log

SAML REQUEST: @NOT_USED@ST-149-YAFlxnMQjDojiStFG4eN-cas.uek.krakow.pl
 
[Client.php:1752]


вторник, 24 апреля 2018 г., 19:09:17 UTC+2 пользователь Manfredo Hopp 
написал:
>
> from your log 
>
> 2018-04-24 08:59:48,360 DEBUG 
> [org.apereo.cas.logout.SamlCompliantLogoutMessageCreator] -  message: [ xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" 
> ID="LR-3-ERN1ZJGXY-JGjGfB---2avgK" Version="2.0" 
> IssueInstant="2018-04-24T08:59:48Z"> xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">@NOT_USED@ST-3-PppjmWz1yAHPFrZwFNMCRW5wsvI-v-cas-1]>
>
>
> its SAML2 whereas your client is SAML1
>
> 2018-04-24 7:27 GMT-03:00 Viacheslav Babanin  >:
>
>> It seems like I have a problem witch CAS 5.2.3 and SAML logout requests. 
>> Single logout doesn't work and from the logs it seems like CAS constructs 
>> SAML logout request but not actually sends it. I am using examplary phpCAS 
>> client from docs and when i go to ${cas-server}/cas/logout endpoint in 
>> there is nothing in phpCAS logs. If I use THE SAME client. only changing 
>> cas endpoint and protocol, with cas 4.1.9 (not configured by me but i have 
>> administrator access to it) everything works great and phpCAS actually gets 
>> logout request and correctly processes it. What should i look into? Please 
>> help.
>>
>> понедельник, 23 апреля 2018 г., 18:35:17 UTC+2 пользователь rbon написал:
>>>
>>> Viacheslav,
>>>
>>> You will want to have handleLogoutRequests(true) so that logout is 
>>> handled. While testing, skip the CAS server array, just in case the network 
>>> config changes the apparent source of the request.
>>>
>>> Put this in your CAS log4j2.xml to see what happens on CAS side of 
>>> things:
>>>
>>> 
>>> 
>>> 
>>> >> level="debug">
>>> 
>>> >> onMismatch="NEUTRAL" />
>>> >> onMismatch="DENY" />
>>> 
>>> 
>>> 
>>> >> name="org.apereo.cas.logout.DefaultSingleLogoutServiceLogoutUrlBuilder" 
>>> level="debug" />
>>> 
>>> >> name="org.apereo.cas.logout.DefaultSingleLogoutServiceMessageHandler" 
>>> level="debug" />
>>> 
>>> >> name="org.apereo.cas.logout.SamlCompliantLogoutMessageCreator" 
>>> level="debug" />
>>>
>>> Ray
>>>
>>> On Mon, 2018-04-23 at 07:41 -0700, Viacheslav Babanin wrote:
>>>
>>> That's how phpCAS.log looks if i provide it with 
>>> phpCAS::handleLogoutRequests(false); 
>>>
>>> DA64 .=> phpCAS::client('S1', 'cas-1.server.test.pl', 443, '/cas') 
>>> [index.php:13]
>>> DA64 .|=> CAS_Client::__construct('S1', false, 'cas-1.server.test.pl', 
>>> 443, '/cas', true) [CAS.php:360]
>>> DA64 .||Starting a new session 
>>> ST-27-xTftALKF-XM9TG94QFnab2R5994-v-cas-1 [Client.php:932]
>>> DA64 .||Session is authenticated as: babanin [Client.php:936]
>>> DA64 .|<= ''
>>> DA64 .<= ''
>>> DA64 .=> phpCAS::setNoCasServerValidation() [index.php:20]
>>> DA64 .|You have configured no validation of the legitimacy of the 
>>> cas server. This is not recommended for production use. [CAS.php:1644]
>>> DA64 .<= ''
>>> DA64 .=> CAS_Client::handleLogoutRequests(false, false) [CAS.php:1276]
>>> DA64 .|Not a logout request [Client.php:1739]
>>> DA64 .<= ''
>>> DA64 .=> phpCAS::forceAuthentication() [index.php:27]
>>> DA64 .|=> CAS_Client::forceAuthentication() [CAS.php:1098]
>>> DA64 .||=> CAS_Client::isAuthenticated() [Client.php:1280]
>>> DA64 .|||=> CAS_Client::_wasPreviouslyAuthenticated() 
>>> [Client.php:1393]
>>> DA64 .||||user = `babanin' [Client.php:1622]
>>> DA64 .|||<= true
>>> DA64 .|||user was already authenticated, no need to look for 
>>> tickets [Client.php:1417]
>>> DA64 .||<= true
>>> DA64 .||no need to authenticate [Client.php:1282]
>>> DA64 .|<= true
>>> DA64 .<= ''
>>>
>>>
>>> понедельник, 23 апреля 2018 г., 16:33:09 UTC+2 пользователь Viacheslav 
>>> Babanin написал: 
>>>
>>> Could you elaborate, please? 
>>>
>>> Quoting official documentation at 
>>> https://wiki.jasig.org/display/casc/phpcas+examples
>>>
>>> "By default phpCAS by default only handles requests that emanate from 
>>> the CAS host exclusively (declared in phpCAS::client() or phpCAS::proxy()). 
>>> Failure to restrict SAML logout requests to authorized hosts could allow 
>>> denial of service attacks where at the least the server is tied up parsing 
>>> bogus XML messages.
>>>
>>> To disable access control on logout requests, use: 
>>>
>>> phpCAS::handleLogoutRequests(false);
>>>
>>> The hosts allowed to send logout requests can also be passed in an array 
>>> which might be usefull in with clustered cas servers:
>>>
>>> phpCAS::handleLogoutRequests(true, array("server1.domain.edu", 
>>> "server2.domain.edu"));
>>>
>>>
>>> "
>>>
>>> As i

Re: [cas-user] CAS 5.2 single sign out does not work for SAML 1.1 phpCAS clients

2018-04-25 Thread Viacheslav Babanin 

 Yes, and it releases attributes via saml with no issues. Only SLO doesn't 
work.


вторник, 24 апреля 2018 г., 15:16:32 UTC+2 пользователь Manfredo Hopp 
написал:
>
> Do you have saml support dependency
>
> El martes, 24 de abril de 2018, Viacheslav Babanin  > escribió:
>
>> It seems like I have a problem witch CAS 5.2.3 and SAML logout requests. 
>> Single logout doesn't work and from the logs it seems like CAS constructs 
>> SAML logout request but not actually sends it. I am using examplary phpCAS 
>> client from docs and when i go to ${cas-server}/cas/logout endpoint in 
>> there is nothing in phpCAS logs. If I use THE SAME client. only changing 
>> cas endpoint and protocol, with cas 4.1.9 (not configured by me but i have 
>> administrator access to it) everything works great and phpCAS actually gets 
>> logout request and correctly processes it. What should i look into? Please 
>> help.
>>
>> понедельник, 23 апреля 2018 г., 18:35:17 UTC+2 пользователь rbon написал:
>>>
>>> Viacheslav,
>>>
>>> You will want to have handleLogoutRequests(true) so that logout is 
>>> handled. While testing, skip the CAS server array, just in case the network 
>>> config changes the apparent source of the request.
>>>
>>> Put this in your CAS log4j2.xml to see what happens on CAS side of 
>>> things:
>>>
>>> 
>>> 
>>> 
>>> >> level="debug">
>>> 
>>> >> onMismatch="NEUTRAL" />
>>> >> onMismatch="DENY" />
>>> 
>>> 
>>> 
>>> >> name="org.apereo.cas.logout.DefaultSingleLogoutServiceLogoutUrlBuilder" 
>>> level="debug" />
>>> 
>>> >> name="org.apereo.cas.logout.DefaultSingleLogoutServiceMessageHandler" 
>>> level="debug" />
>>> 
>>> >> name="org.apereo.cas.logout.SamlCompliantLogoutMessageCreator" 
>>> level="debug" />
>>>
>>> Ray
>>>
>>> On Mon, 2018-04-23 at 07:41 -0700, Viacheslav Babanin wrote:
>>>
>>> That's how phpCAS.log looks if i provide it with 
>>> phpCAS::handleLogoutRequests(false); 
>>>
>>> DA64 .=> phpCAS::client('S1', 'cas-1.server.test.pl', 443, '/cas') 
>>> [index.php:13]
>>> DA64 .|=> CAS_Client::__construct('S1', false, 'cas-1.server.test.pl', 
>>> 443, '/cas', true) [CAS.php:360]
>>> DA64 .||Starting a new session 
>>> ST-27-xTftALKF-XM9TG94QFnab2R5994-v-cas-1 [Client.php:932]
>>> DA64 .||Session is authenticated as: babanin [Client.php:936]
>>> DA64 .|<= ''
>>> DA64 .<= ''
>>> DA64 .=> phpCAS::setNoCasServerValidation() [index.php:20]
>>> DA64 .|You have configured no validation of the legitimacy of the 
>>> cas server. This is not recommended for production use. [CAS.php:1644]
>>> DA64 .<= ''
>>> DA64 .=> CAS_Client::handleLogoutRequests(false, false) [CAS.php:1276]
>>> DA64 .|Not a logout request [Client.php:1739]
>>> DA64 .<= ''
>>> DA64 .=> phpCAS::forceAuthentication() [index.php:27]
>>> DA64 .|=> CAS_Client::forceAuthentication() [CAS.php:1098]
>>> DA64 .||=> CAS_Client::isAuthenticated() [Client.php:1280]
>>> DA64 .|||=> CAS_Client::_wasPreviouslyAuthenticated() 
>>> [Client.php:1393]
>>> DA64 .||||user = `babanin' [Client.php:1622]
>>> DA64 .|||<= true
>>> DA64 .|||user was already authenticated, no need to look for 
>>> tickets [Client.php:1417]
>>> DA64 .||<= true
>>> DA64 .||no need to authenticate [Client.php:1282]
>>> DA64 .|<= true
>>> DA64 .<= ''
>>>
>>>
>>> понедельник, 23 апреля 2018 г., 16:33:09 UTC+2 пользователь Viacheslav 
>>> Babanin написал: 
>>>
>>> Could you elaborate, please? 
>>>
>>> Quoting official documentation at 
>>> https://wiki.jasig.org/display/casc/phpcas+examples
>>>
>>> "By default phpCAS by default only handles requests that emanate from 
>>> the CAS host exclusively (declared in phpCAS::client() or phpCAS::proxy()). 
>>> Failure to restrict SAML logout requests to authorized hosts could allow 
>>> denial of service attacks where at the least the server is tied up parsing 
>>> bogus XML messages.
>>>
>>> To disable access control on logout requests, use: 
>>>
>>> phpCAS::handleLogoutRequests(false);
>>>
>>> The hosts allowed to send logout requests can also be passed in an array 
>>> which might be usefull in with clustered cas servers:
>>>
>>> phpCAS::handleLogoutRequests(true, array("server1.domain.edu", 
>>> "server2.domain.edu"));
>>>
>>>
>>> "
>>>
>>> As i understand, it should be enough either to use 
>>> phpCAS::handleLogoutRequests(false); 
>>> (which I tried and it seems like it has no impact) or to specify cas 
>>> server which is allowed to send logout requests in an array (which I did in 
>>> example above).
>>>
>>>
>>>
>>>
>>> понедельник, 23 апреля 2018 г., 16:25:18 UTC+2 пользователь Manfredo 
>>> Hopp написал: 
>>>
>>> Logout requests are handled by clients. 
>>>
>>> .=> CAS_Client::handleLogoutRequests(true, array (  0 => '
>>> cas-1.server.test.pl',)) [CAS.php:1276]

Re: [cas-user] CAS 5.2 single sign out does not work for SAML 1.1 phpCAS clients

2018-04-24 Thread Man H 
from your log

2018-04-24 08:59:48,360 DEBUG
[org.apereo.cas.logout.SamlCompliantLogoutMessageCreator] - @NOT_USED@ST-3-PppjmWz1yAHPFrZwFNMCRW5wsvI-v-cas-1]>


its SAML2 whereas your client is SAML1

2018-04-24 7:27 GMT-03:00 Viacheslav Babanin :

> It seems like I have a problem witch CAS 5.2.3 and SAML logout requests.
> Single logout doesn't work and from the logs it seems like CAS constructs
> SAML logout request but not actually sends it. I am using examplary phpCAS
> client from docs and when i go to ${cas-server}/cas/logout endpoint in
> there is nothing in phpCAS logs. If I use THE SAME client. only changing
> cas endpoint and protocol, with cas 4.1.9 (not configured by me but i have
> administrator access to it) everything works great and phpCAS actually gets
> logout request and correctly processes it. What should i look into? Please
> help.
>
> понедельник, 23 апреля 2018 г., 18:35:17 UTC+2 пользователь rbon написал:
>>
>> Viacheslav,
>>
>> You will want to have handleLogoutRequests(true) so that logout is
>> handled. While testing, skip the CAS server array, just in case the network
>> config changes the apparent source of the request.
>>
>> Put this in your CAS log4j2.xml to see what happens on CAS side of things:
>>
>> 
>> 
>> 
>> > level="debug">
>> 
>> > onMismatch="NEUTRAL" />
>> > onMismatch="DENY" />
>> 
>> 
>> 
>> 
>> 
>> 
>> 
>> 
>>
>> Ray
>>
>> On Mon, 2018-04-23 at 07:41 -0700, Viacheslav Babanin wrote:
>>
>> That's how phpCAS.log looks if i provide it with
>> phpCAS::handleLogoutRequests(false);
>>
>> DA64 .=> phpCAS::client('S1', 'cas-1.server.test.pl', 443, '/cas')
>> [index.php:13]
>> DA64 .|=> CAS_Client::__construct('S1', false, 'cas-1.server.test.pl',
>> 443, '/cas', true) [CAS.php:360]
>> DA64 .||Starting a new session 
>> ST-27-xTftALKF-XM9TG94QFnab2R5994-v-cas-1
>> [Client.php:932]
>> DA64 .||Session is authenticated as: babanin [Client.php:936]
>> DA64 .|<= ''
>> DA64 .<= ''
>> DA64 .=> phpCAS::setNoCasServerValidation() [index.php:20]
>> DA64 .|You have configured no validation of the legitimacy of the cas
>> server. This is not recommended for production use. [CAS.php:1644]
>> DA64 .<= ''
>> DA64 .=> CAS_Client::handleLogoutRequests(false, false) [CAS.php:1276]
>> DA64 .|Not a logout request [Client.php:1739]
>> DA64 .<= ''
>> DA64 .=> phpCAS::forceAuthentication() [index.php:27]
>> DA64 .|=> CAS_Client::forceAuthentication() [CAS.php:1098]
>> DA64 .||=> CAS_Client::isAuthenticated() [Client.php:1280]
>> DA64 .|||=> CAS_Client::_wasPreviouslyAuthenticated()
>> [Client.php:1393]
>> DA64 .||||user = `babanin' [Client.php:1622]
>> DA64 .|||<= true
>> DA64 .|||user was already authenticated, no need to look for
>> tickets [Client.php:1417]
>> DA64 .||<= true
>> DA64 .||no need to authenticate [Client.php:1282]
>> DA64 .|<= true
>> DA64 .<= ''
>>
>>
>> понедельник, 23 апреля 2018 г., 16:33:09 UTC+2 пользователь Viacheslav
>> Babanin написал:
>>
>> Could you elaborate, please?
>>
>> Quoting official documentation at https://wiki.jasig.org/disp
>> lay/casc/phpcas+examples
>>
>> "By default phpCAS by default only handles requests that emanate from the
>> CAS host exclusively (declared in phpCAS::client() or phpCAS::proxy()).
>> Failure to restrict SAML logout requests to authorized hosts could allow
>> denial of service attacks where at the least the server is tied up parsing
>> bogus XML messages.
>>
>> To disable access control on logout requests, use:
>>
>> phpCAS::handleLogoutRequests(false);
>>
>> The hosts allowed to send logout requests can also be passed in an array
>> which might be usefull in with clustered cas servers:
>>
>> phpCAS::handleLogoutRequests(true, array("server1.domain.edu", 
>> "server2.domain.edu"));
>>
>>
>> "
>>
>> As i understand, it should be enough either to use
>> phpCAS::handleLogoutRequests(false); (which I tried and it seems like it
>> has no impact) or to specify cas server which is allowed to send logout
>> requests in an array (which I did in example above).
>>
>>
>>
>>
>> понедельник, 23 апреля 2018 г., 16:25:18 UTC+2 пользователь Manfredo Hopp
>> написал:
>>
>> Logout requests are handled by clients.
>>
>> .=> CAS_Client::handleLogoutRequests(true, array (  0 => '
>> cas-1.server.test.pl',)) [CAS.php:1276]
>> D0EE .|Not a logout request [Client.php:1739]
>>
>> See phpcas
>>
>> El lunes, 23 de abril de 2018, Viacheslav Babanin 
>> escribió:
>>
>> Hello, I have encountered issue with SSO for SAML 1.1 clients with CAS
>> 5.2
>>
>> I am rather new cas user and probably i am missing something obvious.
>>
>> I am using folowing phpCAS client:
>>
>> > require_once 'phpcas/source/CAS.php';
>> // Enable debugging
>>

Re: [cas-user] CAS 5.2 single sign out does not work for SAML 1.1 phpCAS clients

2018-04-24 Thread Ray Bon 
Check your Apache access.log to see if the request is getting through.
I see this when CAS sends logout request:

2018-04-24T09:32:57.816-07:00 
lo...@z.comp.uvic.ca local2.notice 
httpd[2310]: access: coursespaces2d.uvic.ca: 111.104.118.193 - - 
[24/Apr/2018:09:32:57 -0700] "POST /login/logout.php HTTP/1.1" 200 26 "-" 
"Apache-HttpClient/4.5.3 (Java/1.8.0_121)" "__utma=-; __utmb=-; __utmc=-; 
__utmk=-; __utmx=-; __utmz=-;"

Ray


On Tue, 2018-04-24 at 03:27 -0700, Viacheslav Babanin wrote:
It seems like I have a problem witch CAS 5.2.3 and SAML logout requests. Single 
logout doesn't work and from the logs it seems like CAS constructs SAML logout 
request but not actually sends it. I am using examplary phpCAS client from docs 
and when i go to ${cas-server}/cas/logout endpoint in there is nothing in 
phpCAS logs. If I use THE SAME client. only changing cas endpoint and protocol, 
with cas 4.1.9 (not configured by me but i have administrator access to it) 
everything works great and phpCAS actually gets logout request and correctly 
processes it. What should i look into? Please help.

понедельник, 23 апреля 2018 г., 18:35:17 UTC+2 пользователь rbon написал:
Viacheslav,

You will want to have handleLogoutRequests(true) so that logout is handled. 
While testing, skip the CAS server array, just in case the network config 
changes the apparent source of the request.

Put this in your CAS log4j2.xml to see what happens on CAS side of things:

















Ray

On Mon, 2018-04-23 at 07:41 -0700, Viacheslav Babanin wrote:
That's how phpCAS.log looks if i provide it with 
phpCAS::handleLogoutRequests(false);

DA64 .=> phpCAS::client('S1', 
'cas-1.server.test.pl', 443, '/cas') [index.php:13]
DA64 .|=> CAS_Client::__construct('S1', false, 
'cas-1.server.test.pl', 443, '/cas', true) 
[CAS.php:360]
DA64 .||Starting a new session 
ST-27-xTftALKF-XM9TG94QFnab2R5994-v-cas-1 [Client.php:932]
DA64 .||Session is authenticated as: babanin [Client.php:936]
DA64 .|<= ''
DA64 .<= ''
DA64 .=> phpCAS::setNoCasServerValidation() [index.php:20]
DA64 .|You have configured no validation of the legitimacy of the cas 
server. This is not recommended for production use. [CAS.php:1644]
DA64 .<= ''
DA64 .=> CAS_Client::handleLogoutRequests(false, false) [CAS.php:1276]
DA64 .|Not a logout request [Client.php:1739]
DA64 .<= ''
DA64 .=> phpCAS::forceAuthentication() [index.php:27]
DA64 .|=> CAS_Client::forceAuthentication() [CAS.php:1098]
DA64 .||=> CAS_Client::isAuthenticated() [Client.php:1280]
DA64 .|||=> CAS_Client::_wasPreviouslyAuthenticated() 
[Client.php:1393]
DA64 .||||user = `babanin' [Client.php:1622]
DA64 .|||<= true
DA64 .|||user was already authenticated, no need to look for 
tickets [Client.php:1417]
DA64 .||<= true
DA64 .||no need to authenticate [Client.php:1282]
DA64 .|<= true
DA64 .<= ''


понедельник, 23 апреля 2018 г., 16:33:09 UTC+2 пользователь Viacheslav Babanin 
написал:
Could you elaborate, please?

Quoting official documentation at 
https://wiki.jasig.org/display/casc/phpcas+examples


"By default phpCAS by default only handles requests that emanate from the CAS 
host exclusively (declared in phpCAS::client() or phpCAS::proxy()). Failure to 
restrict SAML logout requests to authorized hosts could allow denial of service 
attacks where at the least the server is tied up parsing bogus XML messages.

To disable access control on logout requests, use:

phpCAS::handleLogoutRequests(false);


The hosts allowed to send logout requests can also be passed in an array which 
might be usefull in with clustered cas servers:

phpCAS::handleLogoutRequests(true, 
array("server1.domain.edu", 
"server2.domain.edu"));

"

As i understand, it should be enough either to use 
phpCAS::handleLogoutRequests(false); (which I tried and it seems like it has no 
impact) or to specify cas server which is allowed to send logout requests in an 
array (which I did in example above).




понедельник, 23 апреля 2018 г., 16:25:18 UTC+2 пользователь Manfredo Hopp 
написал:
Logout requests are handled by clients.

.=> CAS_Client::handleLogoutRequests(true, array (  0 => 
'cas-1.server.test.pl',)) [CAS.php:1276]
D0EE .|Not a logout request [Client.php:1739]

See phpcas

El lunes, 23 de abril de 2018, Viacheslav Babanin  
escribió:
Hello, I have encountered issue with SSO for SAML 1.1 clients with CAS 5.2

I am rather new cas user and probably i am missing something obvious.

I am using folowing phpCAS client:

http://cas-1.uek.krakow.pl>';
// Context of the CAS Server
$cas_context = '/cas';
//

Re: [cas-user] CAS 5.2 single sign out does not work for SAML 1.1 phpCAS clients

2018-04-24 Thread Man H 
See


https://github.com/apereo/cas/tree/5.2.x/core/cas-server-core-logout/src/main/java/org/apereo/cas/logout



El martes, 24 de abril de 2018, Viacheslav Babanin 
escribió:

> It seems like I have a problem witch CAS 5.2.3 and SAML logout requests.
> Single logout doesn't work and from the logs it seems like CAS constructs
> SAML logout request but not actually sends it. I am using examplary phpCAS
> client from docs and when i go to ${cas-server}/cas/logout endpoint in
> there is nothing in phpCAS logs. If I use THE SAME client. only changing
> cas endpoint and protocol, with cas 4.1.9 (not configured by me but i have
> administrator access to it) everything works great and phpCAS actually gets
> logout request and correctly processes it. What should i look into? Please
> help.
>
> понедельник, 23 апреля 2018 г., 18:35:17 UTC+2 пользователь rbon написал:
>>
>> Viacheslav,
>>
>> You will want to have handleLogoutRequests(true) so that logout is
>> handled. While testing, skip the CAS server array, just in case the network
>> config changes the apparent source of the request.
>>
>> Put this in your CAS log4j2.xml to see what happens on CAS side of things:
>>
>> 
>> 
>> 
>> > level="debug">
>> 
>> > onMismatch="NEUTRAL" />
>> > onMismatch="DENY" />
>> 
>> 
>> 
>> 
>> 
>> 
>> 
>> 
>>
>> Ray
>>
>> On Mon, 2018-04-23 at 07:41 -0700, Viacheslav Babanin wrote:
>>
>> That's how phpCAS.log looks if i provide it with
>> phpCAS::handleLogoutRequests(false);
>>
>> DA64 .=> phpCAS::client('S1', 'cas-1.server.test.pl', 443, '/cas')
>> [index.php:13]
>> DA64 .|=> CAS_Client::__construct('S1', false, 'cas-1.server.test.pl',
>> 443, '/cas', true) [CAS.php:360]
>> DA64 .||Starting a new session 
>> ST-27-xTftALKF-XM9TG94QFnab2R5994-v-cas-1
>> [Client.php:932]
>> DA64 .||Session is authenticated as: babanin [Client.php:936]
>> DA64 .|<= ''
>> DA64 .<= ''
>> DA64 .=> phpCAS::setNoCasServerValidation() [index.php:20]
>> DA64 .|You have configured no validation of the legitimacy of the cas
>> server. This is not recommended for production use. [CAS.php:1644]
>> DA64 .<= ''
>> DA64 .=> CAS_Client::handleLogoutRequests(false, false) [CAS.php:1276]
>> DA64 .|Not a logout request [Client.php:1739]
>> DA64 .<= ''
>> DA64 .=> phpCAS::forceAuthentication() [index.php:27]
>> DA64 .|=> CAS_Client::forceAuthentication() [CAS.php:1098]
>> DA64 .||=> CAS_Client::isAuthenticated() [Client.php:1280]
>> DA64 .|||=> CAS_Client::_wasPreviouslyAuthenticated()
>> [Client.php:1393]
>> DA64 .||||user = `babanin' [Client.php:1622]
>> DA64 .|||<= true
>> DA64 .|||user was already authenticated, no need to look for
>> tickets [Client.php:1417]
>> DA64 .||<= true
>> DA64 .||no need to authenticate [Client.php:1282]
>> DA64 .|<= true
>> DA64 .<= ''
>>
>>
>> понедельник, 23 апреля 2018 г., 16:33:09 UTC+2 пользователь Viacheslav
>> Babanin написал:
>>
>> Could you elaborate, please?
>>
>> Quoting official documentation at https://wiki.jasig.org/disp
>> lay/casc/phpcas+examples
>>
>> "By default phpCAS by default only handles requests that emanate from the
>> CAS host exclusively (declared in phpCAS::client() or phpCAS::proxy()).
>> Failure to restrict SAML logout requests to authorized hosts could allow
>> denial of service attacks where at the least the server is tied up parsing
>> bogus XML messages.
>>
>> To disable access control on logout requests, use:
>>
>> phpCAS::handleLogoutRequests(false);
>>
>> The hosts allowed to send logout requests can also be passed in an array
>> which might be usefull in with clustered cas servers:
>>
>> phpCAS::handleLogoutRequests(true, array("server1.domain.edu", 
>> "server2.domain.edu"));
>>
>>
>> "
>>
>> As i understand, it should be enough either to use
>> phpCAS::handleLogoutRequests(false); (which I tried and it seems like it
>> has no impact) or to specify cas server which is allowed to send logout
>> requests in an array (which I did in example above).
>>
>>
>>
>>
>> понедельник, 23 апреля 2018 г., 16:25:18 UTC+2 пользователь Manfredo Hopp
>> написал:
>>
>> Logout requests are handled by clients.
>>
>> .=> CAS_Client::handleLogoutRequests(true, array (  0 => '
>> cas-1.server.test.pl',)) [CAS.php:1276]
>> D0EE .|Not a logout request [Client.php:1739]
>>
>> See phpcas
>>
>> El lunes, 23 de abril de 2018, Viacheslav Babanin 
>> escribió:
>>
>> Hello, I have encountered issue with SSO for SAML 1.1 clients with CAS
>> 5.2
>>
>> I am rather new cas user and probably i am missing something obvious.
>>
>> I am using folowing phpCAS client:
>>
>> > require_once 'phpcas/source/CAS.php';
>> // Enable debugging
>> phpCAS::setDebug('phpCAS.log');
>> // Enable verbose error messages. Disable in production!
>>

Re: [cas-user] CAS 5.2 single sign out does not work for SAML 1.1 phpCAS clients

2018-04-24 Thread Man H 
Do you have saml support dependency

El martes, 24 de abril de 2018, Viacheslav Babanin 
escribió:

> It seems like I have a problem witch CAS 5.2.3 and SAML logout requests.
> Single logout doesn't work and from the logs it seems like CAS constructs
> SAML logout request but not actually sends it. I am using examplary phpCAS
> client from docs and when i go to ${cas-server}/cas/logout endpoint in
> there is nothing in phpCAS logs. If I use THE SAME client. only changing
> cas endpoint and protocol, with cas 4.1.9 (not configured by me but i have
> administrator access to it) everything works great and phpCAS actually gets
> logout request and correctly processes it. What should i look into? Please
> help.
>
> понедельник, 23 апреля 2018 г., 18:35:17 UTC+2 пользователь rbon написал:
>>
>> Viacheslav,
>>
>> You will want to have handleLogoutRequests(true) so that logout is
>> handled. While testing, skip the CAS server array, just in case the network
>> config changes the apparent source of the request.
>>
>> Put this in your CAS log4j2.xml to see what happens on CAS side of things:
>>
>> 
>> 
>> 
>> > level="debug">
>> 
>> > onMismatch="NEUTRAL" />
>> > onMismatch="DENY" />
>> 
>> 
>> 
>> 
>> 
>> 
>> 
>> 
>>
>> Ray
>>
>> On Mon, 2018-04-23 at 07:41 -0700, Viacheslav Babanin wrote:
>>
>> That's how phpCAS.log looks if i provide it with
>> phpCAS::handleLogoutRequests(false);
>>
>> DA64 .=> phpCAS::client('S1', 'cas-1.server.test.pl', 443, '/cas')
>> [index.php:13]
>> DA64 .|=> CAS_Client::__construct('S1', false, 'cas-1.server.test.pl',
>> 443, '/cas', true) [CAS.php:360]
>> DA64 .||Starting a new session 
>> ST-27-xTftALKF-XM9TG94QFnab2R5994-v-cas-1
>> [Client.php:932]
>> DA64 .||Session is authenticated as: babanin [Client.php:936]
>> DA64 .|<= ''
>> DA64 .<= ''
>> DA64 .=> phpCAS::setNoCasServerValidation() [index.php:20]
>> DA64 .|You have configured no validation of the legitimacy of the cas
>> server. This is not recommended for production use. [CAS.php:1644]
>> DA64 .<= ''
>> DA64 .=> CAS_Client::handleLogoutRequests(false, false) [CAS.php:1276]
>> DA64 .|Not a logout request [Client.php:1739]
>> DA64 .<= ''
>> DA64 .=> phpCAS::forceAuthentication() [index.php:27]
>> DA64 .|=> CAS_Client::forceAuthentication() [CAS.php:1098]
>> DA64 .||=> CAS_Client::isAuthenticated() [Client.php:1280]
>> DA64 .|||=> CAS_Client::_wasPreviouslyAuthenticated()
>> [Client.php:1393]
>> DA64 .||||user = `babanin' [Client.php:1622]
>> DA64 .|||<= true
>> DA64 .|||user was already authenticated, no need to look for
>> tickets [Client.php:1417]
>> DA64 .||<= true
>> DA64 .||no need to authenticate [Client.php:1282]
>> DA64 .|<= true
>> DA64 .<= ''
>>
>>
>> понедельник, 23 апреля 2018 г., 16:33:09 UTC+2 пользователь Viacheslav
>> Babanin написал:
>>
>> Could you elaborate, please?
>>
>> Quoting official documentation at https://wiki.jasig.org/disp
>> lay/casc/phpcas+examples
>>
>> "By default phpCAS by default only handles requests that emanate from the
>> CAS host exclusively (declared in phpCAS::client() or phpCAS::proxy()).
>> Failure to restrict SAML logout requests to authorized hosts could allow
>> denial of service attacks where at the least the server is tied up parsing
>> bogus XML messages.
>>
>> To disable access control on logout requests, use:
>>
>> phpCAS::handleLogoutRequests(false);
>>
>> The hosts allowed to send logout requests can also be passed in an array
>> which might be usefull in with clustered cas servers:
>>
>> phpCAS::handleLogoutRequests(true, array("server1.domain.edu", 
>> "server2.domain.edu"));
>>
>>
>> "
>>
>> As i understand, it should be enough either to use
>> phpCAS::handleLogoutRequests(false); (which I tried and it seems like it
>> has no impact) or to specify cas server which is allowed to send logout
>> requests in an array (which I did in example above).
>>
>>
>>
>>
>> понедельник, 23 апреля 2018 г., 16:25:18 UTC+2 пользователь Manfredo Hopp
>> написал:
>>
>> Logout requests are handled by clients.
>>
>> .=> CAS_Client::handleLogoutRequests(true, array (  0 => '
>> cas-1.server.test.pl',)) [CAS.php:1276]
>> D0EE .|Not a logout request [Client.php:1739]
>>
>> See phpcas
>>
>> El lunes, 23 de abril de 2018, Viacheslav Babanin 
>> escribió:
>>
>> Hello, I have encountered issue with SSO for SAML 1.1 clients with CAS
>> 5.2
>>
>> I am rather new cas user and probably i am missing something obvious.
>>
>> I am using folowing phpCAS client:
>>
>> > require_once 'phpcas/source/CAS.php';
>> // Enable debugging
>> phpCAS::setDebug('phpCAS.log');
>> // Enable verbose error messages. Disable in production!
>> phpCAS::setVerbose(true);
>> // Initialize phpCAS
>> $cas_host =

Re: [cas-user] CAS 5.2 single sign out does not work for SAML 1.1 phpCAS clients

2018-04-24 Thread Viacheslav Babanin 
It seems like I have a problem witch CAS 5.2.3 and SAML logout requests. 
Single logout doesn't work and from the logs it seems like CAS constructs 
SAML logout request but not actually sends it. I am using examplary phpCAS 
client from docs and when i go to ${cas-server}/cas/logout endpoint in 
there is nothing in phpCAS logs. If I use THE SAME client. only changing 
cas endpoint and protocol, with cas 4.1.9 (not configured by me but i have 
administrator access to it) everything works great and phpCAS actually gets 
logout request and correctly processes it. What should i look into? Please 
help.

понедельник, 23 апреля 2018 г., 18:35:17 UTC+2 пользователь rbon написал:
>
> Viacheslav,
>
> You will want to have handleLogoutRequests(true) so that logout is 
> handled. While testing, skip the CAS server array, just in case the network 
> config changes the apparent source of the request.
>
> Put this in your CAS log4j2.xml to see what happens on CAS side of things:
>
> 
> 
> 
>  level="debug">
> 
>  onMismatch="NEUTRAL" />
>  onMismatch="DENY" />
> 
> 
> 
>  name="org.apereo.cas.logout.DefaultSingleLogoutServiceLogoutUrlBuilder" 
> level="debug" />
> 
>  name="org.apereo.cas.logout.DefaultSingleLogoutServiceMessageHandler" 
> level="debug" />
> 
>  name="org.apereo.cas.logout.SamlCompliantLogoutMessageCreator" 
> level="debug" />
>
> Ray
>
> On Mon, 2018-04-23 at 07:41 -0700, Viacheslav Babanin wrote:
>
> That's how phpCAS.log looks if i provide it with 
> phpCAS::handleLogoutRequests(false); 
>
> DA64 .=> phpCAS::client('S1', 'cas-1.server.test.pl', 443, '/cas') 
> [index.php:13]
> DA64 .|=> CAS_Client::__construct('S1', false, 'cas-1.server.test.pl', 
> 443, '/cas', true) [CAS.php:360]
> DA64 .||Starting a new session 
> ST-27-xTftALKF-XM9TG94QFnab2R5994-v-cas-1 [Client.php:932]
> DA64 .||Session is authenticated as: babanin [Client.php:936]
> DA64 .|<= ''
> DA64 .<= ''
> DA64 .=> phpCAS::setNoCasServerValidation() [index.php:20]
> DA64 .|You have configured no validation of the legitimacy of the cas 
> server. This is not recommended for production use. [CAS.php:1644]
> DA64 .<= ''
> DA64 .=> CAS_Client::handleLogoutRequests(false, false) [CAS.php:1276]
> DA64 .|Not a logout request [Client.php:1739]
> DA64 .<= ''
> DA64 .=> phpCAS::forceAuthentication() [index.php:27]
> DA64 .|=> CAS_Client::forceAuthentication() [CAS.php:1098]
> DA64 .||=> CAS_Client::isAuthenticated() [Client.php:1280]
> DA64 .|||=> CAS_Client::_wasPreviouslyAuthenticated() 
> [Client.php:1393]
> DA64 .||||user = `babanin' [Client.php:1622]
> DA64 .|||<= true
> DA64 .|||user was already authenticated, no need to look for 
> tickets [Client.php:1417]
> DA64 .||<= true
> DA64 .||no need to authenticate [Client.php:1282]
> DA64 .|<= true
> DA64 .<= ''
>
>
> понедельник, 23 апреля 2018 г., 16:33:09 UTC+2 пользователь Viacheslav 
> Babanin написал: 
>
> Could you elaborate, please? 
>
> Quoting official documentation at 
> https://wiki.jasig.org/display/casc/phpcas+examples
>
> "By default phpCAS by default only handles requests that emanate from the 
> CAS host exclusively (declared in phpCAS::client() or phpCAS::proxy()). 
> Failure to restrict SAML logout requests to authorized hosts could allow 
> denial of service attacks where at the least the server is tied up parsing 
> bogus XML messages.
>
> To disable access control on logout requests, use: 
>
> phpCAS::handleLogoutRequests(false);
>
> The hosts allowed to send logout requests can also be passed in an array 
> which might be usefull in with clustered cas servers:
>
> phpCAS::handleLogoutRequests(true, array("server1.domain.edu", 
> "server2.domain.edu"));
>
>
> "
>
> As i understand, it should be enough either to use 
> phpCAS::handleLogoutRequests(false); 
> (which I tried and it seems like it has no impact) or to specify cas 
> server which is allowed to send logout requests in an array (which I did in 
> example above).
>
>
>
>
> понедельник, 23 апреля 2018 г., 16:25:18 UTC+2 пользователь Manfredo Hopp 
> написал: 
>
> Logout requests are handled by clients. 
>
> .=> CAS_Client::handleLogoutRequests(true, array (  0 => '
> cas-1.server.test.pl',)) [CAS.php:1276]
> D0EE .|Not a logout request [Client.php:1739]
>
> See phpcas
>
> El lunes, 23 de abril de 2018, Viacheslav Babanin  
> escribió:
>
> Hello, I have encountered issue with SSO for SAML 1.1 clients with CAS 5.2 
>
> I am rather new cas user and probably i am missing something obvious.
>
> I am using folowing phpCAS client:
>
>  require_once 'phpcas/source/CAS.php';
> // Enable debugging
> phpCAS::setDebug('phpCAS.log');
> // Enable verbose error messages. Disable in production!
> phpCAS::setVerbose(true);
> // Initialize phpCAS
>

Re: [cas-user] CAS 5.2 single sign out does not work for SAML 1.1 phpCAS clients

2018-04-24 Thread Viacheslav Babanin 
Ray,

I have set handleLogoutRequests(true) and added those Loggers to CAS 
log4j2.xml, restarted CAS server in tomcat and nothing changes, and it 
seems in log like its publishing logout request but no details.
That's exactyly what I did:

1. Added Loggers to CAS log4j2.xml
2. Restarted CAS in tomcat
3. Set handleLogoutRequests(true) in my saml client.
4. Open incognite mode in Chrome browser.
5. Open tab with https://cas-client.ssl.stub/
6. CAS login page shows up. I logged in.
7. Opened new tab with {cas-server}/cas/logout . Got message that I am 
successfully logged out.
8. Refreshed tab with client. I am still logged in. phpCAS log says that 
user is already authenticated no reason to authenticate. Application 
session still lives.

I have tried it both with BACK_CHANNEL and FRONT_CHANNEL set as a 
logoutType attributes in service definition.

I am attaching logs from CAS.

Thanks, 
Viacheslav



понедельник, 23 апреля 2018 г., 18:35:17 UTC+2 пользователь rbon написал:
>
> Viacheslav,
>
> You will want to have handleLogoutRequests(true) so that logout is 
> handled. While testing, skip the CAS server array, just in case the network 
> config changes the apparent source of the request.
>
> Put this in your CAS log4j2.xml to see what happens on CAS side of things:
>
> 
> 
> 
>  level="debug">
> 
>  onMismatch="NEUTRAL" />
>  onMismatch="DENY" />
> 
> 
> 
>  name="org.apereo.cas.logout.DefaultSingleLogoutServiceLogoutUrlBuilder" 
> level="debug" />
> 
>  name="org.apereo.cas.logout.DefaultSingleLogoutServiceMessageHandler" 
> level="debug" />
> 
>  name="org.apereo.cas.logout.SamlCompliantLogoutMessageCreator" 
> level="debug" />
>
> Ray
>
> On Mon, 2018-04-23 at 07:41 -0700, Viacheslav Babanin wrote:
>
> That's how phpCAS.log looks if i provide it with 
> phpCAS::handleLogoutRequests(false); 
>
> DA64 .=> phpCAS::client('S1', 'cas-1.server.test.pl', 443, '/cas') 
> [index.php:13]
> DA64 .|=> CAS_Client::__construct('S1', false, 'cas-1.server.test.pl', 
> 443, '/cas', true) [CAS.php:360]
> DA64 .||Starting a new session 
> ST-27-xTftALKF-XM9TG94QFnab2R5994-v-cas-1 [Client.php:932]
> DA64 .||Session is authenticated as: babanin [Client.php:936]
> DA64 .|<= ''
> DA64 .<= ''
> DA64 .=> phpCAS::setNoCasServerValidation() [index.php:20]
> DA64 .|You have configured no validation of the legitimacy of the cas 
> server. This is not recommended for production use. [CAS.php:1644]
> DA64 .<= ''
> DA64 .=> CAS_Client::handleLogoutRequests(false, false) [CAS.php:1276]
> DA64 .|Not a logout request [Client.php:1739]
> DA64 .<= ''
> DA64 .=> phpCAS::forceAuthentication() [index.php:27]
> DA64 .|=> CAS_Client::forceAuthentication() [CAS.php:1098]
> DA64 .||=> CAS_Client::isAuthenticated() [Client.php:1280]
> DA64 .|||=> CAS_Client::_wasPreviouslyAuthenticated() 
> [Client.php:1393]
> DA64 .||||user = `babanin' [Client.php:1622]
> DA64 .|||<= true
> DA64 .|||user was already authenticated, no need to look for 
> tickets [Client.php:1417]
> DA64 .||<= true
> DA64 .||no need to authenticate [Client.php:1282]
> DA64 .|<= true
> DA64 .<= ''
>
>
> понедельник, 23 апреля 2018 г., 16:33:09 UTC+2 пользователь Viacheslav 
> Babanin написал: 
>
> Could you elaborate, please? 
>
> Quoting official documentation at 
> https://wiki.jasig.org/display/casc/phpcas+examples
>
> "By default phpCAS by default only handles requests that emanate from the 
> CAS host exclusively (declared in phpCAS::client() or phpCAS::proxy()). 
> Failure to restrict SAML logout requests to authorized hosts could allow 
> denial of service attacks where at the least the server is tied up parsing 
> bogus XML messages.
>
> To disable access control on logout requests, use: 
>
> phpCAS::handleLogoutRequests(false);
>
> The hosts allowed to send logout requests can also be passed in an array 
> which might be usefull in with clustered cas servers:
>
> phpCAS::handleLogoutRequests(true, array("server1.domain.edu", 
> "server2.domain.edu"));
>
>
> "
>
> As i understand, it should be enough either to use 
> phpCAS::handleLogoutRequests(false); 
> (which I tried and it seems like it has no impact) or to specify cas 
> server which is allowed to send logout requests in an array (which I did in 
> example above).
>
>
>
>
> понедельник, 23 апреля 2018 г., 16:25:18 UTC+2 пользователь Manfredo Hopp 
> написал: 
>
> Logout requests are handled by clients. 
>
> .=> CAS_Client::handleLogoutRequests(true, array (  0 => '
> cas-1.server.test.pl',)) [CAS.php:1276]
> D0EE .|Not a logout request [Client.php:1739]
>
> See phpcas
>
> El lunes, 23 de abril de 2018, Viacheslav Babanin  
> escribió:
>
> Hello, I have encountered issue with SSO for SAML 1.1 clients with CAS 5.2 
>
> I am rather new cas

Re: [cas-user] CAS 5.2 single sign out does not work for SAML 1.1 phpCAS clients

2018-04-23 Thread Ray Bon 
Viacheslav,

You will want to have handleLogoutRequests(true) so that logout is handled. 
While testing, skip the CAS server array, just in case the network config 
changes the apparent source of the request.

Put this in your CAS log4j2.xml to see what happens on CAS side of things:

















Ray

On Mon, 2018-04-23 at 07:41 -0700, Viacheslav Babanin wrote:
That's how phpCAS.log looks if i provide it with 
phpCAS::handleLogoutRequests(false);

DA64 .=> phpCAS::client('S1', 'cas-1.server.test.pl', 443, '/cas') 
[index.php:13]
DA64 .|=> CAS_Client::__construct('S1', false, 'cas-1.server.test.pl', 443, 
'/cas', true) [CAS.php:360]
DA64 .||Starting a new session 
ST-27-xTftALKF-XM9TG94QFnab2R5994-v-cas-1 [Client.php:932]
DA64 .||Session is authenticated as: babanin [Client.php:936]
DA64 .|<= ''
DA64 .<= ''
DA64 .=> phpCAS::setNoCasServerValidation() [index.php:20]
DA64 .|You have configured no validation of the legitimacy of the cas 
server. This is not recommended for production use. [CAS.php:1644]
DA64 .<= ''
DA64 .=> CAS_Client::handleLogoutRequests(false, false) [CAS.php:1276]
DA64 .|Not a logout request [Client.php:1739]
DA64 .<= ''
DA64 .=> phpCAS::forceAuthentication() [index.php:27]
DA64 .|=> CAS_Client::forceAuthentication() [CAS.php:1098]
DA64 .||=> CAS_Client::isAuthenticated() [Client.php:1280]
DA64 .|||=> CAS_Client::_wasPreviouslyAuthenticated() 
[Client.php:1393]
DA64 .||||user = `babanin' [Client.php:1622]
DA64 .|||<= true
DA64 .|||user was already authenticated, no need to look for 
tickets [Client.php:1417]
DA64 .||<= true
DA64 .||no need to authenticate [Client.php:1282]
DA64 .|<= true
DA64 .<= ''


понедельник, 23 апреля 2018 г., 16:33:09 UTC+2 пользователь Viacheslav Babanin 
написал:
Could you elaborate, please?

Quoting official documentation at 
https://wiki.jasig.org/display/casc/phpcas+examples


"By default phpCAS by default only handles requests that emanate from the CAS 
host exclusively (declared in phpCAS::client() or phpCAS::proxy()). Failure to 
restrict SAML logout requests to authorized hosts could allow denial of service 
attacks where at the least the server is tied up parsing bogus XML messages.

To disable access control on logout requests, use:

phpCAS::handleLogoutRequests(false);


The hosts allowed to send logout requests can also be passed in an array which 
might be usefull in with clustered cas servers:

phpCAS::handleLogoutRequests(true, 
array("server1.domain.edu", 
"server2.domain.edu"));

"

As i understand, it should be enough either to use 
phpCAS::handleLogoutRequests(false); (which I tried and it seems like it has no 
impact) or to specify cas server which is allowed to send logout requests in an 
array (which I did in example above).




понедельник, 23 апреля 2018 г., 16:25:18 UTC+2 пользователь Manfredo Hopp 
написал:
Logout requests are handled by clients.

.=> CAS_Client::handleLogoutRequests(true, array (  0 => 
'cas-1.server.test.pl',)) [CAS.php:1276]
D0EE .|Not a logout request [Client.php:1739]

See phpcas

El lunes, 23 de abril de 2018, Viacheslav Babanin  
escribió:
Hello, I have encountered issue with SSO for SAML 1.1 clients with CAS 5.2

I am rather new cas user and probably i am missing something obvious.

I am using folowing phpCAS client:

http://cas-1.uek.krakow.pl>';
// Context of the CAS Server
$cas_context = '/cas';
// Port of your CAS server. Normally for a https server it's 443
$cas_port = 443;
phpCAS::client(SAML_VERSION_1_1, $cas_host, $cas_port, $cas_context);
// For production use set the CA certificate that is the issuer of the cert
// on the CAS server and uncomment the line below
// phpCAS::setCasServerCACert($cas_server_ca_cert_path);
// For quick testing you can disable SSL validation of the CAS server.
// THIS SETTING IS NOT RECOMMENDED FOR PRODUCTION.
// VALIDATING THE CAS SERVER IS CRUCIAL TO THE SECURITY OF THE CAS PROTOCOL!
phpCAS::setNoCasServerValidation();
// force CAS authentication

$cas_real_hosts = array('cas-1.uek.krakow.pl');


phpCAS::handleLogoutRequests(true, $cas_real_hosts);

phpCAS::forceAuthentication();
// at this step, the user has been authenticated by the CAS server
// and the user's login name can be read with phpCAS::getUser().
// logout if desired
// logout if desired
if (isset($_REQUEST['logout'])) {
phpCAS::logout();
}
?>


Advanced SAML 1.1 example



Advanced SAML 1.1 example


Authentication succeeded for user
.
User has attributes
.
User Attributes

 $value) {
if (is_array($value)) {
echo '', $key, ':';
foreach ($value as $item) {

Re: [cas-user] CAS 5.2 single sign out does not work for SAML 1.1 phpCAS clients

2018-04-23 Thread Viacheslav Babanin 
That's how phpCAS.log looks if i provide it with 
phpCAS::handleLogoutRequests(false);

DA64 .=> phpCAS::client('S1', 'cas-1.server.test.pl', 443, '/cas') 
[index.php:13]
DA64 .|=> CAS_Client::__construct('S1', false, 'cas-1.server.test.pl', 
443, '/cas', true) [CAS.php:360]
DA64 .||Starting a new session 
ST-27-xTftALKF-XM9TG94QFnab2R5994-v-cas-1 [Client.php:932]
DA64 .||Session is authenticated as: babanin [Client.php:936]
DA64 .|<= ''
DA64 .<= ''
DA64 .=> phpCAS::setNoCasServerValidation() [index.php:20]
DA64 .|You have configured no validation of the legitimacy of the cas 
server. This is not recommended for production use. [CAS.php:1644]
DA64 .<= ''
DA64 .=> CAS_Client::handleLogoutRequests(false, false) [CAS.php:1276]
DA64 .|Not a logout request [Client.php:1739]
DA64 .<= ''
DA64 .=> phpCAS::forceAuthentication() [index.php:27]
DA64 .|=> CAS_Client::forceAuthentication() [CAS.php:1098]
DA64 .||=> CAS_Client::isAuthenticated() [Client.php:1280]
DA64 .|||=> CAS_Client::_wasPreviouslyAuthenticated() 
[Client.php:1393]
DA64 .||||user = `babanin' [Client.php:1622]
DA64 .|||<= true
DA64 .|||user was already authenticated, no need to look for 
tickets [Client.php:1417]
DA64 .||<= true
DA64 .||no need to authenticate [Client.php:1282]
DA64 .|<= true
DA64 .<= ''


понедельник, 23 апреля 2018 г., 16:33:09 UTC+2 пользователь Viacheslav 
Babanin написал:
>
> Could you elaborate, please?
>
> Quoting official documentation at 
> https://wiki.jasig.org/display/casc/phpcas+examples
>
> "By default phpCAS by default only handles requests that emanate from the 
> CAS host exclusively (declared in phpCAS::client() or phpCAS::proxy()). 
> Failure to restrict SAML logout requests to authorized hosts could allow 
> denial of service attacks where at the least the server is tied up parsing 
> bogus XML messages.
>
> To disable access control on logout requests, use: 
>
> phpCAS::handleLogoutRequests(false);
>
> The hosts allowed to send logout requests can also be passed in an array 
> which might be usefull in with clustered cas servers:
>
> phpCAS::handleLogoutRequests(true, array("server1.domain.edu", 
> "server2.domain.edu"));
>
>
> "
>
> As i understand, it should be enough either to use 
> phpCAS::handleLogoutRequests(false); 
> (which I tried and it seems like it has no impact) or to specify cas 
> server which is allowed to send logout requests in an array (which I did in 
> example above).
>
>
>
>
> понедельник, 23 апреля 2018 г., 16:25:18 UTC+2 пользователь Manfredo Hopp 
> написал:
>>
>> Logout requests are handled by clients.
>>
>> .=> CAS_Client::handleLogoutRequests(true, array (  0 => '
>> cas-1.server.test.pl',)) [CAS.php:1276]
>> D0EE .|Not a logout request [Client.php:1739]
>>
>> See phpcas
>>
>> El lunes, 23 de abril de 2018, Viacheslav Babanin  
>> escribió:
>>
>>> Hello, I have encountered issue with SSO for SAML 1.1 clients with CAS 
>>> 5.2
>>>
>>> I am rather new cas user and probably i am missing something obvious.
>>>
>>> I am using folowing phpCAS client:
>>>
>>> >> require_once 'phpcas/source/CAS.php';
>>> // Enable debugging
>>> phpCAS::setDebug('phpCAS.log');
>>> // Enable verbose error messages. Disable in production!
>>> phpCAS::setVerbose(true);
>>> // Initialize phpCAS
>>> $cas_host = 'cas-1.uek.krakow.pl';
>>> // Context of the CAS Server
>>> $cas_context = '/cas';
>>> // Port of your CAS server. Normally for a https server it's 443
>>> $cas_port = 443;
>>> phpCAS::client(SAML_VERSION_1_1, $cas_host, $cas_port, $cas_context);
>>> // For production use set the CA certificate that is the issuer of the 
>>> cert
>>> // on the CAS server and uncomment the line below
>>> // phpCAS::setCasServerCACert($cas_server_ca_cert_path);
>>> // For quick testing you can disable SSL validation of the CAS server.
>>> // THIS SETTING IS NOT RECOMMENDED FOR PRODUCTION.
>>> // VALIDATING THE CAS SERVER IS CRUCIAL TO THE SECURITY OF THE CAS 
>>> PROTOCOL!
>>> phpCAS::setNoCasServerValidation();
>>> // force CAS authentication
>>>
>>> $cas_real_hosts = array('cas-1.uek.krakow.pl');
>>>
>>>
>>> phpCAS::handleLogoutRequests(true, $cas_real_hosts);
>>>
>>> phpCAS::forceAuthentication();
>>> // at this step, the user has been authenticated by the CAS server
>>> // and the user's login name can be read with phpCAS::getUser().
>>> // logout if desired
>>> // logout if desired
>>> if (isset($_REQUEST['logout'])) {
>>> phpCAS::logout();
>>> }
>>> ?>
>>> 
>>> 
>>> Advanced SAML 1.1 example
>>> 
>>> 
>>> 
>>> Advanced SAML 1.1 example
>>> 
>>>
>>> Authentication succeeded for user
>>> .
>>> User has attributes
>>> >> echo 'true';
>>> }
>>> else {
>>> echo 'false';
>>> }
>>>
>>> ?>.
>>> User Attributes
>>> 
>>> >> foreach (phpCAS::getAttributes() as $key => $value) {
>>> if (is_array($value)) {
>>> echo '',

Re: [cas-user] CAS 5.2 single sign out does not work for SAML 1.1 phpCAS clients

2018-04-23 Thread Viacheslav Babanin 
Could you elaborate, please?

Quoting official documentation 
at https://wiki.jasig.org/display/casc/phpcas+examples

"By default phpCAS by default only handles requests that emanate from the 
CAS host exclusively (declared in phpCAS::client() or phpCAS::proxy()). 
Failure to restrict SAML logout requests to authorized hosts could allow 
denial of service attacks where at the least the server is tied up parsing 
bogus XML messages.

To disable access control on logout requests, use: 

phpCAS::handleLogoutRequests(false);

The hosts allowed to send logout requests can also be passed in an array 
which might be usefull in with clustered cas servers:

phpCAS::handleLogoutRequests(true, array("server1.domain.edu", 
"server2.domain.edu"));


"

As i understand, it should be enough either to use 
phpCAS::handleLogoutRequests(false); 
(which I tried and it seems like it has no impact) or to specify cas server 
which is allowed to send logout requests in an array (which I did in 
example above).




понедельник, 23 апреля 2018 г., 16:25:18 UTC+2 пользователь Manfredo Hopp 
написал:
>
> Logout requests are handled by clients.
>
> .=> CAS_Client::handleLogoutRequests(true, array (  0 => '
> cas-1.server.test.pl',)) [CAS.php:1276]
> D0EE .|Not a logout request [Client.php:1739]
>
> See phpcas
>
> El lunes, 23 de abril de 2018, Viacheslav Babanin  > escribió:
>
>> Hello, I have encountered issue with SSO for SAML 1.1 clients with CAS 5.2
>>
>> I am rather new cas user and probably i am missing something obvious.
>>
>> I am using folowing phpCAS client:
>>
>> > require_once 'phpcas/source/CAS.php';
>> // Enable debugging
>> phpCAS::setDebug('phpCAS.log');
>> // Enable verbose error messages. Disable in production!
>> phpCAS::setVerbose(true);
>> // Initialize phpCAS
>> $cas_host = 'cas-1.uek.krakow.pl';
>> // Context of the CAS Server
>> $cas_context = '/cas';
>> // Port of your CAS server. Normally for a https server it's 443
>> $cas_port = 443;
>> phpCAS::client(SAML_VERSION_1_1, $cas_host, $cas_port, $cas_context);
>> // For production use set the CA certificate that is the issuer of the 
>> cert
>> // on the CAS server and uncomment the line below
>> // phpCAS::setCasServerCACert($cas_server_ca_cert_path);
>> // For quick testing you can disable SSL validation of the CAS server.
>> // THIS SETTING IS NOT RECOMMENDED FOR PRODUCTION.
>> // VALIDATING THE CAS SERVER IS CRUCIAL TO THE SECURITY OF THE CAS 
>> PROTOCOL!
>> phpCAS::setNoCasServerValidation();
>> // force CAS authentication
>>
>> $cas_real_hosts = array('cas-1.uek.krakow.pl');
>>
>>
>> phpCAS::handleLogoutRequests(true, $cas_real_hosts);
>>
>> phpCAS::forceAuthentication();
>> // at this step, the user has been authenticated by the CAS server
>> // and the user's login name can be read with phpCAS::getUser().
>> // logout if desired
>> // logout if desired
>> if (isset($_REQUEST['logout'])) {
>> phpCAS::logout();
>> }
>> ?>
>> 
>> 
>> Advanced SAML 1.1 example
>> 
>> 
>> 
>> Advanced SAML 1.1 example
>> 
>>
>> Authentication succeeded for user
>> .
>> User has attributes
>> > echo 'true';
>> }
>> else {
>> echo 'false';
>> }
>>
>> ?>.
>> User Attributes
>> 
>> > foreach (phpCAS::getAttributes() as $key => $value) {
>> if (is_array($value)) {
>> echo '', $key, ':';
>> foreach ($value as $item) {
>> echo '', $item, '';
>> }
>> echo '';
>> } else {
>> echo '', $key, ': ', $value, '' . 
>> PHP_EOL;
>> }
>> }
>> ?>
>> 
>> Logout
>> 
>> 
>>
>>
>> Single sign in works like expected. If I have several CAS clients, when I 
>> log in to one of them, I am authenticated in all, like expected.
>>
>> But Single Logout completely doesn't work for me. When I log out using 
>> CAS logout endpoint "{cas-server}/cas/logout" i receive message that I am 
>> logged out from CAS and I can see in SSO manager that CAS Session is 
>> terminated.
>> But all application sessions are still alive, I am allowed not only to 
>> navigate client pages but also close\open tabs and I am still logged in.
>>
>> I have tried to configure service with client application with both 
>> "BACK_CHANNEL" and "FRONT_CHANNEL" logoutType with no luck.
>>
>> 1. If I use BACK_CHANNEL.
>>
>> Thats how service definition looks like:
>>
>> {
>>   "@class" : "org.jasig.cas.services.RegexRegisteredService",
>>   "serviceId" : "https://cas-client.ssl.stub/;,
>>   "name" : "example_simple_citest",
>>   "id" : 7,
>>   "logoutType" : "BACK_CHANNEL",
>>
>>   "attributeReleasePolicy" : {
>> "@class" : 
>> "org.apereo.cas.services.ReturnMappedAttributeReleasePolicy",
>> "allowedAttributes" : {
>>   "@class" : "java.util.TreeMap",
>>   "uid" : "user_id",
>> "sn" : "surname"
>>  }
>> }
>>   }
>>
>>
>> When I log out using "{cas-server}/cas/logout" endpoint CAS server log 
>> looks like this:

Re: [cas-user] CAS 5.2 single sign out does not work for SAML 1.1 phpCAS clients

2018-04-23 Thread Man H 
Logout requests are handled by clients.

.=> CAS_Client::handleLogoutRequests(true, array (  0 => '
cas-1.server.test.pl',)) [CAS.php:1276]
D0EE .|Not a logout request [Client.php:1739]

See phpcas

El lunes, 23 de abril de 2018, Viacheslav Babanin 
escribió:

> Hello, I have encountered issue with SSO for SAML 1.1 clients with CAS 5.2
>
> I am rather new cas user and probably i am missing something obvious.
>
> I am using folowing phpCAS client:
>
>  require_once 'phpcas/source/CAS.php';
> // Enable debugging
> phpCAS::setDebug('phpCAS.log');
> // Enable verbose error messages. Disable in production!
> phpCAS::setVerbose(true);
> // Initialize phpCAS
> $cas_host = 'cas-1.uek.krakow.pl';
> // Context of the CAS Server
> $cas_context = '/cas';
> // Port of your CAS server. Normally for a https server it's 443
> $cas_port = 443;
> phpCAS::client(SAML_VERSION_1_1, $cas_host, $cas_port, $cas_context);
> // For production use set the CA certificate that is the issuer of the cert
> // on the CAS server and uncomment the line below
> // phpCAS::setCasServerCACert($cas_server_ca_cert_path);
> // For quick testing you can disable SSL validation of the CAS server.
> // THIS SETTING IS NOT RECOMMENDED FOR PRODUCTION.
> // VALIDATING THE CAS SERVER IS CRUCIAL TO THE SECURITY OF THE CAS
> PROTOCOL!
> phpCAS::setNoCasServerValidation();
> // force CAS authentication
>
> $cas_real_hosts = array('cas-1.uek.krakow.pl');
>
>
> phpCAS::handleLogoutRequests(true, $cas_real_hosts);
>
> phpCAS::forceAuthentication();
> // at this step, the user has been authenticated by the CAS server
> // and the user's login name can be read with phpCAS::getUser().
> // logout if desired
> // logout if desired
> if (isset($_REQUEST['logout'])) {
> phpCAS::logout();
> }
> ?>
> 
> 
> Advanced SAML 1.1 example
> 
> 
> 
> Advanced SAML 1.1 example
> 
>
> Authentication succeeded for user
> .
> User has attributes
>  echo 'true';
> }
> else {
> echo 'false';
> }
>
> ?>.
> User Attributes
> 
>  foreach (phpCAS::getAttributes() as $key => $value) {
> if (is_array($value)) {
> echo '', $key, ':';
> foreach ($value as $item) {
> echo '', $item, '';
> }
> echo '';
> } else {
> echo '', $key, ': ', $value, '' .
> PHP_EOL;
> }
> }
> ?>
> 
> Logout
> 
> 
>
>
> Single sign in works like expected. If I have several CAS clients, when I
> log in to one of them, I am authenticated in all, like expected.
>
> But Single Logout completely doesn't work for me. When I log out using CAS
> logout endpoint "{cas-server}/cas/logout" i receive message that I am
> logged out from CAS and I can see in SSO manager that CAS Session is
> terminated.
> But all application sessions are still alive, I am allowed not only to
> navigate client pages but also close\open tabs and I am still logged in.
>
> I have tried to configure service with client application with both
> "BACK_CHANNEL" and "FRONT_CHANNEL" logoutType with no luck.
>
> 1. If I use BACK_CHANNEL.
>
> Thats how service definition looks like:
>
> {
>   "@class" : "org.jasig.cas.services.RegexRegisteredService",
>   "serviceId" : "https://cas-client.ssl.stub/;,
>   "name" : "example_simple_citest",
>   "id" : 7,
>   "logoutType" : "BACK_CHANNEL",
>
>   "attributeReleasePolicy" : {
> "@class" : "org.apereo.cas.services.ReturnMappedAttributeReleasePo
> licy",
> "allowedAttributes" : {
>   "@class" : "java.util.TreeMap",
>   "uid" : "user_id",
> "sn" : "surname"
>  }
> }
>   }
>
>
> When I log out using "{cas-server}/cas/logout" endpoint CAS server log
> looks like this: back.txt (see attachment)
>
> phpCAS.log doesn't log anything in this case. And application session
> still lives untill I close browser.
>
> 2. If I use FRONT_CHANNEL.
>
> Thats how service definition looks like:
>
> {
>   "@class" : "org.jasig.cas.services.RegexRegisteredService",
>   "serviceId" : "https://cas-client.ssl.stub/;,
>   "name" : "example_simple_citest",
>   "id" : 7,
>   "logoutType" : "FRONT_CHANNEL",
>
>   "attributeReleasePolicy" : {
> "@class" : "org.apereo.cas.services.ReturnMappedAttributeReleasePo
> licy",
> "allowedAttributes" : {
>   "@class" : "java.util.TreeMap",
>   "uid" : "user_id",
> "sn" : "surname"
>  }
> }
>   }
>
> When I log out using "{cas-server}/cas/logout" endpoint CAS server log
> looks like this: front.txt (see attachment)
>
> And I see following message upon logout on endpoint page:
>
>
> 
>
>
>
>
> W
> Which tells me that logout notification has been sent.
>
> At the same time, when endpoint logout happens, phpCAS.log logs following
> message.
>
> D0EE .START (2018-04-23 15:37:16) phpCAS-1.3.5