I debugged CAS and found strange behavior:
1. Keycloak sends a correct request to the "/idp/profile/SAML2/POST/SLO" endpoint.
2. CAS sends a redirect to "/cas/logout" in both cases (http and https); however, the session will be invalidated in http mode only.
-
I excluded nginx from my local env, so I have only the executable CAS.war and
Keycloak.
I configured CAS to use SSL in this way:
server.ssl.enabled=true
server.ssl.key-store-type=JKS
server.ssl.key-store=C:/Environment/jdk-11.0.5/bin/caskeystore.jks
server.ssl.key-store-password=changeit
Ray,
I have had some issues related to the self-signed certificate on my local env.
CAS and Keycloak produced exceptions related to the certificate and the flow didn't
work at all.
I regenerated the certificate for the domain instead of 127.0.0.1 and all
exceptions were gone. So it's not an issue with the certificate.
Maksim,
Could this be a certificate issue?
If this is a self-signed certificate, you will need to add it to the Java
keystore (trust store).
https://www.digitalocean.com/community/tutorials/java-keytool-essentials-working-with-java-keystores
Ray
On Mon, 2020-03-16 at 16:46 -0700, 'Maksim
That's interesting. Backchannel logout works when the load balancer of CAS
(nginx) doesn't use SSL; however, backchannel logout doesn't work when nginx uses
SSL.
I see the same output in the console of the CAS server in both cases (with SSL and
without SSL).
-
I tried this functionality in Keycloak. I see a POST request to CAS after
logout from Keycloak and I see this request in the CAS access log, but my CAS
session is still active.
Did I miss something? How do I log out from CAS too?
DEBUG [org.apache.http.impl.execchain.MainClientExec] (default task-17)