Re: [cas-user] SAML delegated authN in CAS 6.6.x, SLO has no signature element to external IDP?

2023-09-13 Thread Yan Zhou
Figured out! cas.authn.pac4j.saml[0].signServiceProviderLogoutRequest=true I was looking for the signature element in the XML SAML Response. Actually, with delegated authN to Okta, the signature is not in the XML; it is a parameter in the GET request, along with the SAMLRequest parameter. What got me there is
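
To make the finding above concrete, here is an added example (not code from the thread, CAS or pac4j) of how a SAML 2.0 HTTP-Redirect logout request is signed and then verified by the receiving IdP: the signature travels in the Signature query parameter, computed over the URL-encoded SAMLRequest and SigAlg parameters, and the XML itself carries no Signature element. The key pair, issuer, endpoint URL and request ID are constructed placeholders.

```java
import java.io.ByteArrayOutputStream;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.Base64;
import java.util.zip.Deflater;

public class RedirectBindingSlo {
    static final String SIG_ALG = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"; // SigAlg value
    static String enc(String s) { return URLEncoder.encode(s, StandardCharsets.UTF_8); }

    // Redirect binding: the LogoutRequest XML is raw-DEFLATEd (no zlib header), then Base64-encoded
    static String encodeRequest(String xml) {
        Deflater d = new Deflater(Deflater.DEFAULT_COMPRESSION, true);
        d.setInput(xml.getBytes(StandardCharsets.UTF_8)); d.finish();
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        byte[] buf = new byte[1024];
        while (!d.finished()) out.write(buf, 0, d.deflate(buf));
        return Base64.getEncoder().encodeToString(out.toByteArray());
    }

    // Data the signature covers: URL-encoded query parameters in this fixed order (RelayState, if present,
    // goes between them); Signature itself is excluded. A verifier rebuilds it from the raw received values.
    static String signedString(String samlRequestB64) {
        return "SAMLRequest=" + enc(samlRequestB64) + "&SigAlg=" + enc(SIG_ALG);
    }
    static String sign(String data, PrivateKey key) throws GeneralSecurityException {
        Signature sig = Signature.getInstance("SHA256withRSA");
        sig.initSign(key); sig.update(data.getBytes(StandardCharsets.UTF_8));
        return Base64.getEncoder().encodeToString(sig.sign());
    }
    // What the receiving IdP does before honouring the logout: check Signature over the rebuilt data
    static boolean verify(String data, String sigB64, PublicKey key) throws GeneralSecurityException {
        Signature sig = Signature.getInstance("SHA256withRSA");
        sig.initVerify(key); sig.update(data.getBytes(StandardCharsets.UTF_8));
        return sig.verify(Base64.getDecoder().decode(sigB64));
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator g = KeyPairGenerator.getInstance("RSA");
        g.initialize(2048);
        KeyPair kp = g.generateKeyPair(); // constructed stand-in for the SP (CAS) signing key
        String xml = "<samlp:LogoutRequest xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\" ID=\"_req1\""
            + " Version=\"2.0\" IssueInstant=\"2023-09-13T00:00:00Z\"><saml:Issuer xmlns:saml=\"urn:oasis:names:tc:SAML:2.0:assertion\">"
            + "https://cas.example.org</saml:Issuer></samlp:LogoutRequest>"; // no ds:Signature element inside
        String data = signedString(encodeRequest(xml));
        String signature = sign(data, kp.getPrivate());
        System.out.println("https://idp.example.org/slo?" + data + "&Signature=" + enc(signature));
        System.out.println("signature valid: " + verify(data, signature, kp.getPublic()));
    }
}
```

If the SP never adds the Signature and SigAlg parameters, the IdP has nothing to verify and rejects the logout, which is the "invalid signature" symptom in this thread.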

Re: [cas-user] SAML delegated authN in CAS 6.6.x, SLO has no signature element to external IDP?

2023-09-11 Thread Yan Zhou
Hi, Looks like CAS already performed logout (the TGC cookie is already removed) before it redirects to Okta to do the logout, but it does not have a signature element in the Logout request sent to Okta. Would that be a problem? Even if Okta recognizes it and logs the user out, it will redirect back to CAS,

Re: [cas-user] SAML delegated authN in CAS 6.6.x, SLO has no signature element to external IDP?

2023-09-08 Thread Ray Bon
Yan, It is a wise idea to sign logout requests. This prevents a bad actor from creating false logouts. 'Validate SAML requests with signature ... ' is for the login request. When your client app sends a logout request to CAS, does CAS (as IdP) end its session with the client? Ray On Fri,

[cas-user] SAML delegated authN in CAS 6.6.x, SLO has no signature element to external IDP?

2023-09-08 Thread Yan Zhou
Hi, I have almost completed SAML delegated authN with CAS and Okta, CAS delegates to Okta, except for SLO. When client app initiates SLO, it goes to CAS, CAS redirects to Okta, but Okta says "invalid signature", the SAML Logout request from CAS has no signature element. See below. I