Figured out!
cas.authn.pac4j.saml[0].signServiceProviderLogoutRequest=true
I was looking for a signature element in the XML SAML Response. Actually, with
delegated authN to Okta, the signature is not in the XML; it is a parameter in
the GET request, along with the SAMLRequest parameter.
What got me there is th
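The finding in the message above, as an added example that is not part of the thread: in the HTTP-Redirect binding the signature travels as `SigAlg` and `Signature` query parameters, so the inflated XML carries no `ds:Signature` element. The host name, request ID and signature bytes are constructed placeholders, and `inspect`, `signed_octets` and `build_sample` are names chosen for this sketch.

```python
import base64, zlib
import xml.etree.ElementTree as ET  # for untrusted input prefer defusedxml
from urllib.parse import quote, unquote, urlsplit

DS_NS = "http://www.w3.org/2000/09/xmldsig#"
SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"

def raw_params(url):
    """Query parameters with their original percent-encoding kept intact."""
    parts = (p.split("=", 1) for p in urlsplit(url).query.split("&") if "=" in p)
    return {k: v for k, v in parts}

def signed_octets(raw):
    """What the Signature parameter covers: the still-encoded SAMLRequest,
    RelayState (if present) and SigAlg, in that order."""
    keys = [k for k in ("SAMLRequest", "RelayState", "SigAlg") if k in raw]
    return "&".join(f"{k}={raw[k]}" for k in keys)

def inspect(url):
    """Report where (if anywhere) a redirect-binding request is signed."""
    raw = raw_params(url)
    # Redirect binding encoding: URL-decode, base64-decode, raw-DEFLATE inflate.
    xml = zlib.decompress(base64.b64decode(unquote(raw["SAMLRequest"])), -15)
    root = ET.fromstring(xml)
    return {
        "message": root.tag.split("}")[-1],
        "xml_signature": root.find(f"{{{DS_NS}}}Signature") is not None,
        "query_signature": "SigAlg" in raw and "Signature" in raw,
        "sig_alg": unquote(raw["SigAlg"]) if "SigAlg" in raw else None,
        "signed_octets": signed_octets(raw),
    }

def build_sample(signed):
    """Constructed LogoutRequest URL; host and signature bytes are placeholders."""
    xml = f'<samlp:LogoutRequest xmlns:samlp="{SAMLP_NS}" ID="_constructed" Version="2.0"/>'
    deflater = zlib.compressobj(wbits=-15)
    body = deflater.compress(xml.encode()) + deflater.flush()
    url = "https://idp.example.test/slo?SAMLRequest=" + quote(base64.b64encode(body), safe="")
    if signed:
        fake_sig = base64.b64encode(b"placeholder, not a real signature")
        url += "&SigAlg=" + quote(RSA_SHA256, safe="") + "&Signature=" + quote(fake_sig, safe="")
    return url

if __name__ == "__main__":
    for flag in (False, True):
        print(flag, inspect(build_sample(flag)))
```

Checking the signature itself means verifying the `Signature` bytes over `signed_octets` with the sender's public key and the algorithm named in `SigAlg`; this sketch only locates the signature.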
Hi,
Looks like CAS already performed logout (TGC cookie is already removed)
before it redirects to Okta to do the logout, but it does not have a signature
element in the Logout request sent to Okta.
Would that be a problem, even if Okta would recognize and log the user out, it
will redirect back to CAS, no
Yan,
It is a wise idea to sign logout requests. This prevents a bad actor from
creating false logouts.
'Validate SAML requests with signature ... ' is for the login request.
When your client app sends a logout request to CAS, does CAS (as IdP) end its
session with the client?
Ray
On Fri, 202