Hi folks,

We use CAS 7.1.4 and are trying to implement delegated authentication to another CAS server (this one is at version 6.6.15.2).

Login is working fine: SP -> CAS 7.1.4 -> CAS 6.6.15.2. The SP uses OIDC to communicate with CAS 7.1.4, and CAS 7.1.4 uses CAS 3.0 to communicate with CAS 6.6.15.2.

Logout is working fine too when it is initiated by the SP: the user is disconnected from CAS 7.1.4 and is then redirected to the CAS 6.6.15.2 logout URL.

Our issue is when logout is initiated by the IDP, CAS 6.6.15.2 here. In the CAS 6.6.15.2 logs we can see that a backchannel logout request is sent to CAS 7.1.4:

- It's a POST request
- the URL is something like https://<cas_7_1_4_url>/login/<client_name> (the <client_name> value is the CAS 6.6.15.2 client code in CAS 7.1.4)
- there is a logoutRequest param with a URL-encoded XML logoutRequest as its value (with the CAS 3.0 service ticket id as SessionIndex attribute)

In the CAS 7.1.4 logs we see nothing, but in the CAS 6.6.15.2 logs we can see that CAS 7.1.4 answers the logout request with a 302 redirect response with location https://<cas_7_1_4_url>/login?logoutRequest=<xml_encoded_logout_request>&client_name=<client_name>. This redirect is not followed by the HTTP client used by CAS 6.6.15.2.

We initially thought that DelegatedClientAuthenticationAction, DelegatedAuthenticationIdentityProviderLogoutAction and/or DelegatedAuthenticationIdentityProviderFinalizeLogoutAction would have logged something in the CAS 7.1.4 logs, but even in trace mode there is nothing.

We found this PR https://github.com/apereo/cas/pull/5593 which is related to our subject. At the end of the discussion Misagh says that IDP initiated SLO has been implemented for SAML but not yet for OIDC nor CAS protocols. Is it still the case?

If IDP initiated SLO is implemented for all protocols, do you have any idea why it does not work in our case? Any idea why the CAS 6.6.15.2 backchannel logout POST request is not well understood by CAS 7.1.4, which answers with a 302 redirect?

Many thanks for your help, we really appreciate it.

Camille
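
For anyone reproducing the exchange described in the message above, an added example (not part of the original post and not CAS code): it parses a back-channel logout POST body of the shape described, extracts the SessionIndex, and flags a redirect that only carries the logoutRequest along in its Location. The XML layout follows the CAS protocol's single-logout message; the function names, sample ticket id and header dictionary are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode, urlsplit

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"

# Constructed sample: a CAS single-logout message with a made-up ticket id.
SAMPLE_XML = (
    '<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'ID="LR-1-constructed" Version="2.0" IssueInstant="2025-01-01T00:00:00Z">'
    '<saml:NameID xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">@NOT_USED@</saml:NameID>'
    '<samlp:SessionIndex>ST-1-constructed-ticket</samlp:SessionIndex>'
    '</samlp:LogoutRequest>'
)
SAMPLE_BODY = urlencode({"logoutRequest": SAMPLE_XML})  # form-encoded POST body

def session_index(form_body: str) -> str:
    """Return the SessionIndex (service ticket id) from a back-channel logout POST body."""
    values = parse_qs(form_body).get("logoutRequest")
    if not values:
        raise ValueError("no logoutRequest parameter in body")
    xml = values[0]
    # Coarse guard: a logout request never needs a DTD, and ElementTree
    # expands internal entities, so refuse the message before parsing it.
    if re.search(r"<!(DOCTYPE|ENTITY)", xml, re.I):
        raise ValueError("DTD not allowed in logoutRequest")
    root = ET.fromstring(xml)
    if root.tag != f"{{{SAMLP}}}LogoutRequest":
        raise ValueError("root element is not samlp:LogoutRequest")
    node = root.find(f"{{{SAMLP}}}SessionIndex")
    if node is None or not (node.text or "").strip():
        raise ValueError("no SessionIndex in logoutRequest")
    return node.text.strip()

def classify_response(status: int, headers: dict) -> str:
    """Classify the receiver's answer to the POST (headers: name -> value, 'Location' as key)."""
    if 200 <= status < 300:
        return "accepted"  # the POST was not bounced; session teardown is not proven
    if status in (301, 302, 303, 307, 308):
        query = parse_qs(urlsplit(headers.get("Location", "")).query)
        # The message was moved into the redirect target instead of being processed.
        return "redirected-with-logout-request" if "logoutRequest" in query else "redirected"
    return "rejected"
```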