Hi Jérôme,

Thank you very much for your help.

We will give the front-channel logout a try. If we had a DelegatedCasClientLogoutAction component like we have for SAML and OIDC with the DelegatedSaml2ClientLogoutAction and DelegatedClientOidcLogoutAction components, do you think it would change something about CAS answering with a 302 redirect to the logout request?

Thanks again for your time.

--
Regards,
Camille-Olivier ALBERT
Product & SAAS Architect
Tel.: +33 (0) 2 40 20 47 95 - 8 rue Kervégan 44000 Nantes - France
www.kosmos-education.com

On Tue, 11 Mar 2025 at 10:01, Jérôme LELEU <lel...@gmail.com> wrote:

> Hi,
>
> The problem with a back channel call is that the CAS (SSO session) cookie
> is not transmitted with the logout request so this requires to track the
> authentication request by an identifier and reuse the same identifier
> passed during the logout to be able to find back the SSO session and
> explicitly remove it.
>
> This has been done for SAML via the DelegatedSaml2ClientLogoutAction
> component and for OIDC via the DelegatedClientOidcLogoutAction component.
> But it's not done for the CAS protocol.
>
> As a workaround, you can use a front channel logout call.
>
> Thanks.
> Best regards,
> Jérôme
>
> On Mon, 10 Mar 2025 at 22:57, Camille ALBERT <camille.alb...@kosmos.fr> wrote:
>
>> Hi folks,
>>
>> We use CAS 7.1.4 and try to implement delegated authentication to another
>> CAS server (this one is in version 6.6.15.2).
>>
>> Login is working fine: SP -> CAS 7.1.4 -> CAS 6.6.15.2, SP uses OIDC to
>> communicate with CAS 7.1.4 and CAS 7.1.4 uses CAS 3.0 to communicate with
>> CAS 6.6.15.2.
>>
>> Logout is working fine too when it is initiated by SP, user is
>> disconnected from CAS 7.1.4 and then is redirected on CAS 6.6.15.2 logout
>> url.
>>
>> Our issue is when logout is initiated by the IDP, CAS 6.6.15.2 here. In
>> the CAS 6.6.15.2 logs we can see that a backchannel logout request is sent
>> to CAS 7.1.4:
>>
>>    - It's a POST request
>>    - url is something like https://<cas_7_1_4_url>/login/<client_name>
>>      (<client_name> value is the CAS 6.6.15.2 client code in CAS 7.1.4)
>>    - there is a logoutRequest param with an url encoded xml
>>      logoutRequest as value (with CAS 3.0 service ticket id as SessionIndex
>>      attribute)
>>
>> In the CAS 7.1.4 logs we see nothing, but in CAS 6.6.15.2 logs we can see
>> that CAS 7.1.4 answers to the logout request with a 302 redirect response
>> with location
>> https://<cas_7_1_4_url>/login?logoutRequest=<xml_encoded_logout_request>&client_name=<client_name>.
>> This redirect is not followed by the http client used by CAS 6.6.15.2.
>>
>> We initially thought that DelegatedClientAuthenticationAction,
>> DelegatedAuthenticationIdentityProviderLogoutAction and/or
>> DelegatedAuthenticationIdentityProviderFinalizeLogoutAction would have
>> logged something in CAS 7.1.4 logs, but even in trace mode there is nothing.
>>
>> We found this PR https://github.com/apereo/cas/pull/5593 which is
>> related to our subject. At the end of the discussion Misagh says that
>> IDP initiated SLO has been implemented for SAML but not yet for OIDC nor
>> CAS protocols. Is it still the case?
>>
>> If IDP initiated SLO is implemented for all protocols, do you have any
>> idea why it does not work in our case? Any idea why CAS 6.6.15.2
>> backchannel logout POST request is not well understood by CAS 7.1.4 which
>> answers with a 302 redirect?
>>
>> Many thanks for your help, we really appreciate it.
>>
>> Camille
>>
>> --
>> - Website: https://apereo.github.io/cas
>> - List Guidelines: https://goo.gl/1VRrw7
>> - Contributions: https://goo.gl/mh7qDG
>> ---
>> You received this message because you are subscribed to the Google Groups
>> "CAS Community" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to cas-user+unsubscr...@apereo.org.
>> To view this discussion visit
>> https://groups.google.com/a/apereo.org/d/msgid/cas-user/5bb237f0-c1a4-4fa2-bdb9-8a9fbb068453n%40apereo.org
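
Added example (not part of the thread, and not CAS's own code): a Python illustration of the correlation Jérôme describes, where an identifier recorded at login is reused to find and remove the SSO session when a cookie-less back-channel logout POST arrives. `SessionTracker` and its method names are hypothetical, the ticket and session ids are constructed, and the sample XML follows the CAS protocol's logout request layout, with SessionIndex carried as an element.

```python
# Added example: back-channel logout correlation for a delegated CAS login.
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, quote

SAMLP = "{urn:oasis:names:tc:SAML:2.0:protocol}"

class SessionTracker:
    """Hypothetical store: delegated service ticket -> local SSO session."""

    def __init__(self):
        self._by_ticket = {}
        self.sessions = set()

    def on_delegated_login(self, service_ticket, sso_session_id):
        # Recorded at login because the logout POST will carry no SSO cookie.
        self.sessions.add(sso_session_id)
        self._by_ticket[service_ticket] = sso_session_id

    def on_back_channel_logout(self, form_body):
        """Take the url-encoded POST body; return the removed session or None."""
        values = parse_qs(form_body).get("logoutRequest")
        if not values:
            return None
        xml_text = values[0]
        if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
            return None  # no DTDs accepted from a server-to-server caller
        try:
            root = ET.fromstring(xml_text)
        except ET.ParseError:
            return None
        if root.tag != SAMLP + "LogoutRequest":
            return None
        index = (root.findtext(SAMLP + "SessionIndex") or "").strip()
        # pop() makes the lookup one-shot: a replayed request finds nothing.
        sso_session_id = self._by_ticket.pop(index, None)
        if sso_session_id is not None:
            self.sessions.discard(sso_session_id)
        return sso_session_id

# Constructed sample request, laid out as in the CAS protocol specification.
SAMPLE_XML = (
    '<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"'
    ' ID="LR-constructed" Version="2.0" IssueInstant="2025-03-10T22:00:00Z">'
    '<saml:NameID xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
    '@NOT_USED@</saml:NameID>'
    '<samlp:SessionIndex>ST-1-constructed</samlp:SessionIndex>'
    '</samlp:LogoutRequest>'
)
SAMPLE_BODY = "logoutRequest=" + quote(SAMPLE_XML)
```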