Apereo CAS is an open source enterprise Single Sign-On project. The purpose of this article is to demonstrate how to configure and troubleshoot the Apereo CAS SLO. While the project itself is open source and has much documentation, diving into the nuts and bolts of the product is sometimes required and can be quite challenging. If you are troubleshooting SLO (single logout) in CAS, we hope this article will prove to be valuable to you.
Note that this article is based on CAS version 6.6.x. If you find the recommendations in this article are out of date please contact us stating so.
CAS Single Logout properties
There are a few different properties you can configure in your cas.properties file to fine tune the single logout feature. The documentation can be challenging to navigate, especially if you are new to administering CAS. For that reason, we will discuss the logout properties here.
cas.authn.saml-idp.logout.force-signed-logout-requests=true
- If true, then logout requests will be signed. Depending on the SP (Service Provider) this may not be required.
cas.authn.saml-idp.logout.logout-response-binding=
- If no binding is defined, the endpoints defined in the SAML metadata determine the binding used.
cas.authn.saml-idp.logout.send-logout-response=true
- We see no reason to not send a logout response, but if you are aware as to the reason why someone may wish to not send the logout response to the SP, please let us know. Presumably this property could be useful for testing.
cas.authn.saml-idp.logout.sign-logout-response=false
- If true, then logout responses will be signed.
cas.authn.saml-idp.logout.single-logout-callbacks-disabled=false
- While awkwardly named, if true, SLO will be disabled.
Apereo CAS SLO properties source code
If you are looking through the source code, the SAML SLO properties can be found in the org.apereo.cas.configuration.model.support.saml.idp.SamlIdPLogoutProperties Java class.
SLO Troubleshooting
If you are experiencing issues with the single logout configuration, you should first consult the logs. For example, you may see a log similar to this one:
org.opensaml.messaging.handler.MessageHandlerException: Message context was not authenticated
Here “not authenticated” means a signature check failed: a message that was expected to be signed was not. In this case, the logout request wasn’t signed but the SP was expecting it to be.
For additional troubleshooting it is helpful to run a SAML trace on your logout. For this specific example, you would notice that the saml2p:LogoutResponse was not signed.
The fix was to set the following property: cas.authn.saml-idp.logout.sign-logout-response=true
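As an added check that is not part of the original article: a small Python script that takes a decoded SAML logout message from a SAML trace, reports whether it carries an XML signature, and names the CAS property from the list above that governs signing for that message type. The sample messages are constructed, and the mapping to properties follows the descriptions given in this article; note the caveat in the code about the HTTP-Redirect binding, where the signature lives in the query string rather than inside the XML.

```python
import xml.etree.ElementTree as ET

SAML2P = "urn:oasis:names:tc:SAML:2.0:protocol"
DS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"saml2p": SAML2P, "ds": DS}

# Which cas.properties key governs signing of each logout message type,
# following the property descriptions in this article.
SIGNING_PROPERTY = {
    "LogoutResponse": "cas.authn.saml-idp.logout.sign-logout-response",
    "LogoutRequest": "cas.authn.saml-idp.logout.force-signed-logout-requests",
}

# Constructed sample messages (not captured from a real CAS deployment).
UNSIGNED_RESPONSE = f"""<saml2p:LogoutResponse xmlns:saml2p="{SAML2P}"
  ID="_r1" Version="2.0" IssueInstant="2023-01-01T00:00:00Z"
  Destination="https://sp.example.org/slo" InResponseTo="_q1">
  <saml2p:Status>
    <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </saml2p:Status>
</saml2p:LogoutResponse>"""

# The ds:Signature below is a placeholder; a real one carries SignedInfo,
# SignatureValue and KeyInfo produced by the signer.
SIGNED_REQUEST = f"""<saml2p:LogoutRequest xmlns:saml2p="{SAML2P}" xmlns:ds="{DS}"
  ID="_q1" Version="2.0" IssueInstant="2023-01-01T00:00:00Z">
  <ds:Signature><ds:SignedInfo/></ds:Signature>
  <saml2p:SessionIndex>_s1</saml2p:SessionIndex>
</saml2p:LogoutRequest>"""


def check_logout_message(xml_text: str) -> dict:
    """Classify a decoded SAML logout message and say whether it is signed.

    Caveat: with the HTTP-Redirect binding the signature travels in the
    SigAlg/Signature query parameters, not inside the XML, so a missing
    ds:Signature is only conclusive for the HTTP-POST binding.
    """
    root = ET.fromstring(xml_text)
    ns, _, kind = root.tag.partition("}")
    if ns != "{" + SAML2P or kind not in SIGNING_PROPERTY:
        raise ValueError(f"not a SAML 2.0 logout message: {root.tag}")
    # An enveloped XML signature sits as a direct child of the message root.
    signed = root.find("ds:Signature", NS) is not None
    return {"type": kind, "signed": signed, "property": SIGNING_PROPERTY[kind]}


if __name__ == "__main__":
    for msg in (UNSIGNED_RESPONSE, SIGNED_REQUEST):
        r = check_logout_message(msg)
        state = "signed" if r["signed"] else "NOT signed"
        print(f"{r['type']}: {state} (controlled by {r['property']})")
```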
This was one example of troubleshooting SLO, but please let us know if you have more you would like us to investigate and cover.
Conclusion – Apereo CAS SLO
We hope this article has proven to be valuable in helping you configure and troubleshoot your Apereo CAS SLO configuration. Leave us a comment with any questions and let us know if you would like to see more articles on the Apereo CAS project. Until then, we hope you will read more of our content.