IdP V3 logout and RemoteUser Auth Flow using external CAS server

n99
Hi

We are working on our IdP v3 deployment and have configured RemoteUser Auth Flow using an external CAS server by doing the following.

1) idp.authn.flows= RemoteUser in conf/idp.properties
2) Configuring a CAS client in the IdP's web.xml as shown here https://wiki.jasig.org/display/CASUM/Shibboleth-CAS+Integration based on how we configured our IdP v2.

It may well be that this is the incorrect method of RemoteUser Auth Flow using an external CAS server so I hope to stand corrected if so.

Given the above setup, I then tested simple logout as described at https://wiki.shibboleth.net/confluence/display/IDP30/LogoutConfiguration

I could see the shib_idp_session_ss and shib_idp_session cookies being destroyed when I hit /profile/Logout (although a JSESSIONID cookie remained). I also destroyed my CAS server session by logging out of the CAS server.

However, I was able to log back in to another SP without logging in to the IdP/CAS server and could see new shib_idp_session_ss and shib_idp_session cookies appearing.

I would not have expected this to happen.

Looking at the logs I can see the following:

2016-07-07 17:18:07,171 - DEBUG [net.shibboleth.idp.authn.impl.SelectAuthenticationFlow:334] - Profile Action SelectAuthenticationFlow: Selecting inactive authentication flow authn/RemoteUser
2016-07-07 17:18:07,201 - DEBUG [net.shibboleth.idp.authn.impl.RemoteUserAuthServlet:231] - User identity extracted from REMOTE_USER: [me]
2016-07-07 17:18:07,222 - INFO [net.shibboleth.idp.authn.impl.ValidateExternalAuthentication:115] - Profile Action ValidateExternalAuthentication: External authentication succeeded for user: [me]

I then went through logout of the IdP and CAS server again, but this time also destroyed the JSESSIONID cookie mentioned above.

This time I was prompted to login to the IdP/CAS server again as I would expect.

I presume that the remote_user header is being stored in the HttpSession Object stored in the /idp context even though it should only have request scope?


How would I achieve the logout I desire with a RemoteUser Auth Flow using an external CAS server?

Thanks for any help

Cheers

N99
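The following is an added example, not code from the post above or from the Shibboleth or Jasig projects. It assumes the setup the poster describes: the Java CAS Client filters from the linked wiki page in front of the IdP's RemoteUser servlet. That client validates the service ticket once, stores the resulting Assertion in the container HttpSession (under the attribute name AbstractCasFilter.CONST_CAS_ASSERTION, which is assumed below to be "_const_cas_assertion_" for the client version in use), and its HttpServletRequestWrapperFilter answers getRemoteUser() from that cached assertion on every later request. Clearing the shib_idp_session cookies therefore does nothing to the container session behind JSESSIONID, which is the behaviour the log lines above show. The hypothetical filter below, mapped only to /profile/Logout, removes the cached assertion so the next RemoteUser login has to go back to the CAS server:

```java
import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/**
 * Hypothetical filter (added example, not Shibboleth or Jasig code).
 * Mapped to the IdP's /profile/Logout path, it drops the CAS assertion that
 * the Java CAS Client caches in the container HttpSession. Without this the
 * wrapped request keeps answering getRemoteUser() from the cached assertion
 * for as long as the JSESSIONID cookie is valid, so authn/RemoteUser
 * succeeds silently after the shib_idp_session cookies are gone.
 */
public class CasAssertionLogoutFilter implements Filter {

    // Session attribute written by org.jasig.cas.client.util.AbstractCasFilter
    // (CONST_CAS_ASSERTION). Assumed value; confirm against the client
    // version actually deployed in the IdP's web.xml.
    static final String CAS_ASSERTION_ATTR = "_const_cas_assertion_";

    @Override
    public void init(FilterConfig filterConfig) {
        // nothing to configure
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (req instanceof HttpServletRequest) {
            // getSession(false): never create a session just to log out of it
            HttpSession session = ((HttpServletRequest) req).getSession(false);
            if (session != null && session.getAttribute(CAS_ASSERTION_ATTR) != null) {
                // Remove only the CAS assertion. The IdP keeps its own
                // session-scoped Spring Web Flow state in the same HttpSession,
                // so invalidating the whole session here would break the
                // Logout flow that is about to run.
                session.removeAttribute(CAS_ASSERTION_ATTR);
            }
        }
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() {
        // nothing to release
    }
}
```

Register it in the IdP's web.xml with a filter-mapping whose url-pattern is /profile/Logout, and keep the existing CAS filter-mappings on the /Authn/RemoteUser path unchanged. To check the result, repeat the poster's test: hit /profile/Logout with the JSESSIONID cookie still present, then start a login at a second SP; the RemoteUser servlet should now be redirected to the CAS login page instead of logging "User identity extracted from REMOTE_USER". Two caveats: this only clears the IdP side, so the CAS server's own SSO session still has to be ended as the poster did; and if the CAS server is configured for single logout, the Java CAS Client's SingleSignOutFilter will invalidate the IdP's container session itself when the CAS logout request arrives, which covers the CAS-initiated case but not an IdP-initiated /profile/Logout.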