felixrupp / user_cas

This app provides CAS authentication support for ownCloud and Nextcloud, using the phpCAS library of jasig/apereo.
21 stars, 24 forks

Single Log Out not working #56

Closed Baso123 closed 4 years ago

Baso123 commented 5 years ago

Hi,

I have difficulties with Single Log Out (SLO) on my basic implementation.

The logoutUrl configured in the CAS server is "https://extranet.xxxxxxxxxxxxxx.fr/cloud/index.php/apps/user_cas/login".

CAS server: the CAS log shows that the logout request is correctly sent.

> 2019-04-06 18:15:10,832 DEBUG [org.apereo.cas.logout.slo.DefaultSingleLogoutServiceLogoutUrlBuilder] - <Logout request will be sent to [https://extranet.xxxxxxxxxxxxxx.fr/cloud/index.php/apps/user_cas/login] for service [AbstractWebApplicationService(id=https://extranet.xxxxxxxxxxxxxx.fr/cloud/index.php/apps/user_cas/login, originalUrl=https://extranet.x.fr/cloud/index.pxxxxxxxxxxxxxxhp/apps/user_cas/login, artifactId=null, principal=basile.test@xxxxx.fr, source=service, loggedOutAlready=false, format=XML, attributes={})]>
> 2019-04-06 18:15:10,833 DEBUG [org.apereo.cas.logout.slo.BaseSingleLogoutServiceMessageHandler] - <Prepared logout url [[org.apereo.cas.logout.slo.SingleLogoutUrl@ae1f72ee]] for service [AbstractWebApplicationService(id=https://extranet.xxxxxxxxxxxxxx.fr/cloud/index.php/apps/user_cas/login, originalUrl=https://extranet.xxxxxxxxxxxxxxxxx.fr/cloud/index.php/apps/user_cas/login, artifactId=null, principal=basile.test@xxxxxxxxxxxxxx.fr, source=service, loggedOutAlready=false, format=XML, attributes={})]>
> 2019-04-06 18:15:10,835 DEBUG [org.apereo.cas.logout.slo.BaseSingleLogoutServiceMessageHandler] - <Prepared logout message to send is [HttpMessage(url=https://extranet.xxxxxxxxxxxxx.fr/cloud/index.php/apps/user_cas/login, message=logoutRequest=%3Csamlp%3ALogoutRequest+xmlns%3Asamlp%3D%22urn%3Aoasis%3Anames%3Atc%3ASAML%3A2.0%3Aprotocol%22+ID%3D%22LR-2-hTkl0dF8f4XPX9-8aeQoJIZY%22+Version%3D%222.0%22+IssueInstant%3D%222019-04-06T18%3A15%3A10Z%22%3E%3Csaml%3ANameID+xmlns%3Asaml%3D%22urn%3Aoasis%3Anames%3Atc%3ASAML%3A2.0%3Aassertion%22%3Ebasile.test%xxxxxxxxxx.fr%3C%2Fsaml%3ANameID%3E%3Csamlp%3ASessionIndex%3EST-2-zcTYW858ldyFLPeC9MZ2gL-fGoMvps641230%3C%2Fsamlp%3ASessionIndex%3E%3C%2Fsamlp%3ALogoutRequest%3E, asynchronous=true, responseCode=0, contentType=application/x-www-form-urlencoded)]. Sending...>
> 2019-04-06 18:15:10,835 DEBUG [org.apereo.cas.util.http.SimpleHttpClient] - <Created HTTP post message payload [POST https://extranet.xxxxxxxxxx.fr/cloud/index.php/apps/user_cas/login HTTP/1.1]>
> 2019-04-06 18:15:10,850 INFO [org.apereo.cas.logout.DefaultLogoutManager] - <[2] logout requests were processed>
CAS client: tcpdump shows that the logout request is correctly received.

51.68.xx.xx.38168 > 37.187.xx.xx.https: Flags [P.], cksum 0x8209 (correct), seq 0:754, ack 1, win 229, options [nop,nop,TS val 2263944706 ecr 768689247], length 754: HTTP, length: 754
        POST /cloud/index.php/apps/user_cas/login HTTP/1.1
        Content-Type: application/x-www-form-urlencoded
        Content-Length: 484
        Host: extranet.xxxxxxxxxxx.fr
        Connection: Keep-Alive
        User-Agent: Apache-HttpClient/4.5.6 (Java/11.0.2)
        Accept-Encoding: gzip,deflate
        logoutRequest=%3Csamlp%3ALogoutRequest+xmlns%3Asamlp%3D%22urn%3Aoasis%3Anames%3Atc%3ASAML%3A2.0%3Aprotocol%22+ID%3D%22LR-2-hTkl0dF8f4XPX9-8aeQoJIZY%22+Version%3D%222.0%22+IssueInstant%3D%222019-04-06T18%3A15%3A10Z%22%3E%3Csaml%3ANameID+xmlns%3Asaml%3D%22urn%3Aoasis%3Anames%3Atc%3ASAML%3A2.0%3Aassertion%22%3Ebasile.test%40xxxxxxxx.fr%3C%2Fsaml%3ANameID%3E%3Csamlp%3ASessionIndex%3EST-2-zcTYW858ldyFLPeC9MZ2gL-fGoMvps641230%3C%2Fsamlp%3ASessionIndex%3E%3C%2Fsamlp%3ALogoutRequest%3E[!http]
18:15:14.642363 IP (tos 0x0, ttl 56, id 61227, offset 0, flags [DF], proto TCP (6), length 52)

The format of the LogoutRequest seems to be correct.

logoutRequest= <samlp:LogoutRequest+ xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"+ ID="LR-2-hTkl0dF8f4XPX9-8aeQoJIZY"+Version="2.0"+ IssueInstant="2019-04-06T18:15:10Z"> saml:NameID+xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">basile.test@xxxxxxxx.fr</saml:NameID

ST-2-zcTYssssfsfsf2gL-fGefefefoMvps641230

There is NOTHING in the phpCAS debug log concerning these POSTs. Note: the phpCAS debug log is correct when there is a logout initiated DIRECTLY by the client.

6170 .START (2019-04-08 17:17:40) phpCAS-1.3.6 ****************** [CAS.php:468]
6170 .=> phpCAS::client('3.0', 'cas.xxxxxxxxx.fr', 443, '/cas') [AppService.php:275]
6170 .|    => CAS_Client::__construct('3.0', false, 'cas.xxxxxxxxxxxxx.fr', 443, '/cas', true) [CAS.php:359]
6170 .|    |    Session is not authenticated [Client.php:938]
6170 .|    <= ''
6170 .<= ''
6170 .=> phpCAS::setFixedServiceURL('https://extranet.xxxxxxxxxxx.fr/cloud/index.php/apps/user_cas/login') [AppService.php:287]
6170 .<= ''
6170 .=> phpCAS::setCasServerCACert('/home/httpd/vhosts/extranet.xxxxxxxxxx.fr/httpsdocs/cloud/apps/user_cas/WildCard_DLT_public_with_intermediate.crt') [AppService.php:293]
6170 .<= ''
6170 .=> phpCAS::logout(array ( 'url' => 'https://extranet.xxxxxxxxxxxxxx.fr/cloud/',)) [UserHooks.php:380]
6170 .|    => CAS_Client::logout(array ( 'url' => 'https://extranet.xxxxxxxxxxxx.fr/cloud/',)) [CAS.php:1450]
6170 .|    |    Prepare redirect to : https://cas.xxxxxxxxxxx.fr/cas/logout?url=https%3A%2F%2Fextranet.xxxxxxxxxxxxxx.fr%2Fcloud%2F [Client.php:1696]
6170 .|    |    Destroying session : n7fsi7jucvas5k67s1fjv559s5 [Client.php:1698]
6170 .|    |    Session terminated [Client.php:1702]
6170 .|    |    exit()
6170 .|    |    -
6170 .|    -

Is SLO supposed to be operational with user_cas? If yes, what am I doing wrong?

Thks & Rgds
Baso123 commented 5 years ago

Hi,

It appears that the CAS client's response is 405 Method Not Allowed:

[09/Apr/2019:00:05:57 +0200] "POST /cloud/index.php/apps/user_cas/login HTTP/1.1" **405** - "-" "Apache-HttpClient/4.5.6 (Java/11.0.2)"

The CAS client server is not blocking POST. For example:

[09/Apr/2019:01:25:31 +0200] "POST /cloud/index.php/heartbeat HTTP/1.1" **200** - "-" "curl/7.29.0"

I don't see any rewrite concerning /cloud/index.php/apps/user_cas/login.

Any ideas?

Thks

Baso123 commented 5 years ago

Hi,

According to the code in appinfo/routes.php, there is no POST route available for /login:

$application->registerRoutes($this, array(
    'routes' => [
        array('name' => 'settings#saveSettings', 'url' => '/settings/save', 'verb' => 'POST'),
        array('name' => 'authentication#casLogin', 'url' => '/login', 'verb' => 'GET')
    ]
));

I believe it explains why POST to /cloud/index.php/apps/user_cas/login returns a 405.

I am missing something somewhere!

Thanks

Baso123 commented 5 years ago

Hi,

As a workaround, I am trying to set up FRONT_CHANNEL (i.e. callback).

/apps/user_cas/login?callback=jQueryxxxx33104204689&logoutRequest=eJx9kF9PgzA(...) is correctly received by the client, but user_cas returns "message":"phpCAS has been successfully initialized".

See the log below:

{"reqId":"XKyV@zxpHRsUN8s-OodQJgAAAAg","level":0,"time":"2019-04-09T12:54:19+00:00","remoteAddr":"92.170.234.118","user":"basile.test@xxxxxxxxxxx.fr","app":"OC\\User\\Session::validateToken","method":"GET","url":"\/cloud\/index.php\/apps\/user_cas\/login?callback=jQuery33104204689432693226_1554814451922&logoutRequest=eJx9kF9PgzAUxb%2FK0vdiYUylAeIW9kAEzWBpjG8FqsNAC9zyx29v52IyffD13HvO%2Bd3rA2%2BbjibqXY06E%2F0oQK%2BWtpFAvycBGgdJFYcaqOStAKpLmm%2FThDoWod2gtCpVg1ZxFKAkww7BY70hLOsZ01OKo2Q%2FF3d9%2FWE%2FoxUTA9RKBshYjQNgFLEEzaU2ErE9TFxMvKPt0o1Lbe8Vhf6ZgT6Z3ji6ovofigOIQZsiFBZmpRGWNkc9VGLSvBFSg%2FU2%2BDdXyZeajuYCznyxrMQS5kfsOJgXj7vPpbln6eHE2pdytwzztjrs16d56uDWtZ01uWT9sf%2BIvx4bfgGsP31T&_=1554814451923","message":"token 9f56104fc6cc6bbf63649ea91cd38080571fd699fafbd2b71922e5d4e3a17dfd1d2572422866b23e7fe9af99e65ca8c6b2d3bf38adad3db2393769f9c3803dfe with token id 41418 found, validating"}
{"reqId":"XKyV@zxpHRsUN8s-OodQJgAAAAg","level":0,"time":"2019-04-09T12:54:19+00:00","remoteAddr":"92.170.234.118","user":"basile.test@xxxxxxxxxxx.fr","app":"OC\\User\\Session::validateToken","method":"GET","url":"\/cloud\/index.php\/apps\/user_cas\/login?callback=jQuery33104204689432693226_1554814451922&logoutRequest=eJx9kF9PgzAUxb%2FK0vdiYUylAeIW9kAEzWBpjG8FqsNAC9zyx29v52IyffD13HvO%2Bd3rA2%2BbjibqXY06E%2F0oQK%2BWtpFAvycBGgdJFYcaqOStAKpLmm%2FThDoWod2gtCpVg1ZxFKAkww7BY70hLOsZ01OKo2Q%2FF3d9%2FWE%2FoxUTA9RKBshYjQNgFLEEzaU2ErE9TFxMvKPt0o1Lbe8Vhf6ZgT6Z3ji6ovofigOIQZsiFBZmpRGWNkc9VGLSvBFSg%2FU2%2BDdXyZeajuYCznyxrMQS5kfsOJgXj7vPpbln6eHE2pdytwzztjrs16d56uDWtZ01uWT9sf%2BIvx4bfgGsP31T&_=1554814451923","message":"token 9f56104fc6cc6bbf63649ea91cd38080571fd699fafbd2b71922e5d4e3a17dfd1d2572422866b23e7fe9af99e65ca8c6b2d3bf38adad3db2393769f9c3803dfe with token id 41418 found, validating"}
{"reqId":"XKyV@zxpHRsUN8s-OodQJgAAAAg","level":0,"time":"2019-04-09T12:54:19+00:00","remoteAddr":"92.170.234.118","user":"basile.test@xxxxxxxxxxx.fr","app":"OC\\User\\Session::validateToken","method":"GET","url":"\/cloud\/index.php\/apps\/user_cas\/login?callback=jQuery33104204689432693226_1554814451922&logoutRequest=eJx9kF9PgzAUxb%2FK0vdiYUylAeIW9kAEzWBpjG8FqsNAC9zyx29v52IyffD13HvO%2Bd3rA2%2BbjibqXY06E%2F0oQK%2BWtpFAvycBGgdJFYcaqOStAKpLmm%2FThDoWod2gtCpVg1ZxFKAkww7BY70hLOsZ01OKo2Q%2FF3d9%2FWE%2FoxUTA9RKBshYjQNgFLEEzaU2ErE9TFxMvKPt0o1Lbe8Vhf6ZgT6Z3ji6ovofigOIQZsiFBZmpRGWNkc9VGLSvBFSg%2FU2%2BDdXyZeajuYCznyxrMQS5kfsOJgXj7vPpbln6eHE2pdytwzztjrs16d56uDWtZ01uWT9sf%2BIvx4bfgGsP31T&_=1554814451923","message":"token 9f56104fc6cc6bbf63649ea91cd38080571fd699fafbd2b71922e5d4e3a17dfd1d2572422866b23e7fe9af99e65ca8c6b2d3bf38adad3db2393769f9c3803dfe with token id 41418 found, validating"}
{"reqId":"XKyV@zxpHRsUN8s-OodQJgAAAAg","level":0,"time":"2019-04-09T12:54:20+00:00","remoteAddr":"92.170.234.118","user":"basile.test@xxxxxxxxxxx.fr","app":"user_cas","method":"GET","url":"\/cloud\/index.php\/apps\/user_cas\/login?callback=jQuery33104204689432693226_1554814451922&logoutRequest=eJx9kF9PgzAUxb%2FK0vdiYUylAeIW9kAEzWBpjG8FqsNAC9zyx29v52IyffD13HvO%2Bd3rA2%2BbjibqXY06E%2F0oQK%2BWtpFAvycBGgdJFYcaqOStAKpLmm%2FThDoWod2gtCpVg1ZxFKAkww7BY70hLOsZ01OKo2Q%2FF3d9%2FWE%2FoxUTA9RKBshYjQNgFLEEzaU2ErE9TFxMvKPt0o1Lbe8Vhf6ZgT6Z3ji6ovofigOIQZsiFBZmpRGWNkc9VGLSvBFSg%2FU2%2BDdXyZeajuYCznyxrMQS5kfsOJgXj7vPpbln6eHE2pdytwzztjrs16d56uDWtZ01uWT9sf%2BIvx4bfgGsP31T&_=1554814451923","message":"phpCAS has been successfully initialized."}
{"reqId":"XKyV@zxpHRsUN8s-OodQJgAAAAg","level":0,"time":"2019-04-09T12:54:20+00:00","remoteAddr":"92.170.234.118","user":"basile.test@xxxxxxxxxxx.fr","app":"user_cas","method":"GET","url":"\/cloud\/index.php\/apps\/user_cas\/login?callback=jQuery33104204689432693226_1554814451922&logoutRequest=eJx9kF9PgzAUxb%2FK0vdiYUylAeIW9kAEzWBpjG8FqsNAC9zyx29v52IyffD13HvO%2Bd3rA2%2BbjibqXY06E%2F0oQK%2BWtpFAvycBGgdJFYcaqOStAKpLmm%2FThDoWod2gtCpVg1ZxFKAkww7BY70hLOsZ01OKo2Q%2FF3d9%2FWE%2FoxUTA9RKBshYjQNgFLEEzaU2ErE9TFxMvKPt0o1Lbe8Vhf6ZgT6Z3ji6ovofigOIQZsiFBZmpRGWNkc9VGLSvBFSg%2FU2%2BDdXyZeajuYCznyxrMQS5kfsOJgXj7vPpbln6eHE2pdytwzztjrs16d56uDWtZ01uWT9sf%2BIvx4bfgGsP31T&_=1554814451923","message":"The Redirect URL Parameter in Login Action was: https:\/\/extranet.XXXXXXXXXXXXXX.fr\/cloud\/"}
{"reqId":"XKyV@zxpHRsUN8s-OodQJgAAAAg","level":0,"time":"2019-04-09T12:54:20+00:00","remoteAddr":"92.170.234.118","user":"basile.test@xxxxxxxxxxx.fr","app":"user_cas","method":"GET","url":"\/cloud\/index.php\/apps\/user_cas\/login?callback=jQuery33104204689432693226_1554814451922&logoutRequest=eJx9kF9PgzAUxb%2FK0vdiYUylAeIW9kAEzWBpjG8FqsNAC9zyx29v52IyffD13HvO%2Bd3rA2%2BbjibqXY06E%2F0oQK%2BWtpFAvycBGgdJFYcaqOStAKpLmm%2FThDoWod2gtCpVg1ZxFKAkww7BY70hLOsZ01OKo2Q%2FF3d9%2FWE%2FoxUTA9RKBshYjQNgFLEEzaU2ErE9TFxMvKPt0o1Lbe8Vhf6ZgT6Z3ji6ovofigOIQZsiFBZmpRGWNkc9VGLSvBFSg%2FU2%2BDdXyZeajuYCznyxrMQS5kfsOJgXj7vPpbln6eHE2pdytwzztjrs16d56uDWtZ01uWT9sf%2BIvx4bfgGsP31T&_=1554814451923","message":"phpCAS user is already authenticated against owncloud."}
{"reqId":"XKyV-DxpHRsUN8s-OodQJwAAAAg","level":0,"time":"2019-04-09T12:54:20+00:00","remoteAddr":"92.170.234.118","user":"basile.test@xxxxxxxxxxx.fr","app":"OC\\User\\Session::validateToken","method":"GET","url":"\/cloud\/","message":"token 9f56104fc6cc6bbf63649ea91cd38080571fd699fafbd2b71922e5d4e3a17dfd1d2572422866b23e7fe9af99e65ca8c6b2d3bf38adad3db2393769f9c3803dfe with token id 41418 found, validating"}

I am missing something somewhere but I am running out of ideas.

Some suggestions would be greatly appreciated.

Thks

felixrupp commented 5 years ago

Hi @Baso123,

I don’t have significant knowledge of the logout features of the CAS server, because at my company we don’t use it. I implemented the logout handling of the phpCAS library; it will be automatically enabled if you set the "Logout Servers" option in the admin panel, but I could never really test it.

Please report back whether this solves your issue or not.

Regards, Felix

pmayer commented 5 years ago

Hi @felixrupp,

I think this is still not working. An SLO request is a POST to …/index.php/apps/user_cas/login with this content:

<samlp:LogoutRequest
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="[RANDOM ID]"
    Version="2.0"
    IssueInstant="[CURRENT DATE/TIME]">
    <saml:NameID>@NOT_USED@</saml:NameID>
    <samlp:SessionIndex>[SESSION IDENTIFIER]</samlp:SessionIndex>
</samlp:LogoutRequest>

So the session identified by the value in SessionIndex should be destroyed. Is this handled in the current version?

Regards, Philipp

felixrupp commented 5 years ago

@pmayer user_cas handles logout requests with the provided function handleLogoutRequests in the phpCAS library. The function is called whenever the user_cas app is initialized, so it should work when calling …/index.php/apps/user_cas/login. Additionally, to let this feature work, "Disable CAS logout" in the user_cas "Basic" settings panel must not be checked and you have to specify the servers (e.g. your ownCloud/Nextcloud instance URL) in "Logout Servers". The "Logout Servers" option will be optional in the upcoming 1.7.2 release.

See phpCAS Client.php L1729 for a reference of the function.

felixrupp commented 5 years ago

@pmayer Release 1.7.2 is now officially online.

alexisberindei commented 5 years ago

Hello @felixrupp.

There is something weird. How is it supposed to handle a request with HTTP method "POST" when the only allowed method on …/index.php/apps/user_cas/login is GET?

The incoming callback request is a POST with BACK_CHANNEL (XML data in the body) and a GET with FRONT_CHANNEL (/apps/user_cas/login?callback=jQuery3410058233537850423955_1571689840065&logoutRequest=eJx9kFFPgzAUhf8K...).

Am I wrong?

Regards, Alexis.

alexisberindei commented 5 years ago

In order to trace the problem, I made another route which accepts POST requests.

\apps\user_cas\appinfo\routes.php

/** @var \OCA\UserCAS\AppInfo\Application $application */
$application = new \OCA\UserCAS\AppInfo\Application();
$application->registerRoutes($this, array(
    'routes' => [
        array('name' => 'settings#saveSettings', 'url' => '/settings/save', 'verb' => 'POST'),
        array('name' => 'authentication#casLogin', 'url' => '/login', 'verb' => 'GET'),
        array('name' => 'authentication#casLogout', 'url' => '/logout', 'verb' => 'POST')
    ]
));

\apps\user_cas\lib\Controller\AuthenticationController.php

/**
 * Logout method: accepts the back-channel SLO POST and hands it to phpCAS.
 *
 * @NoAdminRequired
 * @NoCSRFRequired
 * @PublicPage
 * @UseSession
 * @OnlyUnauthenticatedUsers
 */
public function casLogout()
{
    if (!$this->appService->isCasInitialized()) {

        try {
            // init() sets up phpCAS, which runs handleLogoutRequests() on the
            // POSTed logoutRequest and exit()s after destroying the session.
            $this->appService->init();
        } catch (PhpUserCasLibraryNotFoundException $e) {

            $this->loggingService->write(\OCA\UserCas\Service\LoggingService::FATAL, 'Fatal error with code: ' . $e->getCode() . ' and message: ' . $e->getMessage());

            header("Location: " . $this->appService->getAbsoluteURL('/'));
            die();
        }
    }
}

phpcas_debug.log

8DEE .START (2019-10-21 21:50:05) phpCAS-1.3.7 ****************** [CAS.php:475]
8DEE .=> phpCAS::client('3.0', '<cas.domain>', 443, '/cas') [AppService.php:286]
8DEE .|    => CAS_Client::__construct('3.0', false, '<cas.domain>', 443, '/cas', true) [CAS.php:366]
8DEE .|    |    Session is not authenticated [Client.php:938]
8DEE .|    <= ''
8DEE .<= ''
8DEE .=> CAS_Client::handleLogoutRequests(true, array (  0 => '<clientIP>',  1 => '<clientIP>',  2 => '<clientIP>',)) [CAS.php:1298]
8DEE .|    Logout requested [Client.php:1744]
8DEE .|    SAML REQUEST: <samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="LR-39-SADwTIP71MTrlHkupVuZ0tmS" Version="2.0" IssueInstant="2019-10-21T23:50:03Z"><saml:NameID xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">user@domain</saml:NameID><samlp:SessionIndex>ST-45-GCJW2HQw-iGnpwwzCt8pV8Xi3O4-CTOVHLP15005</samlp:SessionIndex></samlp:LogoutRequest> [Client.php:1746]
8DEE .|    Client: <client_hostname>/<client_ip> [Client.php:1754]
8DEE .|    Allowed client '<clientIP>' matches, logout request is allowed [Client.php:1761]
8DEE .|    Logout command allowed [Client.php:1777]
8DEE .|    Ticket to logout: ST-45-GCJW2HQw-iGnpwwzCt8pV8Xi3O4-CTOVHLP15005 [Client.php:1793]
8DEE .|    Session id: 319e782f5cd0779d34986ad9d9ec84f8151baa844aaf86ece7ad2ee7f306f7bb [Client.php:1806]
8DEE .|    Session 319e782f5cd0779d34986ad9d9ec84f8151baa844aaf86ece7ad2ee7f306f7bb destroyed [Client.php:1822]
8DEE .|    exit()
8DEE .| 

As you can see, the request is now correctly handled, the session is looked up and destroyed. Everything should work now, but nope. The session seems to still be there because I can continue navigating on the current session in Nextcloud :(

felixrupp commented 5 years ago

Thanks for your input, I will review your solution this week!

alexisberindei commented 5 years ago

I'm still on the session destroy problem and I found something weird. handleLogoutRequests confirms the destruction of a session (looked up from the CAS ticket id, I suppose) but navigation on Nextcloud still works.

The only way the navigation can still be working is because the right session is still present. When I manually log out from Nextcloud I get a different session id in the CAS debug log file.

Example: session ID 319e782f5cd0779d34986ad9d9ec84f8151baa844aaf86ece7ad2ee7f306f7bb

8DEE .=> CAS_Client::handleLogoutRequests(true, array (  0 => '<clientIP>',  1 => '<clientIP>',  2 => '<clientIP>',)) [CAS.php:1298]
8DEE .|    Logout requested [Client.php:1744]
8DEE .|    SAML REQUEST: <samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="LR-39-SADwTIP71MTrlHkupVuZ0tmS" Version="2.0" IssueInstant="2019-10-21T23:50:03Z"><saml:NameID xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">user@domain</saml:NameID><samlp:SessionIndex>ST-45-GCJW2HQw-iGnpwwzCt8pV8Xi3O4-CTOVHLP15005</samlp:SessionIndex></samlp:LogoutRequest> [Client.php:1746]
8DEE .|    Client: <client_hostname>/<client_ip> [Client.php:1754]
8DEE .|    Allowed client '<clientIP>' matches, logout request is allowed [Client.php:1761]
8DEE .|    Logout command allowed [Client.php:1777]
8DEE .|    Ticket to logout: ST-45-GCJW2HQw-iGnpwwzCt8pV8Xi3O4-CTOVHLP15005 [Client.php:1793]
8DEE .|    Session id: **319e782f5cd0779d34986ad9d9ec84f8151baa844aaf86ece7ad2ee7f306f7bb** [Client.php:1806]
8DEE .|    Session 319e782f5cd0779d34986ad9d9ec84f8151baa844aaf86ece7ad2ee7f306f7bb destroyed [Client.php:1822]
8DEE .|    exit()
8DEE .| 

Session ID hra2kaqec1iokq6q7q58dq92ks

6D59 .=> phpCAS::logout(array (  'service' => '<hostname>',)) [UserHooks.php:396]
6D59 .|    => CAS_Client::logout(array (  'service' => '<hostname>',)) [CAS.php:1470]
6D59 .|    |    Prepare redirect to : https://<cas hostname>/cas/logout?service=https%3A%2F%2F<client hostname>%2F [Client.php:1690]
6D59 .|    |    Destroying session : hra2kaqec1iokq6q7q58dq92ks [Client.php:1692]
6D59 .|    |    Session terminated [Client.php:1696]
6D59 .|    |    exit()
6D59 .|    |    -

The first session id looks like a SHA-256 hash?
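The back-channel SLO request pmayer described above and the session-id mismatch alexisberindei observed, worked through as an added example (not code from user_cas or phpCAS, written in Python rather than PHP so it runs stand-alone): it decodes a POST body shaped like the tcpdump capture, extracts the SessionIndex ticket, and shows why destroying a phpCAS-derived session id (sha256 of the ticket, as I recall from Client.php; verify against your copy) leaves the application's own session alive unless the login handler recorded a ticket-to-session mapping. SLO_BODY, SessionStore and every id are constructed.

```python
# Added example, not code from user_cas or phpCAS. Models CAS back-channel SLO:
# decode the POST body, extract the SessionIndex ticket, find the session to
# destroy. The body, the store and every id below are constructed.
import hashlib
import urllib.parse
import xml.etree.ElementTree as ET  # untrusted XML: use defusedxml in production

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed form-encoded body, shaped like the tcpdump capture in the thread.
SLO_BODY = (
    "logoutRequest=%3Csamlp%3ALogoutRequest+xmlns%3Asamlp%3D%22urn%3Aoasis%3Anames"
    "%3Atc%3ASAML%3A2.0%3Aprotocol%22+ID%3D%22LR-2-EXAMPLE%22+Version%3D%222.0%22"
    "+IssueInstant%3D%222019-04-06T18%3A15%3A10Z%22%3E%3Csaml%3ANameID+xmlns%3Asaml"
    "%3D%22urn%3Aoasis%3Anames%3Atc%3ASAML%3A2.0%3Aassertion%22%3E%40NOT_USED%40"
    "%3C%2Fsaml%3ANameID%3E%3Csamlp%3ASessionIndex%3EST-2-EXAMPLETICKET%3C%2Fsamlp"
    "%3ASessionIndex%3E%3C%2Fsamlp%3ALogoutRequest%3E"
)


def parse_slo_request(body: str) -> dict:
    """Decode application/x-www-form-urlencoded and read the LogoutRequest."""
    params = urllib.parse.parse_qs(body, strict_parsing=True)  # '+' -> space
    root = ET.fromstring(params["logoutRequest"][0])
    if root.tag != f"{{{SAMLP}}}LogoutRequest":
        raise ValueError(f"unexpected root element {root.tag}")
    index = root.find(f"{{{SAMLP}}}SessionIndex")
    if index is None or not (index.text or "").strip():
        raise ValueError("LogoutRequest carries no SessionIndex")
    name_id = root.find(f"{{{SAML}}}NameID")
    return {"id": root.get("ID"), "ticket": index.text.strip(),
            "name_id": None if name_id is None else name_id.text}


def phpcas_session_id_for_ticket(ticket: str) -> str:
    """Id phpCAS 1.3.x destroys on SLO: hash('sha256', $ticket), as I recall
    from CAS_Client (check your Client.php). Hence the SHA-256-looking id."""
    return hashlib.sha256(ticket.encode()).hexdigest()


class SessionStore:
    """Stand-in for the application's session storage."""
    def __init__(self):
        self.sessions = {}   # session id -> session data
        self.by_ticket = {}  # service ticket -> session id, filled at login

    def login(self, session_id, user, ticket, record_ticket):
        self.sessions[session_id] = {"user": user, "ticket": ticket}
        if record_ticket:
            self.by_ticket[ticket] = session_id

    def handle_slo(self, body):
        """Destroy the session the request names; return its id, or None."""
        ticket = parse_slo_request(body)["ticket"]
        # With no recorded mapping the only candidate is the phpCAS-derived id,
        # which never existed if the app (like Nextcloud) keeps its own ids.
        candidate = self.by_ticket.get(ticket, phpcas_session_id_for_ticket(ticket))
        if candidate not in self.sessions:
            return None
        del self.sessions[candidate]
        self.by_ticket.pop(ticket, None)
        return candidate


def demo():
    """The same SLO request against a store that recorded the ticket and one that did not."""
    ticket, app_sid = "ST-2-EXAMPLETICKET", "app-session-EXAMPLE"  # as in SLO_BODY
    unmapped, mapped = SessionStore(), SessionStore()
    unmapped.login(app_sid, "alice", ticket, record_ticket=False)
    mapped.login(app_sid, "alice", ticket, record_ticket=True)
    return {"unmapped_destroyed": unmapped.handle_slo(SLO_BODY),  # None
            "unmapped_alive": app_sid in unmapped.sessions,       # True
            "mapped_destroyed": mapped.handle_slo(SLO_BODY),      # app_sid
            "mapped_alive": app_sid in mapped.sessions}           # False
```

The unmapped store reproduces the thread's symptom: phpCAS reports a session destroyed, yet the session the browser actually holds survives.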

felixrupp commented 5 years ago

Hi @Baso123 @pmayer @alexisberindei

This should be fixed with release 1.8.0.

Please report back if it works or not!

Thanks for your help, have a great Christmas,

Felix

renx123 commented 4 years ago

Hi!

I seem to be having the same problem, but with Nextcloud 16.0.7.1 and user_cas 1.8.

Everything looks good in phpcas.log:

908F .=> CAS_Client::handleLogoutRequests(true, array ( 0 => 'host1', 1 => 'host2',)) [CAS.php:1298]
908F .|    Logout requested [Client.php:1755]
908F .|    SAML REQUEST: <samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="LR-11897-wQxotb9FY4-8egNq" Version="2.0" IssueInstant="2020-01-28T22:23:51Z"><saml:NameID xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">@NOT_USED@</saml:NameID><samlp:SessionIndex>ST-13825-lioepfxlIZAb3wratS8Y6p......</samlp:SessionIndex></samlp:LogoutRequest> [Client.php:1757]
908F .|    Client: host/IP [Client.php:1765]
908F .|    Allowed client 'host1' does not match [Client.php:1778]
908F .|    Allowed client 'host2' matches, logout request is allowed [Client.php:1772]
908F .|    Logout command allowed [Client.php:1788]
908F .|    Ticket to logout: ST-13825-...... [Client.php:1804]
908F .|    Session id: cca45049f759dc80d8f92dda513.... [Client.php:1817]
908F .|    Session cca45049f759dc80d8f92dda5139df..... destroyed [Client.php:1833]
908F .|    exit()

In the apache logs it's possible to see that the POST request is made to nextcloud:

POST /apps/user_cas/login HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Content-Length: 473
Host: host
Connection: Keep-Alive
User-Agent: Apache-HttpClient/4.5.6 (Java/1.8.0_232)
Cookie: __Host-nc_sameSiteCookielax=true; __Host-nc_sameSiteCookiestrict=true; oc38h.....9d895; oc_sessionPassphrase=DxTws%.....2Fwwnuosb1Zu5HfO1so; user_cas_enforce_authentication=0
Accept-Encoding: gzip,deflate

--366a7748-C--
logoutRequest=%3Csamlp%3ALogoutRequest+xmlns%3Asamlp%3D%22.............E%3C%2Fsamlp%3ALogoutRequest%3E
--366a7748-F--
HTTP/1.1 200 OK

The problem is that the session is not terminated and it's possible to continue browsing the Nextcloud interface, like reported before. I have set debug mode on but I'm not seeing anything about the logout request in nextcloud.log, even though from the apache logs it seems the request is going towards nextcloud. Are there any more suggestions on how to debug this?

felixrupp commented 4 years ago

Hi @renx123

That’s actually helpful, thanks. Can you please also post the corresponding part of the nextcloud.log file? You may have to fix the log settings in your config/config.php file so that everything I need to see gets logged. Please redo all the steps you did before, so all possible errors get logged.

Add the following settings to your config.php for the log to work properly:

'loglevel' => 0,
'log_type' => 'file',
'logfile' => '/var/log/nextcloud.log',

Thanks and Regards, Felix

renx123 commented 4 years ago

I have added the log parameters. What is strange is that the log file is not catching the POST request from CAS, even though it can be traced in the apache logs. Everything else is showing in the nextcloud log: CAS logins, the logout request when pressing the logout button, etc.

I did try to send the same request through Postman to see if this gets the log triggered. Sending the same logout request with a RAW body, the log was also quiet. When I cut the message down and send only the text "test", it gets a response in the log:

{"reqId":"XjGEeMFi31zAzrGcyDZ4xAAAAFA","level":0,"time":"2020-01-29T13:11:20+00:00","remoteAddr":"IP","user":"--","app":"user_cas","method":"POST","url":"\/apps\/user_cas\/login","message":"phpCAS has been successfully initialized.","userAgent":"PostmanRuntime\/7.21.0","version":"16.0.7.1"}

I also tried, for testing, to send it as content-type x-www-form-urlencoded (this is what CAS uses) and got the same response as before.

felixrupp commented 4 years ago

Hi @renx123

Thanks for your input, I’m currently debugging this. I will let you know when I have found the error!

Regards, Felix

pingou2712 commented 4 years ago

Ahahah, I didn't see this post... I've pulled you a fix for that =) https://github.com/felixrupp/user_cas/pull/81

Regards, Vincent