ZeroGraviti

Reputation: 1087

Getting an HTTP 404 CAS Server SingleLogoutService

I am testing the SLO aka Single Logout Service for HTTP Redirect SAML 2.0 binding. I am able to SSO successfully but I need an HTTP Redirect endpoint on CAS to point to from my SAML-SP for SLO. The endpoint I am getting a 404 on is http://cas-server:8080/idp/profile/SAML2/Redirect/SLO.

For SSO, the endpoint http://cas-server:8080/idp/profile/SAML2/Redirect/SSO is working fine.

My CAS version is 5.0.6.

Here is a snippet from my IdP metadata XML with the endpoints for SLO and SSO:

<SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="http://cas-server:8080/idp/profile/SAML2/Redirect/SLO"/>
<SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://cas-server:8080/idp/profile/SAML2/POST/SLO"/>
<SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign" Location="http://cas-server:8080/idp/profile/SAML2/POST-SimpleSign/SLO"/>
<SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="http://cas-server:8080/idp/profile/SAML2/SOAP/SLO"/>
<NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</NameIDFormat>
<NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
<SingleSignOnService Binding="urn:mace:shibboleth:1.0:profiles:AuthnRequest" Location="http://cas-server:8080/idp/profile/Shibboleth/SSO"/>
<SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://cas-server:8080/idp/profile/SAML2/POST/SSO"/>
<SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign" Location="http://cas-server:8080/idp/profile/SAML2/POST-SimpleSign/SSO"/>
<SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="http://cas-server:8080/idp/profile/SAML2/Redirect/SSO"/>

Please help me understand if HTTP Redirect is supported for SLO scenarios.

TIA.

Upvotes: 0

Views: 311

Answers (1)

Misagh Moayyed

Reputation: 4318

Based on the 5.0.x documentation, the following endpoints are supported:

/cas/idp/profile/SAML2/Redirect/SSO
/cas/idp/profile/SAML2/POST/SSO
/cas/idp/profile/SAML2/POST/SLO
/cas/idp/profile/SAML2/Unsolicited/SSO

If you see the 5.1.x documentation, the endpoints are as follows:

/cas/idp/profile/SAML2/Redirect/SSO
/cas/idp/profile/SAML2/POST/SSO
/cas/idp/profile/SAML2/POST/SLO
/cas/idp/profile/SAML2/Redirect/SLO
/cas/idp/profile/SAML2/Unsolicited/SSO
/cas/idp/profile/SAML2/SOAP/ECP

So at a minimum, you need to be on 5.1.x, or better yet, the latest patch release of 5.3.x if you have to stay on Java 8.

Upvotes: 1
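
As an added example (not from the answer or the CAS project), the check below compares the SSO/SLO endpoints an IdP metadata file advertises against the per-version lists quoted in the answer and reports any that are not listed. The function names, the version keys and the wrapper around the sample metadata are assumptions made for the illustration; the endpoint lists are the answer's, with the /cas context path stripped.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
BASE_5_0 = {"/idp/profile/SAML2/Redirect/SSO", "/idp/profile/SAML2/POST/SSO",
            "/idp/profile/SAML2/POST/SLO", "/idp/profile/SAML2/Unsolicited/SSO"}
# Endpoint lists as quoted in the answer, with the /cas context path stripped.
SUPPORTED = {
    "5.0.x": BASE_5_0,
    "5.1.x": BASE_5_0 | {"/idp/profile/SAML2/Redirect/SLO", "/idp/profile/SAML2/SOAP/ECP"},
}

# Constructed sample: four endpoints from the question's snippet, wrapped in
# the standard metadata elements (entityID is a placeholder) so it parses alone.
SAMPLE = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://idp.example/placeholder">
 <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="http://cas-server:8080/idp/profile/SAML2/Redirect/SLO"/>
  <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://cas-server:8080/idp/profile/SAML2/POST/SLO"/>
  <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="http://cas-server:8080/idp/profile/SAML2/SOAP/SLO"/>
  <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="http://cas-server:8080/idp/profile/SAML2/Redirect/SSO"/>
 </IDPSSODescriptor>
</EntityDescriptor>"""

def profile_path(location):
    """Path from /idp/profile/ onward, so a deployment context path is ignored."""
    path = urlparse(location).path
    idx = path.find("/idp/profile/")
    return path[idx:] if idx >= 0 else path

def unlisted_endpoints(metadata_xml, cas_version):
    """Return (element, binding, path) for each advertised SSO/SLO endpoint
    that is not in the documented list for cas_version."""
    listed = SUPPORTED[cas_version]
    # Use only on metadata you control: ElementTree is not hardened for hostile XML.
    root = ET.fromstring(metadata_xml)
    findings = []
    for ep in root.iter():
        name = ep.tag.replace(MD, "")
        if name not in ("SingleSignOnService", "SingleLogoutService"):
            continue
        path = profile_path(ep.get("Location", ""))
        if path not in listed:
            binding = ep.get("Binding", "").rsplit(":", 1)[-1]
            findings.append((name, binding, path))
    return findings

if __name__ == "__main__":
    for version in SUPPORTED:
        print(version, unlisted_endpoints(SAMPLE, version))
```

An SLO endpoint that is advertised but not listed for the running version is worth fixing in the metadata, since an SP that picks that binding cannot deliver its logout request to the IdP.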
