
Thread: CAS logout

  1. #1
    Join Date
    Mar 2005
    Location
    Prague, Czech Republic
    Posts
    34

    CAS logout

    I'm evaluating CAS right now and it seems to be working except for one thing. When I log out in one web application I'm still logged in to the second web application. I perform logout this way:
    1) invalidate session
    2) redirect to CAS logout servlet

    It looks like I'd need to invalidate a session in the second application (but how)? And another thing, I'm not able to find a cookie which should indicate previous login as stated in the reference doc on page 39:
    "If the user presents a session cookie which indicates they've previously logged on, they will not be prompted to login again"
    Thanks

  2. #2
    Luke Taylor, Senior Member, Acegi Security System Team / Spring Team
    Join Date
    Aug 2004
    Location
    Glasgow, Scotland
    Posts
    3,449

    Re: CAS logout

    Quote Originally Posted by garyfisher
    And another thing, I'm not able to find a cookie which should indicate previous login as stated in the reference doc on page 39:
    "If the user presents a session cookie which indicates they've previously logged on, they will not be prompted to login again"
    Thanks
    This is referring to the login to the CAS server and the ticket-granting cookie which it issues to indicate that a user has already authenticated. The CAS logout should explicitly remove it. You may not see any jsessionid cookies if you're using SSL, for example.

    I think the problem is that, even if you have destroyed the CAS cookie, the second web application will still have a valid cached Acegi authentication token and it will happily continue using that unless you explicitly make a call to invalidate the session there too.

    "Single sign-out" is mentioned in the CAS 3 information but I haven't looked to see how it works.

    Luke.

  3. #3
    Join Date
    Aug 2004
    Location
    Sydney, Australia
    Posts
    2,768


    There is a lot of discussion on the CAS list about problems with logging out under CAS 2.x. The key problem, IIRC, is notifying all CAS-aware applications that a given user has performed a single sign out.

    Which CAS version are you using? Have you considered these technical issues with logging out?

  4. #4
    Join Date
    Mar 2005
    Location
    Prague, Czech Republic
    Posts
    34


    I'm using server version 2.0.12. How are the webapps notified? Do I have to implement some special "something" (servlet, controller, whatever...)?

    Thanks, I'll try to search their mail archive

  5. #5
    Join Date
    Sep 2004
    Posts
    12


    While looking for a solution to the problem of single sign out I ran across the following:

    http://gcx1.mygcx.org/cas/CCCIChanges.html

    They have created a version of CAS which stores all the client apps which have requested authorization, and then notifies each of them on logout so that they can perform any logout actions themselves.

    I looked through their code and it seems pretty straightforward.

    It would be great if we could integrate this option in ACEGI, so that when setting up the cas related beans we could state that we want this behavior supported.
    I'm not really sure what changes this entails, as I don't know the ACEGI source code very well, any pointers would be great.

    Cheers.

  6. #6
    Join Date
    Aug 2004
    Location
    Roselle Park, NJ
    Posts
    167


    Quote Originally Posted by garyfisher
    I'm using server version 2.0.12. How are the webapps notified? Do I have to implement some special "something" (servlet, controller, whatever...)?

    Thanks, I'll try to search their mail archive
    In CAS 2.0.x, there is no single sign out mechanism. Applications are not notified that the CAS single sign on session has ended. Logging out effectively ends your ability to use single sign on to authenticate to other applications.

  7. #7
    Join Date
    Aug 2004
    Location
    Roselle Park, NJ
    Posts
    167

    Re: CAS logout

    Quote Originally Posted by Luke
    "Single sign-out" is mentioned in the CAS 3 information but I haven't looked to see how it works.
    Currently CAS 3 supports a method whereby you can register a service (in the Services list) with a specific callback mechanism to single sign out. This is currently implemented to allow the clients of the CCCI version of CAS 2 to continue functioning without change and still allow us to come up with a CAS 3 single sign out protocol. At this moment in time, there is no "CAS 3 single signout callback" but we can add one. We are still discussing the best way to handle it (we may just adapt the CCCI protocol). If we adopt the protocol, then the callback class would be removed.

    Dmitriy and I are tasked with CAS3 compatibility with Acegi, so once we work out the mechanism by which it's done, we will be sure to integrate it with Acegi.
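    The exchange discussed in posts #2, #5 and #7 (the second application keeping its own valid session after a CAS logout, and the CCCI-style fix where the server records which services obtained tickets and calls each one back on logout) is modelled below. This is an added illustration, not code from CAS, Acegi or the CCCI fork: the class names `CasServer` and `ClientApp`, the method names, and the in-memory ticket registry are all assumptions made for the example. Running `simulate(False)` reproduces the original poster's CAS 2.0.x symptom; `simulate(True)` shows the callback variant ending both sessions.

```python
"""Model of CAS logout with and without single sign-out callbacks.

Constructed illustration (not CAS, Acegi or CCCI code): an in-memory CAS
server that records which services received a service ticket for a given
ticket-granting ticket (TGT) and, when single sign-out is enabled, notifies
each of them on logout so they can invalidate the local session bound to that
ticket. All names below are assumptions for the example.
"""
import secrets


class ClientApp:
    """A CAS-protected web application with its own HTTP session store."""

    def __init__(self, name):
        self.name = name
        self.sessions = {}            # local session id -> {"ticket": st}
        self.ticket_to_session = {}   # service ticket -> local session id

    def login_with_ticket(self, ticket):
        """Create a local session once the service ticket has been validated."""
        session_id = secrets.token_hex(8)
        self.sessions[session_id] = {"ticket": ticket}
        self.ticket_to_session[ticket] = session_id
        return session_id

    def is_logged_in(self, session_id):
        return session_id in self.sessions

    def logout_callback(self, ticket):
        """Server-initiated callback: drop the session created for ticket."""
        session_id = self.ticket_to_session.pop(ticket, None)
        if session_id is None:
            return False
        self.sessions.pop(session_id, None)
        return True

    def local_logout(self, session_id):
        """Step 1 of the poster's flow: invalidate only this app's session."""
        entry = self.sessions.pop(session_id, None)
        if entry:
            self.ticket_to_session.pop(entry["ticket"], None)


class CasServer:
    """Minimal SSO server: TGT per login, service tickets per application."""

    def __init__(self, single_sign_out=True):
        self.single_sign_out = single_sign_out
        self.tgts = {}     # tgt -> username
        self.issued = {}   # tgt -> list of (ClientApp, service ticket)

    def login(self, username):
        tgt = "TGT-" + secrets.token_hex(8)
        self.tgts[tgt] = username
        self.issued[tgt] = []
        return tgt

    def request_service_ticket(self, tgt, app):
        """Issue a ticket for app and remember who received it."""
        if tgt not in self.tgts:
            raise PermissionError("no valid single sign-on session")
        st = "ST-" + secrets.token_hex(8)
        self.issued[tgt].append((app, st))
        return st

    def logout(self, tgt):
        """Step 2 of the poster's flow: end the SSO session.

        With single sign-out enabled every service that received a ticket for
        this TGT is called back (the CCCI approach); without it (CAS 2.0.x)
        only the TGT is dropped and no application is told.
        Returns the number of applications that invalidated a session.
        """
        self.tgts.pop(tgt, None)
        notified = 0
        for app, st in self.issued.pop(tgt, []):
            if self.single_sign_out and app.logout_callback(st):
                notified += 1
        return notified


def simulate(single_sign_out):
    """Log in to two apps via one TGT, log out from app A, report the state."""
    cas = CasServer(single_sign_out)
    app_a, app_b = ClientApp("A"), ClientApp("B")
    tgt = cas.login("alice")   # constructed sample user
    sess_a = app_a.login_with_ticket(cas.request_service_ticket(tgt, app_a))
    sess_b = app_b.login_with_ticket(cas.request_service_ticket(tgt, app_b))
    app_a.local_logout(sess_a)  # user clicks logout in A ...
    cas.logout(tgt)             # ... and is redirected to the CAS logout
    return {
        "a_logged_in": app_a.is_logged_in(sess_a),
        "b_logged_in": app_b.is_logged_in(sess_b),
        "sso_alive": tgt in cas.tgts,
    }


if __name__ == "__main__":
    print("CAS 2.0.x style:", simulate(False))
    print("callback style: ", simulate(True))
```

    The point the model makes is the one in post #2: the CAS logout ends the SSO session (no new service tickets can be obtained), but app B's own session outlives it unless something on the server side tells B which ticket to forget. Keying the callback on the service ticket rather than on a username is what lets the application find exactly the session to drop.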

  8. #8
    Join Date
    Sep 2004
    Posts
    12

    Re: CAS logout

    Quote Originally Posted by Scott Battaglia
    Dmitriy and I are tasked with CAS3 compatibility with Acegi, so once we work out the mechanism by which it's done, we will be sure to integrate it with Acegi.
    Is there some general timeline for CAS3 and Acegi integration? Do you think it will be months or years?
    Thanks.

  9. #9
    Join Date
    Aug 2004
    Location
    Roselle Park, NJ
    Posts
    167


    Technically, CAS 3 right now would work with Acegi as long as you don't want any of the new CAS 3 features.

    We're looking at releasing CAS 3 as final in June. I would expect support in Acegi not long after that (especially since once it goes RC none of the protocols will change). I'll know more as we get closer to the CAS 3 deadline.

  10. #10
    Join Date
    Sep 2004
    Posts
    12


    Thanks for the info.
    Cheers.
