  • CAS logout

    I'm evaluating CAS right now and it seems to be working except for one thing. When I log out in one web application I'm still logged in to the second web application. I perform logout this way:
    1) invalidate session
    2) redirect to CAS logout servlet

    It looks like I'd need to invalidate a session in the second application (but how?). And another thing, I'm not able to find a cookie which should indicate previous login as stated in the reference doc on page 39:
    "If the user presents a session cookie which indicates they've previously logged on, they will not be prompted to login again"
    Thanks

  • #2
    Re: CAS logout

    Originally posted by garyfisher
    And another thing, I'm not able to find a cookie which should indicate previous login as stated in the reference doc on page 39:
    "If the user presents a session cookie which indicates they've previously logged on, they will not be prompted to login again"
    Thanks
    This is referring to the login to the CAS server and the ticket-granting cookie which it issues to indicate that a user has already authenticated. The CAS logout should explicitly remove it. You may not see any jsessionid cookies if you're using SSL, for example.

    I think the problem is that, even if you have destroyed the CAS cookie, the second web application will still have a valid cached Acegi authentication token and it will happily continue using that unless you explicitly make a call to invalidate the session there too.

    "Single sign-out" is mentioned in the CAS 3 information but I haven't looked to see how it works.

    Luke.

    • #3
      There is a lot of discussion on the CAS list about problems with logging out under CAS 2.x. The key problem, IIRC, is notifying all CAS-aware applications that a given user has performed a single sign out.

      Which CAS version are you using? Have you considered these technical issues with logging out?

      • #4
        I'm using server version 2.0.12. How are the webapps notified? Do I have to implement some special "something" (servlet, controller, whatever...)?

        Thanks, I'll try to search their mail archive.

        • #5
          While looking for a solution to the problem of single sign out I ran across the following:

          http://gcx1.mygcx.org/cas/CCCIChanges.html

          They have created a version of CAS which stores all the client apps which have requested authorization, and then notifies each of them on logout so that they can perform any logout actions themselves.

          I looked through their code and it seems pretty straightforward.

          It would be great if we could integrate this option in ACEGI, so that when setting up the CAS-related beans we could state that we want this behavior supported.
          I'm not really sure what changes this entails, as I don't know the ACEGI source code very well; any pointers would be great.

          Cheers.

          • #6
            Originally posted by garyfisher
            I'm using server version 2.0.12. How are the webapps notified? Do I have to implement some special "something" (servlet, controller, whatever...)?

            Thanks, I'll try to search their mail archive.
            In CAS 2.0.x, there is no single sign out mechanism. Applications are not notified that the CAS single sign on session has ended. Logging out effectively ends your ability to use single sign on to authenticate to other applications.

            • #7
              Re: CAS logout

              Originally posted by Luke
              "Single sign-out" is mentioned in the CAS 3 information but I haven't looked to see how it works.
              Currently CAS 3 supports a method whereby you can register a service (in the Services list) with a specific callback mechanism to single sign out. This is currently implemented to allow the clients of the CCCI version of CAS 2 to continue functioning without change and still allow us to come up with a CAS 3 single sign out protocol. At this moment in time, there is no "CAS 3 single signout callback" but we can add one. We are still discussing the best way to handle it (we may just adapt the CCCI protocol). If we adopt the protocol, then the callback class would be removed.

              Dmitriy and I are tasked with CAS3 compatibility with Acegi, so once we work out the mechanism by which it's done, we will be sure to integrate it with Acegi.

              • #8
                Re: CAS logout

                Originally posted by Scott Battaglia
                Dmitriy and I are tasked with CAS3 compatibility with Acegi, so once we work out the mechanism by which it's done, we will be sure to integrate it with Acegi.
                Is there some general timeline for CAS3 and Acegi integration? Do you think it will be months or years?
                Thanks.

                • #9
                  Technically, CAS 3 right now would work with Acegi as long as you don't want any of the new CAS 3 features.

                  We're looking at releasing CAS 3 as final in June. I would expect support in Acegi not long after that (especially since once it goes RC none of the protocols will change). I'll know more information as we get closer to the CAS 3 deadline.

                  • #10
                    Thanks for the info.
                    Cheers.

                    • #11
                      In our meeting yesterday I just found out that we're moving Single Signout to post-CAS 3.0. It will remain in the sandbox but it will not be part of the official distribution (I'm hoping I can push it out quickly after, if possible).

                      • #12
                        Any updates on Single Sign Out?

                        • #13
                          Go to the CAS site

                          http://www.ja-sig.org/products/cas/

                          and search for "signout"

                          • #14
                            Thank you very much Luke.

                            Here's an interesting post I found by following your lead:

                            VT CAS Server Software Architecture

                            Cheers!

                            • #15
                              By following the CCCI recommendations, I was able to implement a very effective signoff from our 2.X CAS implementation. The key feature I had to add was a new ACEGI filter that verified the user was still enabled before proceeding with the rest of the ACEGI chain. The CCCI recommendation suggested detecting a "-" in front of the service ticket to signal the app to disable the user.
                              So, when an app logs out, CAS sends a logout command to all logged-in apps and they mark that user as disabled. When the user comes back, the login-enabled filter detects they are disabled and invalidates the session.

                              I can provide more details if needed but it works great for us.

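As an added example (not code from Acegi, CCCI or the poster above), here is how the "login enabled" filter described in the last post could look as a plain servlet filter placed ahead of the rest of the Acegi chain. It assumes the application records each validated service ticket against its user via `recordLogin`, keeps the user name in a session attribute (`cas.user`, a made-up name), and that the CAS logout callback re-sends the original ticket prefixed with "-" as the CCCI notes describe; `/login` is an assumed local login entry point.

```java
import java.io.IOException;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import javax.servlet.*;
import javax.servlet.http.*;

/** Login-enabled filter: (1) a CCCI-style callback, where CAS re-sends the service
 *  ticket prefixed with "-", marks that ticket's user as disabled; (2) a disabled
 *  user's next request has its local session invalidated and is sent to login. */
public class LoginEnabledFilter implements Filter {
    static final String USER_ATTR = "cas.user"; // hypothetical session attribute holding the user name
    static final String LOGIN_URL = "/login";   // assumed local login entry point
    static final Map<String, String> ticketToUser = new ConcurrentHashMap<>();
    static final Set<String> disabledUsers = ConcurrentHashMap.newKeySet();

    /** Assumed to be called by the app right after a service ticket validates. */
    static void recordLogin(String ticket, String user) { ticketToUser.put(ticket, user); }

    /** Handles "-<ticket>": disables that ticket's user and returns the name,
     *  or null when the ticket was never recorded by this application. */
    static String disableUserForTicket(String signedTicket) {
        String user = ticketToUser.remove(signedTicket.substring(1));
        if (user != null) disabledUsers.add(user);
        return user;
    }

    public void init(FilterConfig cfg) {}
    public void destroy() {}
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        String ticket = request.getParameter("ticket");
        if (ticket != null && ticket.startsWith("-")) {     // single sign-out callback from CAS
            disableUserForTicket(ticket);
            response.setStatus(HttpServletResponse.SC_OK);  // acknowledge; no page needed
            return;
        }
        // A returning user whose CAS session has ended: drop the session, force re-login.
        HttpSession session = request.getSession(false);
        String user = session == null ? null : (String) session.getAttribute(USER_ATTR);
        if (user != null && disabledUsers.remove(user)) {
            session.invalidate();
            response.sendRedirect(request.getContextPath() + LOGIN_URL);
            return;
        }
        chain.doFilter(req, res);
    }
}
```

The ticket and disabled-user registries are static in-process maps, so in a clustered deployment the callback from CAS may reach a different node than the one holding the user's session; the flag would then need to live in shared storage that every node consults.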