CAS OIDC logout issue
212 views
Skip to first unread message
Anitha C
Apr 11, 2022, 10:14:18 PM4/11/22
to CAS Community
We have CAS v6.5.0 deployed to do delegated authentication to a generic OIDC provider.
The configuration also includes the logout URL to the OIDC provider, so that the user is logged out of the OIDC provider on logging out of the application and CAS.
On successful authentication, the PAC4j user profile is saved along with the TST ticket in the ticket registry. So, when the user logs out, the user profile tied to the TST ticket is retrieved and the OIDC logout occurs.
However, if the TST expires before the user logs out, there is no user profile found for the session, and so OIDC logout never happens in that case.
What is the ideal/recommended timeout value for a transient session ticket in a CAS server that is configured to do delegated authentication?
Are there any other configurations to store/retrieve the OIDC user profile besides in TST?
Appreciate any suggestions on handling this use case.
Thanks.
Ray Bon
Apr 12, 2022, 11:55:29 AM4/12/22
to cas-...@apereo.org
Anitha,
What you are asking is in the realm of single logout. Single logout is messy business. It will never work the way you, or anyone else, thinks it will.
My only hint would be to set the TST life time to the same as, or just longer, than OP session length. This will make the cas session, in general, longer.
It will of course get more complicated if you add more providers or other sources of authentication.
Something else to think about is how this change will affect other applications you support.
Ray
On Mon, 2022-04-11 at 14:39 -0700, Anitha C wrote:
Notice: This message was sent from outside the University of Victoria email system. Please be cautious with links and sensitive information.
--
Ray Bon
Programmer Analyst
Development Services, University Systems
2507218831 | CLE 019 | rb...@uvic.ca
I acknowledge and respect the lək̓ʷəŋən peoples on whose traditional territory the university stands, and the Songhees, Esquimalt and WSÁNEĆ peoples whose historical relationships with the land continue to this day.
Anitha C
Apr 12, 2022, 10:22:56 PM4/12/22
to CAS Community, Ray Bon
Thanks Ray, that makes sense.
For a single provider, increasing the TST lifetime to match provider's session length seems like a possible solution.
Reply all
Reply to author
Forward
0 new messages