how does Single Log Out work?

[Yan Zhou]

Hello, 

I am under the impression that, if I type /cas/logout in browser, it logs me out of CAS, then, CAS goes through all services, look for LOGOUT_URL and LOGOUT_TYPE.

Any service has a LOGOUT_URL and LOGOUT_TYPE defined (e.g., Back Channel), CAS will POST to that URL. 

Is that how it works?  But, I do not see it happening.  I am running CAS 4.1.x overlay.

Thx!

Yan 

[Ray Bon]

Yan,

Single log out is on by default (this is the case in 5.x.), and the default conditions are: LOGOUT_URL is the one that was used during login, back channel is default LOGOUT_TYPE.

These log configs may help (they may be different in 4.x):

        <!-- DEBUG service status and logout process and a lot of details -->

        <AsyncLogger name="org.apereo.cas.logout" level="info" />

        <!-- INFO  Performing logout operations for [TGT-...]

                   [number] logout requests were processed

             DEBUG ST, principal and URL -->

        <AsyncLogger name="org.apereo.cas.logout.DefaultLogoutManager" level="info">

            <Filters>

                <ThresholdFilter level="INFO" onMatch="ACCEPT" onMismatch="NEUTRAL" />

                <RegexFilter regex="Captured logout request.*" onMismatch="DENY" />

            </Filters>

        </AsyncLogger>

        <!-- DEBUG Logout request will be sent to but does not print anything when login was through SAML 1.1 -->

        <AsyncLogger name="org.apereo.cas.logout.DefaultSingleLogoutServiceLogoutUrlBuilder" level="warn" />

        <!-- DEBUG preparing, processing and logout with URL and ST -->

        <AsyncLogger name="org.apereo.cas.logout.DefaultSingleLogoutServiceMessageHandler" level="debug" />

        <!-- DEBUG SAML logout payload -->

        <AsyncLogger name="org.apereo.cas.logout.SamlCompliantLogoutMessageCreator" level="warn" />

Ray

-- 
Ray Bon
Programmer analyst
Development Services, University Systems
2507218831 | CLE 019 | rb...@uvic.ca