SLO and SSO using Mod_auth_cas


Ramakrishna G

May 24, 2018, 2:13:35 AM
to cas-...@apereo.org
Hello,

I am using Mod_auth_cas for reverse proxy to my CAS server. How do I achieve SLO and SSO using mod_auth_cas? Also, when I log out I am still able to access my application without authentication. Is this the way mod_auth_cas works?

Thanks
Ramakrishna G

David Curry

May 24, 2018, 8:47:56 AM
to cas-...@apereo.org
What do you mean when you say you are "using mod_auth_cas for reverse proxy to my cas server"? Mod_auth_cas is not a (reverse) proxy. It's simply a way to control access to content on an Apache web server using CAS authentication. Think of it as an alternative to HTTP Basic Authentication. It seems like this was explained in an earlier thread; if you want to spread the load across multiple CAS servers, you should just stick a load balancer (NGINX, F5, etc.) in front of them. See, for example, the picture here https://apereo.github.io/cas/development/planning/High-Availability-Guide.html.

As for logging out, mod_auth_cas does not support SLO. This is documented in the README file under "Known Limitations". If you really want to implement logout with mod_auth_cas, you would somehow have to arrange for the logout process (which mod_auth_cas is completely unaware of, since it doesn't have its own "logout" link and it doesn't support SLO) to delete the "MOD_AUTH_CAS_S" cookie from the user's browser. You MIGHT be able to make use of the "logoutUrl" property in the service registry (https://apereo.github.io/cas/development/installation/Logout-Single-Signout.html#service-endpoint-for-logout-requests) to accomplish this, with the page that URL points to taking care of deleting the cookie.



--

DAVID A. CURRY, CISSP
DIRECTOR OF INFORMATION SECURITY
INFORMATION TECHNOLOGY

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 212 229-5300 x4728
david...@newschool.edu

The New School



--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAGST5P_19UfBq%2BsefvrBRD9UBOJMQHQqJj%3DmJzvm3Op6JsSUAQ%40mail.gmail.com.

Ramakrishna G

May 24, 2018, 9:45:01 AM
to cas-...@apereo.org
Hey David,

Firstly, thanks for your response and for clarifying a few things. My query to you now is:

Does the logoutUrl property support SLO? If so, which cookies should I be deleting?




David Curry

May 24, 2018, 10:32:00 AM
to cas-...@apereo.org
I'm not sure what you mean by the logoutUrl "supporting" SLO. If you mean will SLO suddenly start working just because you put a value in that property, then the answer is no.

The logoutUrl property is exactly what the documentation says it is -- a way to let an application receive a logout request from the CAS server when the application is using a CAS client that doesn't implement logout requests itself (in this case, mod_auth_cas). It's completely up to you to actually implement the logout process.

So, since "logging out" of mod_auth_cas involves manually deleting the "MOD_AUTH_CAS_S" cookie from the browser, then I would suppose you could make your logoutUrl point to "https://your.web.server/logout.html" or something, and make logout.html contain some JavaScript to delete the cookie:

<html>
<head></head>
<body>
  <script>document.cookie = 'MOD_AUTH_CAS_S=; expires=Thu, 01 Jan 1970 00:00:01 GMT;';</script>
  <p>Goodbye!</p>
</body>
</html>

Note that the cookie is set relative to the path you secured with mod_auth_cas, so you should put the logout.html file in the same directory that you put your protected content in. This means that if you have multiple directories protected by mod_auth_cas on the same server, you'll need to put a logout.html into each one of them (or make the JavaScript smarter than what's shown above).

Note that mod_auth_cas itself DOES NOT know anything about the logoutUrl. This is basically a hack to get around the fact that mod_auth_cas does not implement logout.

--Dave

P.S. - I have not tried any of the above, so you may need to play with it a bit to get it to work.



--

DAVID A. CURRY, CISSP
DIRECTOR OF INFORMATION SECURITY
INFORMATION TECHNOLOGY

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 212 229-5300 x4728
david...@newschool.edu

The New School
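
The reply above notes that the one-line script only clears a cookie scoped to the page's own directory and that the JavaScript could be made smarter. The following is an added example (not from the thread and not mod_auth_cas code) that expires the cookie at every ancestor path of the logout page, so one page can serve several protected directories. The `MOD_AUTH_CAS` name and the optional `domain` argument are assumptions, and the script only helps if the cookie is not flagged HttpOnly and the page is actually loaded in the user's browser.

```javascript
// Added example: expire the mod_auth_cas cookie at every path it may be scoped to.
// MOD_AUTH_CAS_S is the name quoted in the thread; MOD_AUTH_CAS is assumed
// here as its plain-HTTP counterpart.
const COOKIE_NAMES = ['MOD_AUTH_CAS_S', 'MOD_AUTH_CAS'];
const EPOCH = 'Thu, 01 Jan 1970 00:00:01 GMT';

// "/app/reports/logout.html" -> ["/", "/app", "/app/", "/app/reports", "/app/reports/"]
// A cookie is identified by name + domain + path, and "/app" and "/app/" are
// different paths, so both spellings of every ancestor directory are tried.
function candidatePaths(pathname) {
  const dirs = pathname.split('/').filter(Boolean);
  if (!pathname.endsWith('/')) dirs.pop(); // last segment is a file name
  const paths = ['/'];
  let current = '';
  for (const dir of dirs) {
    current += '/' + dir;
    paths.push(current, current + '/');
  }
  return paths;
}

// Build one expiring cookie string per (name, path) pair. Pass `domain` only
// when the cookie was issued with a Domain attribute; it must match to delete.
function expiryStrings(pathname, domain) {
  const out = [];
  for (const name of COOKIE_NAMES) {
    for (const path of candidatePaths(pathname)) {
      out.push(`${name}=; expires=${EPOCH}; path=${path}` +
               (domain ? `; domain=${domain}` : ''));
    }
  }
  return out;
}

// Apply the deletions, then report which session cookies script can still see.
// An HttpOnly cookie never shows up here, so an empty result does not prove
// that the cookie is gone.
function clearCasCookies(doc, pathname, domain) {
  for (const c of expiryStrings(pathname, domain)) doc.cookie = c;
  const visible = doc.cookie.split('; ');
  return COOKIE_NAMES.filter((n) => visible.some((kv) => kv.startsWith(n + '=')));
}

// In a browser, run against the real document; skipped elsewhere (e.g. Node).
if (typeof document !== 'undefined') {
  clearCasCookies(document, location.pathname);
}
```

Expiring the cookie in the browser does not remove the session that mod_auth_cas keeps on the server, so a copy of the old cookie value stays valid until that session times out.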

