Hi,
Our CAS implements delegated logins as a SAML2 SP. After implementing our own logout action to circumvent the bug with delegated authentication logout requests and JPA ticket registry (https://groups.google.com/u/1/a/apereo.org/g/cas-user/c/DhrHL2alj08), everything seems to be working on our end. However, we found out that CAS responds to IDP logout requests with an HTTP 302 redirect to the login page instead of returning a proper SAML2 logout success response to the caller.
This does not make sense in our case, where the IDP makes front-channel logout requests with AJAX to all signed-in SPs. The IDP expects a SAML2 logout response, so it shows our SP logout as failed when CAS returns HTTP 302.
Is the logout response somehow configurable? SP should return a logout response to the IDP per the SAML2 protocol in any case.
Tomi