Help with redirecting user after terminating sessions


Tanner

Apr 8, 2019, 3:23:24 PM
to CAS Community
Hello,

We are using CAS 5.3.3 and delegating authentication to a 3rd party SAML2 identity provider.  In this case, CAS is acting as a service provider to the identity provider.  (https://apereo.github.io/cas/5.3.x/integration/Delegate-Authentication.html)
We are having a problem with terminating sessions and redirecting users back to the service that issued the logout request.  There are 3 sessions: the application session, the CAS session, and the IdP session.  It doesn't necessarily matter which order the sessions get terminated, but they all need to be terminated.  
For example, here is what a desired logout flow might entail:
1. Click logout within application, which terminates the application session
2. Get redirected from the application to the CAS /logout URL, which terminates the CAS session
3. Get redirected to the 3rd party IdP, and terminate the IdP session
4. Get redirected back to the application login page that initially issued the logout request

We prefer to have a pure CAS configuration solution, meaning that we want all the configuration for this process to reside within CAS.

We have tried using cas.logout.followServiceRedirects=true, which will redirect us back to the application that initially issued the logout request, but it will stop there and not terminate the IdP session.

We have also tried using cas.logout.redirectUrl=<IdP logout URL> which will terminate all three sessions, but it will not redirect us back to the application that initially issued the logout request.

Using a combination of these two does not seem to work.  It seems like followServiceRedirects takes precedence over redirectUrl.

We are doing this in a test environment, so there is no concern about breaking production.
Any help on this would be greatly appreciated.  Please let me know if you need any additional information.

deejam

Apr 16, 2019, 1:47:05 PM
to CAS Community
No one has any experience with the CAS logout flow when delegating authentication to a third party SAML IDP?

It seems like we basically need to preserve the value of the service parameter when passed in via /logout?service=https://app-that-uses-cas.example.com, and pass it to the third party idp so it can handle the redirect back to the app where the logout originated. 

Or maybe we rethink it and switch to a model where logouts across all apps land on the same logout landing page. 

Other thoughts?

Thanks,
Majeed
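A small Python model of the logout redirect chain described in the two posts above, added here as an illustration; it is not CAS code and not code from either poster. The registered-service set, the IdP logout endpoint, the RelayState parameter and the relay_service_to_idp switch are assumptions.

```python
from urllib.parse import urlencode, urlparse, parse_qs

# Constructed sample data, not from the thread: the CAS service registry (by host)
# and the delegated IdP's single-logout endpoint. Both are assumptions.
REGISTERED_SERVICES = {"app-that-uses-cas.example.com", "other-app.example.com"}
IDP_LOGOUT_URL = "https://idp.example.org/saml2/slo"


def service_param(logout_request_url):
    """Return the ?service= value of a /logout request, or None if absent."""
    qs = parse_qs(urlparse(logout_request_url).query)
    return qs.get("service", [None])[0]


def is_registered(service_url):
    """Allow-list check: only an https URL whose host is a registered service may
    ever be used as a redirect target, so a forged ?service= cannot turn the
    logout endpoint into an open redirect."""
    if not service_url:
        return False
    parsed = urlparse(service_url)
    return parsed.scheme == "https" and parsed.hostname in REGISTERED_SERVICES


def next_hop(logout_request_url, follow_service_redirects=False,
             redirect_url=None, relay_service_to_idp=False):
    """Where CAS sends the browser after terminating its own SSO session.

    The first two branches model cas.logout.followServiceRedirects and
    cas.logout.redirectUrl as the thread observes them: a registered service
    wins when both are set, and redirectUrl alone drops the service.
    relay_service_to_idp is a hypothetical switch for Majeed's idea: send the
    user to the IdP but carry the validated service along as SAML RelayState
    (assumption: the IdP echoes RelayState back after its own logout)."""
    service = service_param(logout_request_url)
    if follow_service_redirects and is_registered(service):
        return service          # app and CAS sessions ended, IdP session survives
    if redirect_url:
        if relay_service_to_idp and is_registered(service):
            return redirect_url + "?" + urlencode({"RelayState": service})
        return redirect_url     # all three sessions end, logout origin is lost
    return None                 # stay on the CAS logout page


if __name__ == "__main__":
    req = "https://cas.example.com/logout?service=https%3A%2F%2Fapp-that-uses-cas.example.com%2F"
    print(next_hop(req, follow_service_redirects=True))
    print(next_hop(req, redirect_url=IDP_LOGOUT_URL))
    print(next_hop(req, redirect_url=IDP_LOGOUT_URL, relay_service_to_idp=True))
```

The last case shows the only branch in which the service survives all three hops, and it does so only because the value was checked against the registry before being forwarded.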



Alin Tomoiaga

Jul 21, 2021, 8:51:01 AM
to CAS Community, deejam
I am also interested in this question. Have you found an answer?
Thanks.
