Hello,
We are having a problem with terminating sessions and redirecting users back to the service that issued the logout request. There are 3 sessions: the application session, the CAS session, and the IdP session. It doesn't necessarily matter in which order the sessions get terminated, but they all need to be terminated.
For example, here is what a desired logout flow might entail:
1. Click logout within application, which terminates the application session
2. Get redirected from the application to the CAS /logout URL, which terminates the CAS session
3. Get redirected to the 3rd party IdP, and terminate the IdP session
4. Get redirected back to the application login page that initially issued the logout request
We prefer to have a pure CAS configuration solution, meaning that we want all the configuration for this process to reside within CAS.
We have tried using cas.logout.followServiceRedirects=true, which will redirect us back to the application that initially issued the logout request, but it will stop there and not terminate the IdP session.
We have also tried using cas.logout.redirectUrl=<IdP logout URL>, which will terminate all three sessions, but it will not redirect us back to the application that initially issued the logout request.
Using a combination of these two does not seem to work. It seems like followServiceRedirects takes precedence over redirectUrl.
We are doing this in a test environment, so there is no concern about breaking production.
Any help on this would be greatly appreciated. Please let me know if you need any additional information.