CAS 5.1 Single Log Out Help


Divyesh Prajapati

Jun 19, 2017, 9:22:57 AM
to CAS Community
Hi All,

I need help with logging out from all my applications.

I have implemented SSO in two Spring web applications and tested its Single Log In functionality, and it is working fine. But Single Log Out is not working properly. Here is the problem statement:
  • Authentication
    • Open the browser and enter the URL for application A.
    • It will redirect you to the CAS login page for authentication.
    • Authentication happens, the TGT is generated, ST-1 is generated and you are redirected to application A successfully.
    • Open application B by entering its URL in a new tab.
    • It is authenticated since its URL matches the URL pattern given in the service registry.
    • ST-2 is created for application B under the same TGT.
  • Logout
    • Now I have the CAS server on another machine, and applications A and B in separate tabs.
    • When I log out from application A, application A gets logged out.
    • But application B is still logged in. I can access all pages. Only after logging out from application B does it get logged out.
What do I need to configure to set it up properly? Please help me sort out the issue.

Thanks and Regards,
Divyesh Prajapati

Edward

Nov 20, 2017, 3:03:36 AM
to CAS Community
Hi Divyesh,
Which CAS version did you use?
I have the same use case as you; maybe we can help each other out.


These are my steps:
1. In CAS service management for application A, go to the "Logout" tab and put your application A logout URL there.
2. Do the same for application B.
3. When you execute logout from application A, you also need to trigger SSO logout on your CAS
and specify where to redirect after SSO logout.
This can be done by performing a redirect to the CAS logout URL, e.g. https://mycas-domain.com:8443/cas/logout?service=https://applicationA.com/logoutResult.
By doing this, you clear the application A session, also clear the SSO session on the CAS server, and redirect back to your application A logout result page.
4. Do the same for application B.
5. If the user logs out from application A, CAS will send a POST message to all applications, containing the message below:
<?xml version="1.0" encoding="UTF-8"?>
<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="LR-21-boFjgZjhbGxHprcU6ZFLoDUXtxztpJyswnr" Version="2.0" IssueInstant="2017-11-02T18:10:16Z">
   <saml:NameID xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">@NOT_USED@</saml:NameID>
   <samlp:SessionIndex>ST-33-e5eu5by9MnAsoZzdsmio-DOMAIN17086</samlp:SessionIndex>
</samlp:LogoutRequest>


Please note that I configured both application A and B as OAuth clients.

I am now stuck in the use case where a user logging out from application A should also clear the application B session.
- If I log out from application A, CAS successfully sends the POST message to application B, but the problem is I don't know which session in application B to kill,
as the message above only contains the service ticket.
If both your App A and B are configured as CAS clients, then you will be fine.
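
An added example, not part of either post and not CAS or client-library code: one way an application can decide which local session to kill when the logout POST above arrives. It assumes the application recorded, at login, the ticket it validated against its own session id, as a CAS client does; `TicketSessionRegistry`, `on_login` and `on_logout_request` are hypothetical names.

```python
import re
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"

# The logout message quoted in the post above, used here as sample input.
SAMPLE = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    '<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'ID="LR-21-boFjgZjhbGxHprcU6ZFLoDUXtxztpJyswnr" Version="2.0" '
    'IssueInstant="2017-11-02T18:10:16Z">'
    '<saml:NameID xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">@NOT_USED@</saml:NameID>'
    '<samlp:SessionIndex>ST-33-e5eu5by9MnAsoZzdsmio-DOMAIN17086</samlp:SessionIndex>'
    '</samlp:LogoutRequest>'
)


def extract_session_index(body):
    """Return the ticket in <samlp:SessionIndex>, or None if body is not a logout request."""
    # A logout request never needs a DTD; refusing one blocks entity-expansion payloads.
    if re.search(r"<!(DOCTYPE|ENTITY)", body, re.IGNORECASE):
        return None
    try:
        root = ET.fromstring(body.strip())
    except ET.ParseError:
        return None
    if root.tag != "{%s}LogoutRequest" % SAMLP:
        return None
    ticket = (root.findtext("{%s}SessionIndex" % SAMLP) or "").strip()
    return ticket or None


class TicketSessionRegistry:
    """Hypothetical helper: remembers which local session each CAS ticket created."""

    def __init__(self):
        self.sessions = {}     # local session id -> data (stand-in for the app's session store)
        self._by_ticket = {}   # ticket validated at login -> local session id

    def on_login(self, ticket, session_id, user):
        self.sessions[session_id] = {"user": user}
        self._by_ticket[ticket] = session_id

    def on_logout_request(self, body):
        """Kill the session tied to the ticket in the POSTed message; return its id or None."""
        ticket = extract_session_index(body)
        session_id = self._by_ticket.pop(ticket, None)
        if session_id is not None:
            self.sessions.pop(session_id, None)
        return session_id
```

The message as quoted carries no signature, so the endpoint that receives it should accept POSTs only from the CAS server's address.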
