CAS SLO, how does it terminate session on App if in a cluster environment?

66 views
Skip to first unread message

Yan Zhou

unread,
Apr 2, 2019, 10:53:14 AM4/2/19
to CAS Community
Hello!

CAS4, for SLO,  CAS server POSTs (back-channel SLO) to each service to perform SLO.  It works because there is a CAS client in the application that intercepts such SLO requests, it can find the app. session Id based on the CAS service ticket Id.  

Is there any requirement on the part of Application to support SLO in a cluster environment?  Our app. runs on multiple servers behind a load balancer, it uses CAS for authN.

The problem, I run into, is that when App /logout endpoint gets called, it does not know where App Session is, the load balancer may direct the app /logout on the server not having the application session.

Am I missing something? 

Thx!
Yan

Ray Bon

unread,
Apr 2, 2019, 11:22:24 AM4/2/19
to cas-...@apereo.org
Yan,

We use two different approaches. Some apps have a common session store like redis. Other applications are configured to propagate the log out to all members of the cluster, but this is only practical for a small cluster.

If your application runs in a container, maybe it can manage session replication (tomcat can do this).
Another, maybe less desirable option, perhaps the load balancer can look for /logout and broadcast to all members of the cluster.

Ray
-- 
Ray Bon
Programmer analyst
Development Services, University Systems
2507218831 | CLE 019 | rb...@uvic.ca

Yan Zhou

unread,
Apr 4, 2019, 9:56:06 AM4/4/19
to CAS Community
Hi Ray,

Can you elaborate on your approach when session is stored in Redis?   You need the key to invalidate session in Redis, how does your CAS client know the Radis key?   Is that the same as the app. session id?

Thx!
Yan

Ray Bon

unread,
Apr 4, 2019, 2:49:26 PM4/4/19
to cas-...@apereo.org
Yan,

I modified CAS-php files provided by vendor. 

1. After ST is validated, app session id is written to redis with ST as key.
2. On logout, ST is used to get session id from redis (any host can do this).
3. Session id is sent to application's log out routine.

For this to work, all hosts must use a common session store (database, redis, network file system) or somehow share the session.
The application must regularly check the store for a valid session (vendor app does this for every page request).

Ray
Reply all
Reply to author
Forward
0 new messages