Need logout flow


pradeep kumar

Feb 22, 2011, 2:16:23 AM
to cas...@googlegroups.com
Hi,

We have enabled SSO in our application using the below components

Shibboleth SP-2.3
CASShib - 3.3.5a
Shibboleth IDP - 2.1.5

The login works fine. Can anyone tell me the logout flow and how it works?

Thanks
Pradeep GM

bkoehm

Feb 22, 2011, 11:14:06 AM
to casshib
Generally speaking, you'll want to hit the logout URL of one that
redirects to the logout URL of the other that then redirects back to a
"you have been signed out" page or whatever you'd like the user to
see.

CAS has a logout URL with a 'return URL' so you can make that 'return
URL' a Shibboleth logout URL (with a Shibboleth 'return URL' to your
sign-out page).

Look at the code in casshib-demo-app for logout.jsp.

PradeepGM

Mar 14, 2011, 2:33:35 AM
to casshib
Hi bkoehm,

Thanks for your reply. I have successfully configured logout for my
application. Now I would like to single logout all of my applications
registered with my CAS server. Does the base logout URI support it or
else do I need to call any different URI? My current logout URL is
https://<mydomain>/casshib/shib/<app-name>/logout?service=<return-URL>

Thanks
Pradeep

bkoehm

Mar 14, 2011, 1:12:29 PM
to casshib
This is a general CAS server question. I am not familiar with the
single sign out feature, but a quick Google search found this:
https://wiki.jasig.org/display/CASUM/Single+Sign+Out

Single sign out for CAS means the CAS server will notify your apps
when someone logs out and then it is up to each app to do something
with that notification (like clear the session).
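
An added example, not part of bkoehm's post or the CASShib code: a minimal Python receiver for the notification described above. It assumes the CAS server POSTs a `logoutRequest` form field holding a SAML `LogoutRequest` whose `SessionIndex` is the service ticket; `SessionStore` and the sample ticket are hypothetical.

```python
import xml.etree.ElementTree as ET

SAMLP = "{urn:oasis:names:tc:SAML:2.0:protocol}"

class SessionStore:
    """Hypothetical in-memory store mapping service ticket -> local session."""
    def __init__(self):
        self._by_ticket, self._sessions = {}, {}

    def login(self, service_ticket, session_id, user):
        # Record the ST validated at login so a later logout can find the session.
        self._by_ticket[service_ticket] = session_id
        self._sessions[session_id] = user

    def is_active(self, session_id):
        return session_id in self._sessions

    def destroy_by_ticket(self, service_ticket):
        session_id = self._by_ticket.pop(service_ticket, None)
        if session_id is None:
            return False  # unknown ticket or already logged out
        self._sessions.pop(session_id, None)
        return True

def extract_session_index(xml_text):
    """Return the service ticket from a logoutRequest, or None if malformed."""
    # A logout message never needs a DTD or entities; refuse them outright.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        return None
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return None
    if root.tag != SAMLP + "LogoutRequest":
        return None
    node = root.find(SAMLP + "SessionIndex")
    text = (node.text or "").strip() if node is not None else ""
    return text or None

def handle_back_channel_logout(form, store):
    """form: parsed POST fields (dict). True if a local session was ended."""
    ticket = extract_session_index(form.get("logoutRequest", ""))
    return bool(ticket) and store.destroy_by_ticket(ticket)

# Constructed sample in the shape CAS posts to a service URL.
SAMPLE = (
    '<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"'
    ' ID="LR-1-example" Version="2.0" IssueInstant="2011-03-14T17:12:29Z">'
    '<saml:NameID xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">@NOT_USED@'
    '</saml:NameID><samlp:SessionIndex>ST-1-constructedExampleTicket-cas'
    '</samlp:SessionIndex></samlp:LogoutRequest>')
```

The sketch does not authenticate the sender, so the endpoint that feeds it should accept posts only from the CAS server's address.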

PradeepGM

Mar 17, 2011, 2:52:48 AM
to casshib
Hi bkoehm,

Thanks for your reply. I have successfully configured two applications
with casshib and both are working fine. Now when I log out from any
of the applications, the logout message is sent only to the first
registered application service. The second one is left out and the
logout message is not sent to it. It looks like the registered service
iterator is not sending the logout message to the second one. Please help.

Thanks
Pradeep

PradeepGM

Mar 17, 2011, 5:57:44 AM
to casshib
Hi bkoehm,

Sorry, I have verified and the logout message is sent only to the
service which has invoked the logout and the others are left out. How
do I send the logout message to all the registered services?

Thanks
Pradeep

bkoehm

Mar 17, 2011, 10:33:21 AM
to casshib
CASShib made no modifications to the single sign out part of the CAS
server code. If there is a single sign out bug, I won't be able to
help much, other than perhaps merging patches made to CAS post-3.4.2.
I suggest posting to the CAS mailing list and telling them what version
of CAS you are using (3.4.2?) and explaining the single sign out problem
you are having. The CAS mailing lists are located here:
http://www.jasig.org/cas/mailing-lists. If they tell you it was a bug
fixed in a version later than 3.4.2, then I can merge it in for you.

PradeepGM

Mar 18, 2011, 8:18:37 AM
to casshib
Hi bkoehm,

As I said earlier, I have two applications registered with CASSHIB and
when I checked the code and flow I found out that a separate
CASTGC-{App-name} cookie (and also separate TGT) got created for both
the applications. Is that correct? From the CAS documentation it seems
there should be only one TGT for single sign on to work with different
STs. Is that the reason my single logout fails?

Thanks
Pradeep

bkoehm

Mar 18, 2011, 12:03:05 PM
to casshib
Ah, yes, you are right -- there are different CAS sessions established
per-application. This was done because Shibboleth releases different
attributes depending on the service. I would have to investigate the
single sign out code to see how to get single sign out working across
multiple sessions. I am not sure if it would be an easy fix or not.
I will open up an issue on the Google Code site to record this as an
open issue.

PradeepGM

Mar 23, 2011, 5:55:16 AM
to casshib
Hi bkoehm,

Kindly let me know the release date for this modified version. We are
waiting for the fixed new release.

Thanks
Pradeep