> I'm using serverName in my filter and the issue I have is that most of my
> servers are load balanced (using BigIp) so the server name must be a DNS name
> instead of the servername.... So my question is how does that jive with the
> Single Sign Out functionality?

There are a number of known issues with clustered CAS services and single sign-out. The CAS filter constructs a service URL using the serverName init-param and CAS simply sends a SAML LogoutRequest message to that exact URL when the SSO session ends. Because the sign-out message is sourced differently than the user's browser, sticky sessions will not help in routing the sign-out request to the same node holding the user's session. Routing to the session-holding node is an essential requirement for effective single sign-out.

If this is a Java Web application, probably the best solution is to set up replicated session storage such that all nodes in the cluster share session state. There are other solutions that would involve extending the CAS client to know about cluster peers such that any node that received the sign-out request could replay it to the others.

M
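
The routing problem described in the reply above, as an added example that is not part of the original message and is not CAS client code: a simplified Python model of a two-node cluster behind one serverName, where the browser is routed by sticky cookie but the sign-out request from the CAS server is not. All class names, function names and the ticket value are constructed for illustration; the `replay` switch models the "replay it to the others" option.

```python
# Constructed model; Node, Cluster and run are hypothetical names, not CAS APIs.
import itertools

class Node:
    def __init__(self, name):
        self.name = name
        self.sessions = {}   # service ticket -> user, held in this node's memory only
        self.peers = []      # other cluster members, used only when replay is on

    def on_login(self, ticket, user):
        self.sessions[ticket] = user

    def on_logout(self, ticket, replay=False, forwarded=False):
        self.sessions.pop(ticket, None)      # no-op if this node never saw the ticket
        if replay and not forwarded:         # forwarded flag prevents replay loops
            for peer in self.peers:
                peer.on_logout(ticket, replay=True, forwarded=True)

class Cluster:
    """Load balancer in front of nodes that share one serverName."""
    def __init__(self, names, replay=False):
        self.nodes = [Node(n) for n in names]
        for n in self.nodes:
            n.peers = [p for p in self.nodes if p is not n]
        self.replay = replay
        self.sticky = {}                         # browser cookie -> node
        self._rr = itertools.cycle(self.nodes)   # round-robin for unpinned clients

    def browser_login(self, cookie, ticket, user):
        if cookie not in self.sticky:
            self.sticky[cookie] = next(self._rr)
        node = self.sticky[cookie]
        node.on_login(ticket, user)
        return node

    def cas_logout(self, ticket):
        # The CAS server presents no browser cookie, so stickiness cannot apply.
        node = next(self._rr)
        node.on_logout(ticket, replay=self.replay)
        return node

    def live_sessions(self, ticket):
        return [n.name for n in self.nodes if ticket in n.sessions]

def run(replay):
    cluster = Cluster(["node-a", "node-b"], replay=replay)
    holder = cluster.browser_login("cookie-1", "ST-1-constructed", "alice")
    receiver = cluster.cas_logout("ST-1-constructed")
    return holder.name, receiver.name, cluster.live_sessions("ST-1-constructed")
```

With `run(False)` the sign-out lands on the node that does not hold the session, so the session stays live after the SSO session has ended; with `run(True)` the receiving node forwards the request and the session is removed.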
