I need to correct the claims in my previous message. I thought we'd confirmed this working, but was mistaken.

> We have done this.

And it doesn't work.

> We have hardware load balancers for our
> implementation, but it was as simple as enabling session replication
> in our servlet container (JBoss 5.1). When any node received the SAML
> logout request, it propagated the dead session to the other nodes.

Nope. Doesn't work. The CAS Assertion that tracks authenticated state is replicated, sure enough. But the mapping of ticket to Assertion is _not_ replicated. The default implementation is a static HashMap, which obviously only exists on the node to which the client was bound. If the SAML LogoutRequest hits the other node, it simply ignores it because it can't find the Session matching the given service ticket. Clearly an alternate SessionStorage implementation is needed to handle this case; for example, one that uses JBossCache.

I apologize for jumping the gun on this; I simply miscommunicated with the other folks working on confirming clustered single sign-out.

M
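
The failure described in this message, modelled as an added example that is not part of the original post and is not CAS client code. All class and method names are hypothetical, and plain in-memory maps stand in for container session replication and for a cluster-wide cache such as JBossCache.

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

public class ClusteredSignOutDemo {
    // Stand-in for replicated session state: every node sees the same sessions.
    static final Map<String, String> REPLICATED_SESSIONS = new ConcurrentHashMap<>();

    /** One application node; "tickets" maps service ticket -> session id. */
    static final class Node {
        private final Map<String, String> tickets;

        Node(Map<String, String> tickets) { this.tickets = tickets; }

        void login(String ticket, String sessionId, String user) {
            REPLICATED_SESSIONS.put(sessionId, user); // replicated to all nodes
            tickets.put(ticket, sessionId);           // replicated only if the map is shared
        }

        /** Returns true only if the logout request actually destroyed a session. */
        boolean handleLogoutRequest(String ticket) {
            String sessionId = tickets.remove(ticket);
            if (sessionId == null) {
                return false; // unknown ticket: the request is silently ignored
            }
            return REPLICATED_SESSIONS.remove(sessionId) != null;
        }
    }

    public static void main(String[] args) {
        // Case 1: each node keeps its own map (the node-local HashMap behaviour).
        Node a = new Node(new ConcurrentHashMap<>());
        Node b = new Node(new ConcurrentHashMap<>());
        a.login("ST-1-constructed", "sess-1", "alice");
        System.out.println("node-local map, logout lands on B: "
                + b.handleLogoutRequest("ST-1-constructed"));
        System.out.println("sess-1 still authenticated: "
                + REPLICATED_SESSIONS.containsKey("sess-1"));

        // Case 2: both nodes use one cluster-wide map (constructed stand-in for a shared cache).
        Map<String, String> clusterWide = new ConcurrentHashMap<>();
        Node c = new Node(clusterWide);
        Node d = new Node(clusterWide);
        c.login("ST-2-constructed", "sess-2", "bob");
        System.out.println("shared map, logout lands on D: "
                + d.handleLogoutRequest("ST-2-constructed"));
        System.out.println("sess-2 still authenticated: "
                + REPLICATED_SESSIONS.containsKey("sess-2"));
    }
}
```

The ignored request in the first case is worth logging in a real deployment: an unmatched LogoutRequest on a clustered service means a session that the user believes is closed is still valid on the cluster.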
