Hi,

The way CAS single sign-out is designed, with a SAML request being built, is not working for us in our production environment. I am sure some of you might be working in the same server architecture as I am explaining below.

We have 2 web applications on top of which I am implementing CAS as the SSO solution. The first web application (I will call it APP1) runs on WebSphere and the second one (APP2) runs on Tomcat. APP1 has 4 WebSphere application servers of their kind and there is a load balancer running on top of them. APP2 has 4 Tomcats running and a load balancer is used on top of these again. Each of these two sets (of 4) application servers is behind the firewall and is not exposed to the internet. The communication into these app servers comes from web servers which are on the outside of the firewall.

The URL for APP1 looks like https://mydomain.com/app1/start/something
The URL for APP2 looks like https://mydomain.com/app2/start/someelse
The URL for the SSO application looks like https://mydomain.com/sso/login

When the user clicks on the APP1 URL, it redirects back to SSO as https://mydomain.com/sso/login?service=https://mydomain.com/app1/start/something. SSO accepts the user credentials and creates a TGT and ST. It then loads the TicketGrantingTicket.services() list with this newly created service with originalUrl = https://mydomain.com/app1/start/something.

The user accesses APP2 in the same session, does single sign-on and creates another ST under the same TGT. The TicketGrantingTicket.services() list now contains two entries:

service1 with originalUrl=https://mydomain.com/app1/start/something
service2 with originalUrl=https://mydomain.com/app2/start/someelse

Now the user clicks logout on APP2, which goes to https://mydomain.com/sso/logout, and then finally the service.logOutOfService() method gets called. Inside this method, it uses the original URL to make a SAML request. This is where my infrastructure is failing. Our web server and app server layers are separated by a firewall (which is quite common in many organizations). The app server cannot make a call back to the web server, so the SAML request fails to make it to the target applications.

Even if we make a redirecting forward on the app server layer, the question comes of how many app server instances are running for each app and how to broadcast the message to all the nodes in each cluster. I am just hoping I am missing some configuration which will fix this issue less intrusively. I appreciate any responses on this.

Thanks,
Madhavi

--
You are currently subscribed to cas-dev@lists.jasig.org as: arch...@mail-archive.com
To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-dev
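The two failure modes in the post (the back-channel call blocked by the firewall, and a call that does get through landing on only one node of a cluster) can be reproduced in a small model. The following is an added example, not Madhavi's code and not CAS's own implementation; it assumes the CAS 3.x single sign-out message shape (a SAML 2.0 `LogoutRequest` whose `SessionIndex` carries the service ticket, posted as the `logoutRequest` parameter to each service's original URL) and models the client side the way the CAS client's SingleSignOutFilter does, with a per-node in-memory map from service ticket to HTTP session. Hostnames, ticket values and node names are constructed.

```python
"""Toy model of CAS back-channel single sign-out across a firewall and a cluster.
Added example; not the poster's code and not the CAS project's code."""
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"


def build_logout_request(service_ticket: str) -> str:
    """Build the SAML LogoutRequest that CAS posts to a service's original URL.
    Assumption: element names and the @NOT_USED@ NameID follow CAS 3.x."""
    now = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return (
        f'<samlp:LogoutRequest xmlns:samlp="{SAMLP}" ID="LR-{uuid.uuid4()}" '
        f'Version="2.0" IssueInstant="{now}">'
        f'<saml:NameID xmlns:saml="{SAML}">@NOT_USED@</saml:NameID>'
        f'<samlp:SessionIndex>{service_ticket}</samlp:SessionIndex>'
        f'</samlp:LogoutRequest>'
    )


def extract_session_index(logout_request: str) -> str:
    """Client side: pull the service ticket out of the logoutRequest body."""
    root = ET.fromstring(logout_request)
    node = root.find(f"{{{SAMLP}}}SessionIndex")
    if node is None or not node.text:
        raise ValueError("logoutRequest carries no SessionIndex")
    return node.text.strip()


class AppNode:
    """One app-server instance with a node-local ST -> session map."""
    def __init__(self, name: str):
        self.name = name
        self.sessions: dict = {}

    def login(self, st: str, user: str) -> None:
        self.sessions[st] = {"user": user, "valid": True}

    def handle_logout_request(self, body: str) -> bool:
        session = self.sessions.pop(extract_session_index(body), None)
        if session is not None:
            session["valid"] = False
        return session is not None


class Cluster:
    """N nodes behind a round-robin load balancer: one POST reaches one node."""
    def __init__(self, nodes: list):
        self.nodes = nodes
        self._next = 0

    def post(self, body: str) -> bool:
        node = self.nodes[self._next % len(self.nodes)]
        self._next += 1
        return node.handle_logout_request(body)


class CasServer:
    """Mirrors TicketGrantingTicket.services() plus logOutOfService()."""
    def __init__(self, reachable_hosts: set):
        self.reachable = reachable_hosts  # hosts the app-tier firewall lets CAS reach
        self.tgt_services: list = []      # (original_url, st, cluster)

    def register_service(self, original_url: str, st: str, cluster: Cluster) -> None:
        self.tgt_services.append((original_url, st, cluster))

    def logout(self) -> dict:
        results = {}
        for url, st, cluster in self.tgt_services:
            host = url.split("/")[2]
            if host not in self.reachable:
                results[url] = "unreachable"  # app tier cannot call back to the web tier
                continue
            delivered = cluster.post(build_logout_request(st))
            results[url] = "invalidated" if delivered else "missed"
        return results


def simulate(firewall_open: bool) -> dict:
    """Constructed scenario: the user's APP1 session lives on node 2 of a
    4-node cluster, the APP2 session on node 0; CAS logs both out."""
    app1 = Cluster([AppNode(f"app1-{i}") for i in range(4)])
    app2 = Cluster([AppNode(f"app2-{i}") for i in range(4)])
    cas = CasServer({"mydomain.com"} if firewall_open else set())
    app1.nodes[2].login("ST-1-app1", "user")
    app2.nodes[0].login("ST-2-app2", "user")
    cas.register_service("https://mydomain.com/app1/start/something", "ST-1-app1", app1)
    cas.register_service("https://mydomain.com/app2/start/someelse", "ST-2-app2", app2)
    return cas.logout()


if __name__ == "__main__":
    print("firewall closed:", simulate(False))
    print("firewall open:  ", simulate(True))
```

With the firewall closed every service comes back `unreachable`; with it open the APP2 logout succeeds only because the balancer happened to route the POST to the node holding that session, while the APP1 session on another node is `missed`. That second outcome is why a node-local ticket-to-session map is not enough for single sign-out behind a load balancer: the logout either has to be delivered to every node or the map has to live in a store all nodes share.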