> So I think we should keep the SAML logout request "as is" (custom code in the
> core). I consider the SAML logout request more as a logout request in XML
> format than a real implementation of the SAML protocol.

+1

> So I implement a custom front-channel SLO. Each CAS service can be configured
> with a logout url, which will be called from a hidden image in the CAS logout
> page.

I believe this implementation is fairly common; perhaps some slight variances. We did this ourselves for many years, and it was successful in general, but the hassle was keeping up with service registration for _every_ service that used CAS. We were serious then, and remain so, that every service be capable of participating in single sign out. I am personally quite happy to leverage wildcards to let everyone in with a limited set of attribute release, then have a handful of special cases.

Here's another solution I sketched out a while back but never pushed; now seems like a good time to share:

https://wiki.jasig.org/display/CAS/Proposal%3A+Front-Channel+Single+Sign-Out

M