Currently CAS does not support single sign out.  It's on the list for the 
3.1 release (though there is no timeline, as we're still focused on the 
3.0.x branch). 

There has been some discussion on-list about using the 
ProxyGrantingTicket in combination with requesting a proxy ticket to 
determine if a user is still logged in. It's not a cheap operation and 
generates a lot of unnecessary tickets.  It's essentially the equivalent 
of pinging CAS every so often if a user still exists.

-Scott

Jennifer Yang wrote:
> Another followup question.
>
> So if we have multiple apps linked with CAS SSO, cas/logout kills 
> single sign on session.  However, how can I kill all the apps already 
> signed in previously with CAS before the logout?  If CAS can determine 
> if a single sign on session is valid or not, can't our app query CAS?  
> But this seems expensive that the app needs to query CAS for each 
> access...  Any suggestion as to how to implement single sign OFF?
>
> Thanks,
> Jennifer
>
>
> On 7/26/06, *Jennifer Yang* <[EMAIL PROTECTED]> wrote:
>
>     I must have used http.  I thought I tried https.  :-)
>     It works with https.  Thank you!!
>
>     Out of curiosity, how does CAS validate multiple apps? 
>     Initially, I thought it validated the ticket issued at initial
>     sign on, but looking at the log, it seems to issue a different
>     ticket for each app.  
>
>     Another question.  Is there any way to run CAS in non-SSL mode?
>
>     Thanks,
>     --Jennifer
>
>
>     On 7/26/06, *Scott Battaglia* <[EMAIL PROTECTED]> wrote:
>
>         Logging out of CAS is designed to kill your single sign on
>         session (not your individual application sessions) so that if
>         you try and access another CASified application (that you
>         haven't logged into yet) you will be prompted for your
>         credentials again.
>
>         CAS uses secure cookies however, so if you access the Logout
>         page via http instead of https your cookie will not be
>         destroyed as it was never sent to the server.
>
>         -Scott
>
>
>         Kris Melotte wrote:
>         > Is there a difference regarding logout when you are using
>         > http versus https?
>         >
>         > I thought that the fact you can still login after the logout
>         > to an (authenticated) application is because the JA-SIG
>         > client does not check anymore with the CAS server after
>         > validation of the initial ticket.
>         >
>         > As the authentication information is already in the session
>         > of the SSO authenticated application, the filter will pass
>         > you through without checking again with the CAS server if
>         > the SSO is still valid.
>         >
>         > I thought that this behavior was the reason why the cas
>         > logout page mentions to "exit your browser for security
>         > reasons"?
>         >
>         > Regards,
>         > Kris
>         >
>         > -----Original Message-----
>         > From: [EMAIL PROTECTED] On Behalf Of Scott Battaglia
>         > Sent: Wednesday, July 26, 2006 2:16 PM
>         > To: Mailing list for CAS developers
>         > Subject: Re: [cas-dev] CAS logout
>         >
>         > Jennifer,
>         >
>         > Did you access the logout page via http or https?
>         >
>         > -Scott
>         >
>         > Jennifer Yang wrote:
>         >
>         >
>         >> Hello,
>         >>
>         >> I am trying to implement logout.
>         >>
>         >> I found the following thread, but I am not seeing the same
>         >> behavior.
>         >> http://tp.its.yale.edu/pipermail/cas/2005-February/001010.html
>         >>
>         >> According to this, hitting /cas/logout should prevent the
>         >> previously authenticated user from accessing another webapp
>         >> without signing on again.  Here is what I tried and the
>         >> behavior.
>         >>
>         >> I have two webapps (using jsp-examples and servlet-examples
>         >> supplied by Tomcat) both setup to use CASFilter.
>         >>
>         >> 1. I enter one of the jsp-examples url in the browser.
>         >> 2. I get JA-SIG login page and I log in successfully.
>         >> 3. I get redirected to the jsp-examples I was trying to
>         >>    access in step 1.
>         >> 4. I logoff via /cas/logout and get a JA-SIG "successfully
>         >>    logged off".
>         >> 5. I enter one of the servlet-examples (a different webapp
>         >>    from step 1).  I expected to get another JA-SIG login
>         >>    page, but I get my servlet-examples without being
>         >>    re-authenticated.
>         >>
>         >> Am I missing something?
>         >>
>         >> Also, what is the best way to implement single-sign-out?
>         >>
>         >> Thanks very much!
>         >> --Jennifer
>         >>
>         >> _______________________________________________
>         >> cas-dev mailing list
>         >> [email protected] <mailto:[email protected]>
>         >> http://tp.its.yale.edu/mailman/listinfo/cas-dev
>         >>
>         >>
>         >>
>
>
>
>   
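The behaviour discussed in this thread, as an added example (not code from the thread or from CAS): a toy model in which Python's standard cookie jar decides whether the Secure ticket-granting cookie is sent to the logout URL, and each application keeps its own session once it has checked CAS. The host name, ticket value and class names are assumptions, and the model only tracks the server-side single sign-on session.

```python
from http.cookiejar import Cookie, CookieJar
from urllib.request import Request

CAS_HOST = "cas.example.org"  # assumed host name

class CasServer:
    """Toy CAS: keeps the set of live single sign-on sessions (TGTs)."""
    def __init__(self):
        self.live_tgts = set()

    def login(self, jar):
        tgt = "TGT-1-constructed"  # constructed sample ticket id
        self.live_tgts.add(tgt)
        # CASTGC is the CAS ticket-granting cookie; 11th argument = Secure.
        jar.set_cookie(Cookie(0, "CASTGC", tgt, None, False, CAS_HOST, True,
                              False, "/cas", True, True, None, False, None,
                              None, {}))

    def _presented_tgt(self, jar, url):
        # Let the stdlib cookie policy decide what a browser would send.
        req = Request(url)
        jar.add_cookie_header(req)
        return (req.get_header("Cookie") or "").partition("=")[2]

    def logout(self, jar, url):
        # No cookie presented means there is nothing to destroy.
        self.live_tgts.discard(self._presented_tgt(jar, url))

    def sso_valid(self, jar):
        url = f"https://{CAS_HOST}/cas/login"
        return self._presented_tgt(jar, url) in self.live_tgts

class App:
    """CAS-protected webapp: asks CAS once, then trusts its own session."""
    def __init__(self, cas):
        self.cas, self.has_session = cas, False

    def access(self, jar):
        if self.has_session:
            return "local session"
        if self.cas.sso_valid(jar):
            self.has_session = True
            return "sso"
        return "login required"

def scenario(logout_scheme):
    """Log in, open app1, log out over the given scheme, open app1 and app2."""
    cas, jar = CasServer(), CookieJar()
    app1, app2 = App(cas), App(cas)
    cas.login(jar)
    first = app1.access(jar)
    cas.logout(jar, f"{logout_scheme}://{CAS_HOST}/cas/logout")
    return first, app1.access(jar), app2.access(jar)
```

scenario("http") reproduces the five steps in the original question (the second webapp is still reachable); scenario("https") ends the single sign-on session while the first webapp's own session survives.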
