The crux of the problem is that the CAS server itself is making
back-channel connections to send the sign out request to client
applications, so there is no possible way for the load balancer to
correlate user requests with those made by the CAS server.  It's hard
to imagine any solution other than requiring load balanced client
applications to share/replicate session state.  This is a tough
requirement to impose on client applications, and it indeed surprised
us as well.

Regards,
Marvin Addison
Middleware Services
Virginia Tech

On Fri, Jan 9, 2009 at 4:55 AM, Roelof Jan Koekoek <[email protected]> wrote:
> Hi,
>
> I was looking into the single sign-out feature of the latest CAS
> client. Our SSO clients are being load-balanced transparently under a
> single domain. Currently the load-balancer provides sticky sessions.
> Therefore we don't use session replication over client servers. In a
> single sign-out scenario the SSO server has no idea which of the
> client servers provided the client service to a user. Ticket
> validation appears to be bound to the public outer domain of the
> services. Is there a known solution to this problem, or do you have
> any ideas how to get this to work?
>
> Best Regards, Roelof Jan
> _______________________________________________
> cas-dev mailing list
> [email protected]
> http://tp.its.yale.edu/mailman/listinfo/cas-dev
>
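
An added example, not part of the thread or of the CAS client code: a small model of the situation described above, where the user is stuck to one node, the back-channel logout POST lands on another, and the session only ends if the ticket-to-session map is shared. The Node class, the store dict and the sample message are constructed for illustration; the message follows the SAML LogoutRequest shape CAS posts, with the service ticket in SessionIndex.

```python
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"

# Constructed sample of the logoutRequest body CAS POSTs on the back channel.
SAMPLE_LOGOUT = (
    '<samlp:LogoutRequest xmlns:samlp="%s" ID="LR-1" Version="2.0" '
    'IssueInstant="2009-01-09T12:00:00Z">'
    "<samlp:SessionIndex>ST-1-constructed</samlp:SessionIndex>"
    "</samlp:LogoutRequest>" % SAMLP
)

def extract_ticket(logout_xml):
    """Return the service ticket from SessionIndex, or None if unusable."""
    if "<!DOCTYPE" in logout_xml.upper():
        return None  # no DTDs or entities in input from the network
    try:
        root = ET.fromstring(logout_xml)
    except ET.ParseError:
        return None
    node = root.find("{%s}SessionIndex" % SAMLP)
    return node.text.strip() if node is not None and node.text else None

class Node:
    """One load-balanced client server (hypothetical model, not the CAS client)."""
    def __init__(self, store):
        # store holds two maps; pass the same dict to every node to share state
        self.sessions = store.setdefault("sessions", {})
        self.by_ticket = store.setdefault("by_ticket", {})

    def login(self, session_id, user, ticket):
        # Index the session by service ticket when the ticket is validated
        self.sessions[session_id] = user
        self.by_ticket[ticket] = session_id

    def is_logged_in(self, session_id):
        return session_id in self.sessions

    def back_channel_logout(self, logout_xml):
        """Handle the POST from the CAS server; True if a session was ended."""
        ticket = extract_ticket(logout_xml)
        session_id = self.by_ticket.pop(ticket, None) if ticket else None
        return self.sessions.pop(session_id, None) is not None

def session_survives_logout(shared):
    """User is stuck to node A; the CAS logout POST is balanced to node B."""
    store = {}
    a, b = Node(store), Node(store if shared else {})
    a.login("sess-1", "alice", "ST-1-constructed")
    b.back_channel_logout(SAMPLE_LOGOUT)
    return a.is_logged_in("sess-1")
```

With node-local state the session outlives the sign-out; with the shared store any node can end it.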