I'm not sure what you mean by the logoutUrl "supporting" SLO. If you mean
will SLO suddenly start working just because you put a value in that
property, then the answer is no.

The logoutUrl property is exactly what the documentation says it is -- a
way to let an application receive a logout request from the CAS server when
the application is using a CAS client that doesn't implement logout
requests itself (in this case, mod_auth_cas). It's completely up to you to
actually implement the logout process.

So, since "logging out" of mod_auth_cas involves manually deleting the
"MOD_AUTH_CAS_S" cookie from the browser, then I would suppose you could
make your logoutUrl point to "https://your.web.server/logout.html"; or
something, and make logout.html contain some JavaScript to delete the
cookie:

<html>
<head></head>
<body>
  <script>document.cookie = 'MOD_AUTH_CAS_S=; expires=Thu, 01 Jan 1970
00:00:01 GMT;';</script>
  <p>Goodbye!</p>
</body>
</html>


Note that the cookie is set relative to the path you secured with
mod_auth_cas, so you should put the logout.html file in the same directory
that you put your protected content in. This means that if you have
multiple directories protected by mod_auth_cas on the same server, you'll
need to put a logout.html into each one of them (or make the JavaScript
smarter than what's shown above).

Note that mod_auth_cas itself DOES NOT know anything about the logoutUrl.
This is basically a hack to get around the fact that mod_auth_cas does not
implement logout.

--Dave

P.S. - I have not tried any of the above, so you may need to play with it a
bit to get it to work.



--

DAVID A. CURRY, CISSP
*DIRECTOR OF INFORMATION SECURITY*
INFORMATION TECHNOLOGY

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 212 229-5300 x4728 • david.cu...@newschool.edu

[image: The New School]


On Thu, May 24, 2018 at 9:45 AM Ramakrishna G <r...@tts.in> wrote:

> Hey David,
>
> Firstly thanks for your response and clarifying few things. My query to
> you now is
>
> Does logoutUrl property support SLO? If so, which all cookie should I be
> deleting?
>
>
>
> On Thu, May 24, 2018 at 6:17 PM, David Curry <david.cu...@newschool.edu>
> wrote:
>
>> What do you mean when you say you are "using mod_auth_cas for reverse
>> proxy to my cas server"? Mod_auth_cas is not a (reverse) proxy. It's simply
>> a way to control access to content on an Apache web server using CAS
>> authentication. Think of it as an alternative to HTTP Basic Authentication.
>> It seems like this was explained  in an earlier thread; if you want to
>> spread the load across multiple CAS servers, you should just stick a load
>> balancer (NGINX, F5, etc.) in front of them. See, for example, the picture
>> here
>> https://apereo.github.io/cas/development/planning/High-Availability-Guide.html
>> .
>>
>> As for logging out, mod_auth_cas does not support SLO. This is documented
>> in the README file under "Known Limitations". If you really want to
>> implement logout with mod_auth_cas, you would somehow have to arrange for
>> the logout process (which mod_auth_cas is completely unaware of, since it
>> doesn't have its own "logout" link and it doesn't support SLO) to delete
>> the "MOD_AUTH_CAS_S" cookie from the user's browser. You MIGHT be able to
>> make use of the "logoutUrl" property in the service registry (
>> https://apereo.github.io/cas/development/installation/Logout-Single-Signout.html#service-endpoint-for-logout-requests)
>> to accomplish this, with the page that URL points do taking care of
>> deleting the cookie.
>>
>>
>>
>> --
>>
>> DAVID A. CURRY, CISSP
>> *DIRECTOR OF INFORMATION SECURITY*
>> INFORMATION TECHNOLOGY
>>
>> 71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
>> <https://maps.google.com/?q=71+FIFTH+AVE.,+9TH+FL.,+NEW+YORK,+NY+10003&entry=gmail&source=g>
>> +1 212 229-5300 x4728 • david.cu...@newschool.edu
>>
>> [image: The New School]
>>
>>
>> On Thu, May 24, 2018 at 2:13 AM Ramakrishna G <r...@tts.in> wrote:
>>
>>> Hello,
>>>
>>> I am using Mod_auth_cas for reverse proxy to my cas server. How do I
>>> achive slo and sso using mod_auth_cas? Also when I logout I am still able
>>> to access my application without authentication. Is this the way
>>> mod_auth_cas works?
>>>
>>> Thanks
>>> Ramakrishna G
>>>
>>> --
>>> - Website: https://apereo.github.io/cas
>>> - Gitter Chatroom: https://gitter.im/apereo/cas
>>> - List Guidelines: https://goo.gl/1VRrw7
>>> - Contributions: https://goo.gl/mh7qDG
>>> ---
>>> You received this message because you are subscribed to the Google
>>> Groups "CAS Community" group.
>>> To unsubscribe from this group and stop receiving emails from it, send
>>> an email to cas-user+unsubscr...@apereo.org.
>>> To view this discussion on the web visit
>>> https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAGST5P_19UfBq%2BsefvrBRD9UBOJMQHQqJj%3DmJzvm3Op6JsSUAQ%40mail.gmail.com
>>> <https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAGST5P_19UfBq%2BsefvrBRD9UBOJMQHQqJj%3DmJzvm3Op6JsSUAQ%40mail.gmail.com?utm_medium=email&utm_source=footer>
>>> .
>>>
>> --
>> - Website: https://apereo.github.io/cas
>> - Gitter Chatroom: https://gitter.im/apereo/cas
>> - List Guidelines: https://goo.gl/1VRrw7
>> - Contributions: https://goo.gl/mh7qDG
>> ---
>> You received this message because you are subscribed to the Google Groups
>> "CAS Community" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to cas-user+unsubscr...@apereo.org.
>> To view this discussion on the web visit
>> https://groups.google.com/a/apereo.org/d/msgid/cas-user/CA%2Bd9XANEnPPGQ66kyva4Wgvm8-25-Up0Fdz-7MZLYk-PdUF5dA%40mail.gmail.com
>> <https://groups.google.com/a/apereo.org/d/msgid/cas-user/CA%2Bd9XANEnPPGQ66kyva4Wgvm8-25-Up0Fdz-7MZLYk-PdUF5dA%40mail.gmail.com?utm_medium=email&utm_source=footer>
>> .
>>
>
> --
> - Website: https://apereo.github.io/cas
> - Gitter Chatroom: https://gitter.im/apereo/cas
> - List Guidelines: https://goo.gl/1VRrw7
> - Contributions: https://goo.gl/mh7qDG
> ---
> You received this message because you are subscribed to the Google Groups
> "CAS Community" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to cas-user+unsubscr...@apereo.org.
> To view this discussion on the web visit
> https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAGST5P9pD%3DC4t-THA6gX-V2Uh7yB8brVG0tk1sNYk0iZ-7nGtQ%40mail.gmail.com
> <https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAGST5P9pD%3DC4t-THA6gX-V2Uh7yB8brVG0tk1sNYk0iZ-7nGtQ%40mail.gmail.com?utm_medium=email&utm_source=footer>
> .
>

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/CA%2Bd9XAMOJJ8GQV7YaAuKnm4xN%3DWXZ5i%2BuOQXaw48USuVR5MTYA%40mail.gmail.com.

Reply via email to