Bobby,

Single logout is a messy business anytime. If you force users to be logged out of their applications when the CAS session ends, you risk terminating a session which an application considers valid (i.e. service has a longer session than CAS).

If you have control over all services supported by CAS, you could make their sessions shorter than the CAS session (but that does not help if the user logs in shortly before the CAS session expires). How do you alert the user that their session is expired? Would a background logout conflict with an application's management of a user's experience/data?

Ray

On Mon, 2019-07-08 at 16:59 -0700, Bobby Esfandiari wrote:

> @Misagh Moayyed Thank you very much for your assistance. I was able to follow QueryDatabaseAuthenticationHandler as a template, extending AbstractJdbcUsernamePasswordAuthenticationHandler, and adding my custom logic to it.
>
> I do have a follow-up question though that I haven't been able to figure out by reading the documentation. Is there any way that I can manually expire TGTs for users that are expired based on the user expiry date/time? It's my understanding that CAS will automatically send out logout messages to registered services after a user manually logs out. I can handle these messages in those services, but I'm not sure how to initiate the process manually for an expired user.
>
> Ideally I'd be able to inject some logic (similar to the custom handler) that would monitor the user table and start the SLO process by expiring the TGTs for any users whose expiry date < current time. I just have no idea if such a component exists in CAS and the ticket expiry docs don't seem to indicate any way of overriding their functionality.
>
> Thanks again!
>
> PS For anyone that might have the same issue in the future, I also had to add the following properties. This was needed to stop CAS from continuing to process other handlers and generate a TGT, even though my custom handler identified the user as expired and threw an error:
>
> cas.authn.policy.requiredHandlerAuthenticationPolicyEnabled=true
> cas.authn.policy.req.tryAll=false
> cas.authn.policy.req.handlerName=MyAuthenticationHandler
> cas.authn.policy.req.enabled=true

--
Ray Bon
Programmer Analyst
Development Services, University Systems
2507218831 | CLE 019

I respectfully acknowledge that my place of work is located within the ancestral, traditional and unceded territory of the Songhees, Esquimalt and WSÁNEĆ Nations.
