Thanks Ray, that makes sense. For a single provider, increasing the TST lifetime to match the provider's session length seems like a possible solution.

On Tuesday, April 12, 2022 at 11:55:29 AM UTC-4 Ray Bon wrote:

> Anitha,
>
> What you are asking is in the realm of single logout. Single logout is messy business. It will never work the way you, or anyone else, thinks it will.
>
> My only hint would be to set the TST lifetime to the same as, or just longer than, the OP session length. This will make the CAS session, in general, longer.
> It will of course get more complicated if you add more providers or other sources of authentication.
> Something else to think about is how this change will affect other applications you support.
>
> Ray
>
> On Mon, 2022-04-11 at 14:39 -0700, Anitha C wrote:
>
> > We have CAS v6.5.0 deployed to do delegated authentication to a generic OIDC provider.
> >
> > The configuration also includes the logout URL to the OIDC provider, so that the user is logged out of the OIDC provider on logging out of the application and CAS.
> >
> > On successful authentication, the PAC4j user profile is saved along with the TST ticket in the ticket registry. So, when the user logs out, the user profile tied to the TST ticket is retrieved and the OIDC logout occurs.
> >
> > However, if the TST expires before the user logs out, there is no user profile found for the session, and so OIDC logout never happens in that case.
> >
> > What is the ideal/recommended timeout value for a transient session ticket in a CAS server that is configured to do delegated authentication?
> >
> > Are there any other configurations to store/retrieve the OIDC user profile besides in TST?
> >
> > Appreciate any suggestions on handling this use case.
> >
> > Thanks.
>
> --
> Ray Bon
> Programmer Analyst
> Development Services, University Systems
> 2507218831 | CLE 019 | [email protected]
>
> I acknowledge and respect the lək̓ʷəŋən peoples on whose traditional territory the university stands, and the Songhees, Esquimalt and WSÁNEĆ peoples whose historical relationships with the land continue to this day.

To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/b6b468cf-cc21-44a8-89af-7f3d639fbee3n%40apereo.org.
