Bruno,

The whole concept and policies related to SSOut is definitely bigger than
someone's knee-jerk reactions make it out to be.  If Single Sign On
meant that you only login once and you can access any application configured
to use that SSO service, then it makes sense that SSOut would completely log
you out of all of those applications.  It has been a while since I
researched the other SSO solutions (Shibboleth, A-Select, Pubcookie, Cosign,
etc.), but I am sure this is the standard behavior for all of them.

Take Google for instance.  If you sign into your Gmail account, you
seamlessly transition into your Google Maps, Google Documents, etc.  SSO
makes a lot of sense for those of us who deploy application portals for our
organizations, as our users have a mindset that they are leaving this entire
portfolio of applications whenever they log out.

Because of this behavior, most deployers start asking larger policy
questions such as:

1. Which applications do we want to participate in SSO?
2. Are these applications considered a suite such that you expect to use all of
   them or none of them?
3. Do we want to allow 3rd party applications to use SSO?  Can we enforce
   SSO policies on these applications?

As for CAS SSOut support, it has been out for nearly a year, and I cannot
see how it is immature.  If this is based upon the fact that individual
application logout is not supported, then I would argue that doesn't make
sense because it goes against the nature of SSO.

Hope that helps,
A-

On 2/18/09 9:22 AM, "Bruno Melloni" <[email protected]> wrote:

> Thank you, Marvin. That just gave me the information I was missing and made me
> realize that I was on a wild goose chase.  Let me mention what I've learned so
> far about Single Sign Out, from previous emails and all of my research.  I
> think it clarifies a lot of misconceptions, and gave me the key clue to the
> answer to logging out with Spring Security:
> 
> - Single Sign Out within CAS is fairly young.  It has not evolved yet to full
> maturity, and further improvements are likely in the future.
> 
> - Support for Single Sign Out when using Spring Security on the client app is
> even younger (if supported - I'm not quite sure).
> 
> - There is no ability in CAS to logout from a single application (invalidate
> just the one ticket).  If https:/.../cas/logout is called, it will logout from
> all applications (expiring all tickets).  The intuitive logout form that can
> sometimes be seen when googling
> (https:/.../cas/logout?service=https/.../myapp) is not a way to logout from a
> single app.
> 
> - There is no ability in CAS to specify which URL to call when an app is being
> logged out.  Only the original URL that caused the login will be called.
> Unfortunately, this means that if one user enters an app at page
> http/.../clientApp/page1.html and another at http/.../clientApp/page2.html,
> when each user logs out CAS will call page1 or page2, and it would be hard to
> code some kind of logout intercept at that point since it does not happen
> always at the same page.
> 
> - If the client is using Spring Security as its interface to CAS, it is
> possible to specify a callback URL that triggers a Spring Security logout (not
> of CAS).  This is by default /j_spring_security_logout.  In the same tag, it
> is possible to specify a Spring Security logout success URL, and... it can be
> https:/.../cas/logout, thus causing a logout of both Spring Security and CAS!
> 
> Solution (for clients that use Spring Security to access CAS):
> =============================================================
> 
> 1) Do not bother with the CAS Single Sign Out filter.
> 
> 2) Define a <security:logout/> tag that specifies the logout-success-url to be
> the CAS logout URL.  Example:
> 
> <security:http entry-point-ref="casProcessingFilterEntryPoint">
>   <security:intercept-url pattern="/secure/**" access="ROLE_USER" />
>   <security:intercept-url pattern="/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
>   <security:anonymous/>
>   <security:logout logout-success-url="https://LCEIT1664:8443/cas/logout"/>
> </security:http>
> 
> 3) The above is not perfect.  It will only logout from Spring Security when
> the application is logged out from -that- application.  A CAS logout from
> another application will not guarantee that the application gets logged out
> from Spring Security.  But then, neither does the web.xml-based Single Signout
> procedure.
> 
> 
> It might be a good idea to add this Spring Security Single Sign Out procedure
> to the documentation.
> 
> Recommendations for future CAS Single Sign Out enhancements:
> ===========================================================
> 
> These are not critical, but would make CAS better.
> 
> - Add a client configuration parameter to the CAS client that allows
> specifying the client logout URL (and of course the supporting server code to
> record it at login and call it at logout).  This will allow 'guaranteed'
> single sign out at the client.
> 
> - In addition to the current global logout in CAS (logs out from all
> applications), implement the ability to pass a service URL as a parameter to
> cas/logout.  When used, it would logout only from that application / expire
> its ticket without logging out all of the other applications for the user.
> Note that a user could have logged in from a page deeper in the tree (i.e.:
> https:/.../clientApp/folder1/folder2/page.html) than the root service URL
> (i.e.: https:/.../clientApp).  Therefore if a service URL is passed, CAS would
> need to expire all tickets that 'start' with it.
> 
> I hope that helps, and that it reaches the right people in the CAS
> documentation and development teams.
> 
> b.
> 
> -----Original Message-----
> From: Marvin Addison [mailto:[email protected]]
> Sent: Wednesday, February 18, 2009 8:16 AM
> To: [email protected]
> Subject: Re: [cas-user] Spring Security & CAS logout
> 
>> Is there any other place where I need to specify URL so that CAS knows to
>> call it?
> 
> The URL that CAS calls is not configurable.  It simply replays the
> referring URL of the service that contacted CAS for a service ticket.
> So if you enter your application through
> https://yourhost/myApp/app/home.jsp, it will attempt to contact that
> _exact_ URL at logout time.  You should configure the scope of
> SingleSignOutFilter accordingly.  Also, as I believe is mentioned in
> the Wiki document, that filter must be defined before all other CAS
> filters.
> 
> You can confirm SingleSignOutFilter/SingleSignOutHttpSessionListener
> received the CAS logout request by looking for the following in your
> application logs, assuming you have org.jasig.cas set to DEBUG or
> lower:
> 
> 2008-12-04 16:05:07,610 DEBUG
> [org.jasig.cas.client.session.SingleSignOutHttpSessionListener]
> Removing HttpSession: QXdhBMmvsm+0FuvJJ4p23A**
> 
> Hope that helps,
> Marvin Addison
> Middleware Services
> Virginia Tech

-- 
Andrew Feller, Analyst
LSU University Information Services
200 Frey Computing Services Center
Baton Rouge, LA 70803
Office: 225.578.3737
Fax: 225.578.6400
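The behaviour the three messages above describe (CAS replaying the exact URL that requested each service ticket, the client filter needing to be in scope of that URL to invalidate the local session, and Bruno's proposed per-service logout) can be modelled end to end. The following Python is an added illustration, not code from CAS, the Jasig Java client or Spring Security; the logoutRequest XML shape, the host names, session ids and class names are constructed assumptions, and logout_service models only the recommendation in the thread, not a CAS feature.

```python
"""Model of the CAS single sign-out exchange discussed in this thread.

Constructed for illustration; not CAS or Spring Security code. It shows
(1) the server recording the verbatim service URL per ticket and replaying it
at logout, (2) a client filter that maps the ticket named in the callback
back to a container session and invalidates it only when the callback lands
inside the filter's URL scope, and (3) a hypothetical per-service logout.
"""
import re
import uuid
from urllib.parse import urlsplit

# Assumed shape of the logoutRequest body CAS posts to each service; the
# SessionIndex carries the service ticket that was issued to that service.
_LOGOUT_XML = (
    '<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'ID="{id}" Version="2.0">'
    "<samlp:SessionIndex>{ticket}</samlp:SessionIndex></samlp:LogoutRequest>"
)
_SESSION_INDEX = re.compile(r"<samlp:SessionIndex>([^<]+)</samlp:SessionIndex>")


def build_logout_request(ticket):
    return _LOGOUT_XML.format(id="LR-" + uuid.uuid4().hex, ticket=ticket)


def parse_session_index(xml):
    m = _SESSION_INDEX.search(xml)
    return m.group(1) if m else None


class CasServerModel:
    """Ticket-granting session -> (service URL, service ticket) pairs issued."""

    def __init__(self):
        self.sessions = {}   # TGT id -> list of (service_url, service_ticket)
        self.callbacks = []  # (service_url, logoutRequest xml) delivered so far

    def login(self):
        tgt = "TGT-" + uuid.uuid4().hex
        self.sessions[tgt] = []
        return tgt

    def grant_service_ticket(self, tgt, service_url):
        # The requesting URL is stored verbatim: it is the only callback target.
        st = "ST-" + uuid.uuid4().hex
        self.sessions[tgt].append((service_url, st))
        return st

    def _notify(self, service_url, st):
        self.callbacks.append((service_url, build_logout_request(st)))

    def logout(self, tgt):
        """Global logout: expire every ticket and call back each recorded URL."""
        issued = self.sessions.pop(tgt, [])
        for service_url, st in issued:
            self._notify(service_url, st)
        return len(issued)

    def logout_service(self, tgt, service_prefix):
        """Hypothetical per-service logout (the thread's recommendation): expire
        only tickets whose service URL starts with the prefix, keep the rest."""
        keep, gone = [], []
        for pair in self.sessions.get(tgt, []):
            (gone if pair[0].startswith(service_prefix) else keep).append(pair)
        if tgt in self.sessions:
            self.sessions[tgt] = keep
        for service_url, st in gone:
            self._notify(service_url, st)
        return len(gone)


class SingleSignOutFilterModel:
    """Client filter mounted under url_prefix; session_store is the set of live
    container session ids, owned by the (modelled) servlet container."""

    def __init__(self, url_prefix, session_store):
        self.url_prefix = url_prefix
        self.session_store = session_store
        self.ticket_to_session = {}

    def handle(self, url, params, session_id=None):
        if not urlsplit(url).path.startswith(self.url_prefix):
            return "not-in-filter-scope"      # the request never reaches the filter
        if "ticket" in params:                 # ticket validation: remember the session
            self.ticket_to_session[params["ticket"]] = session_id
            return "session-mapped"
        if "logoutRequest" in params:          # back-channel callback from CAS
            sid = self.ticket_to_session.pop(parse_session_index(params["logoutRequest"]), None)
            if sid is None:
                return "unknown-ticket"
            self.session_store.discard(sid)
            return "session-invalidated"
        return "passthrough"


def run_scenario(filter_prefix="/clientApp/"):
    """Two users enter the same app at different pages, then both log out of CAS.
    Returns (callback URLs in order, filter outcomes, sessions still alive)."""
    cas, live = CasServerModel(), {"sess-1", "sess-2"}
    app = SingleSignOutFilterModel(filter_prefix, live)
    entries = {"sess-1": "https://host/clientApp/page1.html",
               "sess-2": "https://host/clientApp/page2.html"}
    for sid, url in entries.items():
        tgt = cas.login()
        app.handle(url, {"ticket": cas.grant_service_ticket(tgt, url)}, sid)
        cas.logout(tgt)
    outcomes = [app.handle(url, {"logoutRequest": xml}) for url, xml in cas.callbacks]
    return [u for u, _ in cas.callbacks], outcomes, sorted(live)
```

Running run_scenario() with the filter mounted over the whole application shows both page URLs being called back and both container sessions invalidated; mounting the filter under a narrower path (for example "/clientApp/login") leaves both sessions alive because the callback to page1.html or page2.html never passes through it, which is the scoping caveat Marvin raises.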
