> What are the extra steps one would take to make sure single sign out works on
> a load balanced service?
We clearly need a page on the wiki about this since it keeps coming up. For the following discussion I will assume that the CAS server has no knowledge of the actual node that is servicing a user's requests. I'll also assume that it's clear why load balancing is a problem to single sign-out. (You clearly understand this.)

There are two solutions available, which I will list in order of increasing effort:

1. Implement shared session storage on your servlet container. That way it doesn't matter which node gets the single sign-out request; the dead session will propagate to all other nodes in the cluster. See http://tomcat.apache.org/tomcat-5.5-doc/cluster-howto.html for a solution on Tomcat.
2. Modify the CAS client so it knows about its peers and can rebroadcast the sign-out message to all other nodes.

Breaking the initial assumption that the individual cluster nodes are not addressable is another potential solution. For example, if your LB simply routes to a real node via HTTP redirects, the real address of the servicing node would be known and CAS would call it directly at sign-out time. Round robin DNS is another way to implement this setup, although I would strongly discourage it for an HA setup.

Please feel free to bug me about putting this discussion prominently on the CASC wiki somewhere.

M
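A sketch of solution 2 from the message above, added here as an example and not taken from the CAS client or from the original post: each node ends the local session named in the sign-out message and rebroadcasts it once to its peers. The `X-SLO-Relayed` header, the `Node` class, the addresses and the source-address check are assumptions of this example, and peers are called in-process where a real client would send HTTP POSTs.

```python
import xml.etree.ElementTree as ET

SAMLP = "{urn:oasis:names:tc:SAML:2.0:protocol}"
RELAY_HEADER = "X-SLO-Relayed"  # hypothetical header marking a peer rebroadcast

# Constructed sample of the logoutRequest CAS POSTs to a service at sign-out.
SAMPLE = (
    '<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'ID="LR-1" Version="2.0" IssueInstant="2009-01-01T00:00:00Z">'
    "<samlp:SessionIndex>ST-1-constructed</samlp:SessionIndex>"
    "</samlp:LogoutRequest>"
)

def session_index(logout_request):
    """Return the service ticket named in a logoutRequest, or None."""
    if len(logout_request) > 4096 or "<!" in logout_request:  # no DTD/entities
        return None
    try:
        root = ET.fromstring(logout_request)
    except ET.ParseError:
        return None
    if root.tag != SAMLP + "LogoutRequest":
        return None
    return (root.findtext(SAMLP + "SessionIndex") or "").strip() or None

class Node:
    """One cluster node; peers are called directly in place of HTTP POSTs."""
    def __init__(self, addr, cas_addr):
        self.addr, self.cas_addr = addr, cas_addr
        self.peers = []      # the other Node objects in the cluster
        self.sessions = {}   # service ticket -> local session

    def handle_logout(self, logout_request, source_addr, headers=None):
        relayed = (headers or {}).get(RELAY_HEADER) == "1"
        # Originals only from the CAS server, relayed copies only from peers.
        allowed = {p.addr for p in self.peers} if relayed else {self.cas_addr}
        ticket = session_index(logout_request)
        if source_addr not in allowed or ticket is None:
            return False
        self.sessions.pop(ticket, None)  # end the local session if it is here
        if not relayed:  # loop guard: a relayed message is never relayed again
            for peer in self.peers:
                peer.handle_logout(logout_request, self.addr, {RELAY_HEADER: "1"})
        return True

def make_cluster(addrs, cas_addr):
    nodes = [Node(a, cas_addr) for a in addrs]
    for n in nodes:
        n.peers = [p for p in nodes if p is not n]
    return nodes
```

The relay marker keeps a three-node cluster from bouncing the message indefinitely, and the source check means a request carrying the marker from outside the cluster is dropped rather than trusted.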
