> I am currently implementing single sign out and I noticed that phpCas
> filters sign out requests by allowed hosts. Is this also implemented
> in the filter version for Java?

No. IIRC from the phpCAS source, the intention is to prevent spoofed sign out requests from rogue sources. The Java client assumes that the service ticket is known only to the CAS server, and the ticket delivered in the SAML LogoutRequest must match the one stored in session data by the client. Since that check would pass by a message sent from the CAS server, source IP restrictions aren't needed.

M
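
The check described in the reply above, modelled as an added example (not code from the Java CAS client or phpCAS): a logout request ends a session only when the ticket it carries matches one the client stored at login. `TicketSessionStore`, `extract_ticket`, `sample_request` and the ticket values are hypothetical names and constructed data; carrying the ticket in a `SessionIndex` element is assumed from the CAS single sign-out message format.

```python
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"


class TicketSessionStore:
    """Maps service tickets to local sessions (hypothetical helper)."""

    def __init__(self):
        self._by_ticket = {}

    def register(self, ticket, session):
        # Called after the client has validated the ticket with the CAS server.
        self._by_ticket[ticket] = session

    def handle_logout(self, body):
        """Return the session that was ended, or None if nothing matched."""
        ticket = extract_ticket(body)
        if ticket is None:
            return None
        # pop() makes each ticket single-use: a replayed request finds nothing.
        session = self._by_ticket.pop(ticket, None)
        if session is not None:
            session["valid"] = False
        return session


def extract_ticket(body):
    """Pull the service ticket out of <samlp:SessionIndex>, or None."""
    if "<!DOCTYPE" in body or "<!ENTITY" in body:
        return None  # a logout request never needs a DTD; refuse entity tricks
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return None
    if root.tag != "{%s}LogoutRequest" % SAMLP:
        return None
    node = root.find("{%s}SessionIndex" % SAMLP)
    text = (node.text or "").strip() if node is not None else ""
    return text or None


def sample_request(ticket):
    # Constructed message in the shape of a CAS single sign-out request.
    return (
        '<samlp:LogoutRequest xmlns:samlp="%s" ID="LR-1" Version="2.0">'
        "<samlp:SessionIndex>%s</samlp:SessionIndex>"
        "</samlp:LogoutRequest>" % (SAMLP, ticket)
    )
```

The model relies on the same assumption the reply states: the ticket must stay known only to the CAS server and the client, so it should not appear in logs or referrer-visible URLs after validation.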
