We wrote a "CASSingleSignOutRebroadcast" filter to solve this problem. It 
simply resends the logout request to all the other servers. We use a simple 
config file to keep a list of all the servers that are load balanced.

This seems to be working fine in our environment.

Bryan

-----Original Message-----
From: David Wolowicz [mailto:[email protected]] 
Sent: Wednesday, February 23, 2011 6:31 PM
To: [email protected]
Subject: RE: [cas-user] Clustered CAS client logout request

>which would be communicated via some means to other clients

We are doing this now and it's a mess. I'd like to see the servers defined in 
the Service Manager. That way you would have a Service with its URL, and then 
(n) servers with their direct URLs. Then on actions like logout the CAS server 
would send that action to every server. 

If the CAS server does not do it, you need to catch the event, then replicate 
it to the other servers. To do that you need to set up something to do the 
capture, and then something to do the mapping and replication. If it was all in 
CAS it would be significantly simpler. 

Right now, we are catching the logout with our load balancer, then re-routing 
it to a script that replicates it to the servers related to the service. 

If we could help in some way to get this feature in, please let me know.

Thanks

Dave Wolowicz
Manager of Web Services
University of Victoria Systems
[email protected]   |   (250) 721-6117
________________________________________
From: Marvin Addison [[email protected]]
Sent: Wednesday, February 23, 2011 1:18 PM
To: [email protected]
Subject: Re: [cas-user] Clustered CAS client logout request

> I'm wondering if any thought has been given to implement a mechanism for
> clustered CAS client servers to each receive logout requests from the CAS
> server?

It's been discussed repeatedly and there's interest in the feature.
Unfortunately, it's a difficult problem for which there is not a
single solution that could be leveraged by all clients.

> The ideal solution:
> 1) domain.edu/app1** has been configured to send logout requests to
> server1.domain.edu** and server2.domain.edu**
> 2) User logs into domain.edu/app1
> 3) User logs out
> 4) Logout request is sent to server1.domain.edu and server2.domain.edu

This assumes that the load balanced clients are reachable by the CAS
server over some network, which is not unreasonable but certainly not
required by a load-balanced setup.

What is more likely is some kind of authenticated state shared across
all clients such that when one client receives the SAML LogoutRequest
message it can destroy the authenticated state, which would be
communicated via some means to other clients.  For example, if every
client performs a state check on every request it would be recognized
on the next request.  Obviously such a solution would be
client-specific with each client needing to develop its own shared
state storage mechanisms.

M

--
You are currently subscribed to [email protected] as: [email protected]
To unsubscribe, change settings or access archives, see 
http://www.ja-sig.org/wiki/display/JSG/cas-user
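
The rebroadcast approach discussed in this thread, as an added sketch (not code from the thread and not Bryan's filter): a node ends the local session named in the LogoutRequest and forwards the request to its peers once, without re-forwarding copies. The marker header name, the peer addresses and the in-memory session map are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
MARKER = "X-Logout-Rebroadcast"  # hypothetical header set on forwarded copies
# Constructed stand-ins for the config file of load-balanced servers.
PEERS = ["https://server1.domain.edu/app1", "https://server2.domain.edu/app1"]
PEER_ADDRS = {"10.0.0.11", "10.0.0.12"}
# Constructed sample of the logoutRequest body the CAS server posts.
SAMPLE = (
    f'<samlp:LogoutRequest xmlns:samlp="{SAMLP}" ID="LR-1" Version="2.0">'
    "<samlp:SessionIndex>ST-1-constructed</samlp:SessionIndex>"
    "</samlp:LogoutRequest>"
)

def session_index(xml_text):
    """Return the service ticket named in a LogoutRequest, or None."""
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        return None  # the message never needs a DTD; refuse entity tricks
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return None
    if root.tag != f"{{{SAMLP}}}LogoutRequest":
        return None
    node = root.find(f"{{{SAMLP}}}SessionIndex")
    ticket = (node.text or "").strip() if node is not None else ""
    return ticket or None

def handle_logout(self_url, headers, remote_addr, xml_text, sessions):
    """End the local session; return the peer URLs that still need a copy."""
    ticket = session_index(xml_text)
    if ticket is None:
        return []
    forwarded = MARKER in headers
    if forwarded and remote_addr not in PEER_ADDRS:
        return []  # marker from an unknown host: ignore the request
    sessions.pop(ticket, None)  # sessions maps service ticket -> local session
    if forwarded:
        return []  # a copy is never forwarded again, so no broadcast loop
    return [peer for peer in PEERS if peer != self_url]

if __name__ == "__main__":
    store = {"ST-1-constructed": "alice"}
    print(handle_logout(PEERS[0], {}, "10.0.0.5", SAMPLE, store), store)
```

The caller would POST the unchanged request body to each returned URL with the marker header set.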
