I'm trying to understand the single sign out protocol. I have two webapps, webapp1 and webapp2. Both have the single sign out filter (in first place) and the single sign out session listener. Also, webapp1 generates PTs to access webapp2, and webapp2 generates PTs to access webapp1. Both also have the renew parameter set to true.
The first scenario that I tried was the following. I entered webapp1, and it redirected me to the login page. After that, I authenticated myself, and I arrived authenticated at webapp1. After that, I pressed logout, and it points to a jsp that redirects to /cas/logout/service=webapp1. The client logs are the following:

319055 [http-8443-Processor3] TRACE org.jasig.cas.client.session.SingleSignOutFilter - Ignoring URI /webapp1/logout.jsp
319242 [http-8443-Processor3] TRACE org.jasig.cas.client.session.SingleSignOutFilter - Ignoring URI /webapp1/
319242 [http-8443-Processor2] DEBUG org.jasig.cas.client.util.CommonUtils - safeGetParameter called on a POST HttpServletRequest for LogoutRequest. Cannot complete check safely. Reverting to standard behavior for this Parameter
319242 [http-8443-Processor2] DEBUG org.jasig.cas.client.util.CommonUtils - safeGetParameter called on a POST HttpServletRequest for LogoutRequest. Cannot complete check safely. Reverting to standard behavior for this Parameter
319242 [http-8443-Processor2] TRACE org.jasig.cas.client.session.SingleSignOutHandler - Logout request: <samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="LR-3-aoIGMtj1yMi6idfRHAzoGdJTcRw9g0nicOF" Version="2.0" IssueInstant="2011-06-07T17:50:01Z"><saml:NameID xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">@NOT_USED@</saml:NameID><samlp:SessionIndex>ST-5-or3nPL4jYcVeuFrD9EsX-cas</samlp:SessionIndex></samlp:LogoutRequest>
319242 [http-8443-Processor2] DEBUG org.jasig.cas.client.session.HashMapBackedSessionMappingStorage - Attempting to remove Session=[A50FA1144D61B20B840414E94F561D60]
319242 [http-8443-Processor2] DEBUG org.jasig.cas.client.session.HashMapBackedSessionMappingStorage - Found mapping for session. Session Removed.
319242 [http-8443-Processor2] DEBUG org.jasig.cas.client.session.SingleSignOutHandler - Invalidating session [A50FA1144D61B20B840414E94F561D60] for token [ST-5-or3nPL4jYcVeuFrD9EsX-cas]
319242 [http-8443-Processor2] DEBUG org.jasig.cas.client.session.HashMapBackedSessionMappingStorage - Attempting to remove Session=[A50FA1144D61B20B840414E94F561D60]
319258 [http-8443-Processor2] DEBUG org.jasig.cas.client.session.HashMapBackedSessionMappingStorage - No mapping for session found. Ignoring.

The logout was successful, and the session was invalidated, but I'm still on the same page. I think it was because the single sign out filter cuts the filter chain when it detects a logout request. Why does it cut the chain? If I put a session.invalidate() in my logout page (before the redirect to /cas/logout), I arrive at the client application login page (that's the behavior that I want), but I want to know if it is a good practice (the logout request attempts to invalidate the session, but doesn't find it because I've already invalidated it).

The second scenario that I tried was accessing webapp1 through a successful login, and then accessing webapp2 through a proxy ticket generated in webapp1. After that, I did a logout in webapp1, and it didn't send a logout request to webapp2. Doesn't single sign out work for applications that I accessed through a proxy ticket?

And a general doubt. Single sign out applies to all the applications that I entered that share the same TGT, is that right? I tried to open two IE windows (I'm not a fan of it!!!), and it didn't send the logout request to the second webapp.

Thanks in advance!

-- 
You are currently subscribed to [email protected] as: [email protected]
To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
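The log above shows two separate connections: the browser's requests on Processor3 (ignored by the filter) and the CAS server's back-channel POST on Processor2 (the one that carries the LogoutRequest and invalidates the session). The following Python is an added, constructed model of that flow, not the Jasig client code: a ticket-to-session map standing in for HashMapBackedSessionMappingStorage, a filter that records the mapping on the front-channel GET and consumes the LogoutRequest on the back-channel POST, and a listener that drops the mapping when the container destroys the session. All class and function names are illustrative, and the sample LogoutRequest is constructed from the one in the post. It reproduces the "Found mapping ... Session Removed" followed by "No mapping for session found. Ignoring." sequence, and shows what happens when the application invalidates the session itself before the back-channel request arrives. Unlike a real deployment, it does not restrict who may send the POST; an endpoint that accepts unauthenticated logout requests lets anyone who learns a service ticket value kill that session.

```python
"""Constructed model of CAS single sign out on the client side (illustrative, not the Jasig code)."""
import itertools
import xml.etree.ElementTree as ET
from typing import Dict, Optional, Tuple

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
_ids = itertools.count(1)


class Session:
    """Stand-in for an HttpSession: an id, a validity flag and invalidate()."""
    def __init__(self, listener):
        self.id = f"SESS{next(_ids):04d}"   # hypothetical id, not a container-generated one
        self.valid = True
        self._listener = listener

    def invalidate(self):
        if self.valid:
            self.valid = False
            self._listener.session_destroyed(self)   # container notifies the listener


class SessionMappingStorage:
    """Ticket <-> session map, a stand-in for HashMapBackedSessionMappingStorage."""
    def __init__(self):
        self._by_ticket: Dict[str, Session] = {}
        self._by_session: Dict[str, str] = {}

    def add(self, ticket: str, session: Session) -> None:
        self._by_ticket[ticket] = session
        self._by_session[session.id] = ticket

    def remove_by_ticket(self, ticket: str) -> Optional[Session]:
        session = self._by_ticket.pop(ticket, None)
        if session is not None:
            self._by_session.pop(session.id, None)   # "Found mapping for session. Session Removed."
        return session

    def remove_by_session_id(self, session_id: str) -> bool:
        ticket = self._by_session.pop(session_id, None)
        if ticket is None:
            return False                              # "No mapping for session found. Ignoring."
        self._by_ticket.pop(ticket, None)
        return True


class SingleSignOutListener:
    """Stand-in for the session listener: drop the mapping when a session is destroyed."""
    def __init__(self, storage: SessionMappingStorage):
        self.storage = storage

    def session_destroyed(self, session: Session) -> bool:
        return self.storage.remove_by_session_id(session.id)


def parse_session_index(logout_request_xml: str) -> Optional[str]:
    """Extract the service ticket carried in samlp:SessionIndex."""
    root = ET.fromstring(logout_request_xml)
    node = root.find(f"{{{SAMLP_NS}}}SessionIndex")
    return node.text if node is not None else None


def single_sign_out_filter(method: str, params: Dict[str, str], session: Session,
                           storage: SessionMappingStorage) -> Tuple[str, bool]:
    """Return (action, continue_chain).
    Front channel: a GET carrying ticket= records ticket -> session and lets the request through.
    Back channel: a POST carrying logoutRequest comes from the CAS server, not the browser, so the
    filter invalidates the mapped session and stops the chain; there is no browser to redirect."""
    if method == "GET" and "ticket" in params:
        storage.add(params["ticket"], session)
        return "recorded", True
    if method == "POST" and "logoutRequest" in params:
        ticket = parse_session_index(params["logoutRequest"])
        target = storage.remove_by_ticket(ticket) if ticket else None
        if target is None:
            return "no_mapping", False
        target.invalidate()
        return "invalidated", False
    return "ignored", True


def logout_request(ticket: str) -> str:
    """Constructed LogoutRequest shaped like the one in the log (ID value is made up)."""
    return (f'<samlp:LogoutRequest xmlns:samlp="{SAMLP_NS}" ID="LR-1-constructed" Version="2.0" '
            f'IssueInstant="2011-06-07T17:50:01Z">'
            f'<saml:NameID xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">@NOT_USED@</saml:NameID>'
            f'<samlp:SessionIndex>{ticket}</samlp:SessionIndex></samlp:LogoutRequest>')


def scenario_cas_driven_logout():
    """Browser logs in, browser hits logout.jsp, CAS server POSTs the LogoutRequest twice."""
    storage = SessionMappingStorage()
    listener = SingleSignOutListener(storage)
    browser, cas_conn = Session(listener), Session(listener)   # two different connections
    st = "ST-5-or3nPL4jYcVeuFrD9EsX-cas"
    r1 = single_sign_out_filter("GET", {"ticket": st}, browser, storage)       # /webapp1/?ticket=ST-5
    r2 = single_sign_out_filter("GET", {}, browser, storage)                   # /webapp1/logout.jsp
    r3 = single_sign_out_filter("POST", {"logoutRequest": logout_request(st)}, cas_conn, storage)
    r4 = single_sign_out_filter("POST", {"logoutRequest": logout_request(st)}, cas_conn, storage)
    return r1, r2, r3, r4, browser.valid


def scenario_app_invalidates_first():
    """The application calls session.invalidate() before redirecting to /cas/logout."""
    storage = SessionMappingStorage()
    listener = SingleSignOutListener(storage)
    browser, cas_conn = Session(listener), Session(listener)
    st = "ST-6-constructed"
    single_sign_out_filter("GET", {"ticket": st}, browser, storage)
    browser.invalidate()                       # listener removes the mapping here
    r = single_sign_out_filter("POST", {"logoutRequest": logout_request(st)}, cas_conn, storage)
    return r, browser.valid
```

In the first scenario the back-channel POST both removes the mapping and invalidates the session, after which the listener's own removal finds nothing, which is the last two log lines. In the second the order is reversed: the listener removes the mapping during the application's own invalidate(), so the later LogoutRequest is a harmless no-op rather than an error.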
