Jon,

Merely changing a logout link in the UI to point to the CAS server logout URL 
is, as you've discovered, insufficient where CAS's single logout callbacks 
aren't implemented.

Rather, a Zimbra logout link should address a Zimbra server endpoint which 
terminates the application-local session.  And then it should do something 
else, such as:
1) redirect to https://yourCasServerFQDN/cas/logout to end the CAS session and 
have CAS display its SSO session ended message, or
2) display a page explaining to the user that the Zimbra-local session has been 
terminated but that the single sign-on session continues, and inviting the user 
to click a link to also log out of CAS.

Either of these options could be implemented in a trivial JSP.

Which of those options to pick depends mostly on what user expectations you've 
set, by the presentation of the logout link in the UI (was it "log out of 
Zimbra" or was it "log out of CAS"?) and by the way other logout links work in 
applications in your environment.

Kind regards,

Andrew



On Jan 3, 2012, at 11:14 AM, Jon Detert wrote:

> I have Zimbra 'ZCS' version 7.1.3 CASified with CAS Server v3.4.11 via these 
> directions:
> 
> https://wiki.jasig.org/display/CAS/CASifying+Zimbra+6.0
> 
> Authentication and 'single sign-on' works great.
> 
> However, zimbra users cannot logout of zimbra the 'normal' way:
> 
> 0) the zimbra web app has a 'Logout' link.  The CASification procedure has 
> you redefine the URL for that link to https://yourCasServerFQDN/cas/logout
> 
> 1) when a user clicks the zimbra 'Logout' link, they are taken to the correct 
> CAS logout URL
> 
> 2) if the user then returns to zimbra, they are allowed in without 
> re-authentication.
> 
> I.e. the zimbra webapp's logout link doesn't really work.  To really log out, 
> the user must either:
> a) close the web browser entirely (meaning all windows and/or tabs), or
> b) clear the browser's history, cache, and credentials, or
> c) delete the browser's ZM_AUTH_TOKEN and JSESSIONID cookies
> 
> The CAS client I'm using with Zimbra is version 3.1.8.
> 
> Any idea how I can make it possible for a zimbra user to logout by clicking a 
> link?
> 
> Thanks,
> 
> Jon
> 
> -- 
> You are currently subscribed to [email protected] as: [email protected]
> To unsubscribe, change settings or access archives, see 
> http://www.ja-sig.org/wiki/display/JSG/cas-user
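
One way to write the JSP that the reply describes, covering both of its options; this is an added example, not code from either poster or from the Zimbra or CAS projects. It assumes a hypothetical file such as caslogout.jsp deployed in the Zimbra web application, that both cookies were set with path "/", and that expiring the ZM_AUTH_TOKEN and JSESSIONID cookies (the step the original message reports as sufficient) ends the Zimbra-local session in the browser.

```jsp
<%@ page language="java" contentType="text/html; charset=UTF-8" session="false" %>
<%
    // CAS logout URL exactly as written in the thread; replace the placeholder host.
    final String CAS_LOGOUT_URL = "https://yourCasServerFQDN/cas/logout";
    // true  = option 1: also end the CAS single sign-on session by redirecting.
    // false = option 2: end only the Zimbra-local session and show a page.
    final boolean END_SSO_SESSION_TOO = true;

    // End the servlet container session, if one exists, without creating one.
    HttpSession existing = request.getSession(false);
    if (existing != null) {
        existing.invalidate();
    }

    // Expire the two cookies named in the thread. A browser drops a cookie
    // only when name, path and domain match the cookie it already holds.
    String[] cookieNames = { "ZM_AUTH_TOKEN", "JSESSIONID" };
    for (int i = 0; i < cookieNames.length; i++) {
        Cookie expired = new Cookie(cookieNames[i], "");
        expired.setPath("/");                    // assumption: original path is "/"
        expired.setMaxAge(0);                    // 0 = delete immediately
        expired.setSecure(request.isSecure());
        response.addCookie(expired);
    }

    // Keep this response out of browser and proxy caches.
    response.setHeader("Cache-Control", "no-store");
    response.setHeader("Pragma", "no-cache");

    if (END_SSO_SESSION_TOO) {
        response.sendRedirect(CAS_LOGOUT_URL);
        return;
    }
%>
<html>
  <head><title>Logged out of Zimbra</title></head>
  <body>
    <p>Your Zimbra session has been terminated, but your single sign-on
       session continues.</p>
    <p><a href="<%= CAS_LOGOUT_URL %>">Also log out of CAS</a></p>
  </body>
</html>
```

Expiring the cookie only removes the token from the browser; the thread does not say whether Zimbra also invalidates the token on the server, so verify that a previously captured ZM_AUTH_TOKEN is rejected after logout.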

