We want our CAS clients to be able to notify the CAS server about session
termination even if the logout is not triggered by the user with his
browser. As the user agent is not involved, this would necessitate sending
a logout notification / request from the client application to the CAS
server (server-to-server, so no browser involved). SAML supports this
usecase by sending the common session identifier ("SessionIndex") with this
notification, so the server can terminate the corresponding session on its
side.A potential mechanism would not have access to the TGC which is known to the user agent only, but it would seem feasible by using the initial ServiceTicket that the client app received as the common identifier. Now I do not find any mechanism like this documented either as per the standard server implementation or as an extension. Has anyone done something like this, or are there issues with such an approach that I do not see yet? I imagine one stumbling block might be that we'd need a ticket registry that is capable of identifying session by ST? I'd be very grateful for any thoughts, hints, experiences with this use case. Kind Regards, Andreas -- You are currently subscribed to [email protected] as: [email protected] To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
