Chris,
I don't think mod_auth_cas supports the (experimental?) SLO feature of CAS.
However, if you just want users to be able to log out of your web app *and*
terminate their CAS session in the process, you can have Apache + a small
script help you out.
For example, at Lafayette, we are using mod_auth_cas in front of Internet2
Grouper. The Apache config (with all the non-essential bits removed) looks
like this:
<VirtualHost _default_:443>
    #Custom logout script
    <Directory /var/www/html/php/logout.php>
        Order Allow,Deny
        Allow from all
    </Directory>

    #Proxy settings
    <Proxy *>
        AddDefaultCharset Off
        Order deny,allow
        Allow from all
    </Proxy>
    ProxyPass /php/logout.php !
    ProxyPass / ajp://localhost:8009/
    ProxyPassReverse / ajp://localhost:8009/

    # CAS-protect everything else.
    <Location / >
        CASScope /
        Authtype CAS
        require valid-user
    </Location>

    #Redirect the Grouper logout to our custom logout.
    RewriteEngine on
    RewriteRule ^/grouper/logout.do$ /php/logout.php [R]
</VirtualHost>
Grouper runs as a Java servlet, so Apache proxies the HTTP requests to a Tomcat
servlet container via AJP.
You can see a "Directory" resource that is a custom PHP script. It is not a
protected resource.
A "Location" stanza is set up to indicate that all other resources ought to be
CAS-protected.
The "RewriteRule" intercepts the Grouper logout URL and rewrites it to the custom
logout script.
That PHP script is pretty simple:
<?php
// Expire the mod_auth_cas session cookie in the browser.
setcookie("MOD_AUTH_CAS_S", "", time()-3600, "/");
// Redirect the browser to the CAS logout URL.
header("Location: https://cas.lafayette.edu/cas/logout");
exit();
?>
It tells the user's browser to delete the mod_auth_cas cookie and then
redirects the user's browser to the CAS logout URL.
Thanks,
Carl
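
[Added example, not part of the original message or of mod_auth_cas:] A check that a logout response does both jobs described above, expiring the MOD_AUTH_CAS_S cookie and redirecting to the CAS logout URL. The function names and the sample responses are constructed for illustration, and it assumes the session cookie was issued with path "/", as the setcookie() call implies.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from urllib.parse import urlsplit

COOKIE = "MOD_AUTH_CAS_S"                            # name from the script above
CAS_LOGOUT = "https://cas.lafayette.edu/cas/logout"  # URL from the script above

def parse_set_cookie(value):
    """Split a Set-Cookie value into (name, attributes with lower-cased keys)."""
    first, *rest = [p.strip() for p in value.split(";")]
    attrs = {}
    for part in rest:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return first.partition("=")[0].strip(), attrs

def tells_browser_to_delete(attrs, now):
    """True if Max-Age <= 0 or Expires is in the past (Max-Age wins if both)."""
    try:
        if "max-age" in attrs:
            return int(attrs["max-age"]) <= 0
        if "expires" in attrs:
            when = parsedate_to_datetime(attrs["expires"])
            return when.replace(tzinfo=timezone.utc) <= now  # cookie dates are GMT
    except (TypeError, ValueError):
        pass
    return False  # no usable expiry attribute: this is not a deletion

def check_logout_response(status, headers, now=None):
    """Return a list of problems; an empty list means both jobs were done.
    A browser only drops a cookie whose name and Path match the original."""
    now = now or datetime.now(timezone.utc)
    problems, location, cleared = [], None, False
    for key, value in headers:
        if key.lower() == "location":
            location = value
        elif key.lower() == "set-cookie":
            name, attrs = parse_set_cookie(value)
            if name == COOKIE and attrs.get("path") == "/":
                cleared = cleared or tells_browser_to_delete(attrs, now)
    if not cleared:
        problems.append("cookie not expired with Path=/")
    want, got = urlsplit(CAS_LOGOUT), urlsplit(location or "")
    if status not in (301, 302, 303, 307) or got[:3] != want[:3]:
        problems.append("no redirect to the CAS logout URL")
    return problems

# Constructed sample responses (not captured from a real server).
GOOD = [("Set-Cookie", "MOD_AUTH_CAS_S=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/"), ("Location", "https://cas.lafayette.edu/cas/logout")]
BAD = [("Set-Cookie", "MOD_AUTH_CAS_S=; Max-Age=0; path=/php"), ("Location", "/grouper/")]
```

This checks only what the browser is told. The script above does not touch the files under /var/cache/mod_auth_cas.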
----- Original Message -----
From: "Chris Cheltenham" <[email protected]>
To: "cas-user" <[email protected]>
Sent: Tuesday, October 13, 2015 1:28:00 PM
Subject: RE: [cas-user] mod_auth_cas
I see, thank you Carl.
I did not log out so the CAS session was still open.
I think that CAS has a 2 hour hard timeout as well.
7200 seconds.
This still leaves me with just the issue of this.
How to hook SLO to delete the CAS ticket and then proxy back to the web server
and delete the temp file in mod_auth_cas?
-----Original Message-----
From: Waldbieser, Carl [mailto:[email protected]]
Sent: Tuesday, October 13, 2015 1:03 PM
To: [email protected]
Subject: Re: [cas-user] mod_auth_cas
Chris,
Are you sure you aren't re-authenticating? If you have a CAS SSO session that
lasts longer than the 5 minute session you set for mod_auth_cas, it will log
you right back in again without you having to enter any password.
To really test the expiration, you need to log into your webapp using CAS, then
in another tab, browse to your CAS server's /logout resource to end the SSO
session. Then after the mod_auth_cas session expires, you will see that you
need to re-authenticate.
Thanks,
Carl
----- Original Message -----
From: "Chris Cheltenham" <[email protected]>
To: "cas-user" <[email protected]>
Sent: Tuesday, October 13, 2015 12:40:14 PM
Subject: RE: [cas-user] mod_auth_cas
Carl,
When we log in and authenticate to CAS I have the following under temp area
/var/cache/mod_auth_cas
root@test-web:/var/cache/mod_auth_cas > ls -la
total 36
drwx------ 2 apache apache 4096 Oct 13 12:36 .
drwxr-xr-x 14 root root 4096 Apr 16 19:22 ..
-rw------- 1 apache apache 262 Oct 13 12:36 6bbc774d3d53b030bf57040c1f698512
-rw------- 1 apache apache 32 Oct 13 12:36 .f3d79756914864ade3c7f6b8015e530a
-rw------- 1 apache apache 17 Oct 13 12:36 .metadata
root@test-web:/var/cache/mod_auth_cas >
I expect after 5 minutes that it forces me to re-authenticate.
I expect after 10 minutes it does the same and deletes the file
6bbc774d3d53b030bf57040c1f698512. I expect the CAS clean interval to delete it
all within 10 seconds of the session file expiring.
What I am getting is nothing expires and nothing times out ever unless I close
IE.
I hate IE but that's what the customer uses.
Thanks
-----Original Message-----
From: Waldbieser, Carl [mailto:[email protected]]
Sent: Tuesday, October 13, 2015 12:36 PM
To: [email protected]
Subject: Re: [cas-user] mod_auth_cas
Chris,
Can you provide more detail? I.e. what is your expectation as to what is going
to happen, and what actually happens?
Thanks,
Carl Waldbieser
ITS Systems Programmer
Lafayette College
----- Original Message -----
From: "Chris Cheltenham" <[email protected]>
To: "cas-user" <[email protected]>
Sent: Tuesday, October 13, 2015 12:32:04 PM
Subject: [cas-user] mod_auth_cas
Hello,
In apache mod_auth_cas timeout parameters do not work.
Does anyone know why?
None of these work:
CASTimeout 600
CASIdleTimeout 300
CASCacheCleanInterval 10
Thank You;
Chris Cheltenham
[email protected]
SwainTechs
10 Walnut Grove Rd
Suite 110
Horsham, PA
19044
888-905-5767 / X407
--
You are currently subscribed to [email protected] as:
[email protected] To unsubscribe, change settings or access archives, see
http://www.ja-sig.org/wiki/display/JSG/cas-user