>> CAS 3 does not currently support single sign out. CAS 3.1 will
>> support single sign out. Though, I'm not sure if we would support
>> the scenario where logging out of one particular application logged
>> you out of everything (or even notified other applications).
>>
>> Our initial scenario would probably be if your CAS session timed out
>> or you explicitly logged out of CAS it would notify all applications
>> from that CAS session.
>>
>> But again, we haven't finalized everything yet so we are interested
>> in feedback.

> I am curious about your thinking about how this would be implemented.
> The suggestion that CAS could send a message to a message queue would
> seem to work, but every application that wanted to participate in
> single signout would have to implement a message queue listener. I've
> played around a bit with Apache ActiveMQ and that would seem to work.
>
> I suppose another option would be to provide a "signout action url"
> that would get registered in CAS when an application calls the CAS
> login action.

Small issue with 'logout urls' may be with cluster of servers
and load balancer like:

https://myapp.com/app is balanced between:
https://server1:8080/app
https://server2:8080/app
https://server3:8080/app

Each underlying server may have its own session etc.
'service' parameter sent to CAS is in this case https://myapp.com/app

Typically load balancer should redirect all requests from
the same browser to the same host. This means logout should
possibly be done from the user browser or CAS should have a collection
of logout urls for 'service'.

-- 
Maciej Wisniowski
_______________________________________________
Yale CAS mailing list
[email protected]
http://tp.its.yale.edu/mailman/listinfo/cas
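The cluster problem raised in the message above, as an added simulation that is not part of the original thread and is not CAS code. It assumes a balancer that is sticky per browser and round-robin for requests without a browser cookie; the `registry` map, the ticket value and the strategy names are hypothetical.

```python
# Added illustration (constructed simulation, not CAS code).
class Node:
    def __init__(self, url):
        self.url, self.sessions = url, {}   # sessions: CAS ticket -> user

class LoadBalancer:
    """Sticky per browser; requests carrying no browser cookie go round-robin."""
    def __init__(self, nodes):
        self.nodes, self.sticky, self.turn = nodes, {}, 0

    def route(self, browser=None):
        if browser in self.sticky:
            return self.sticky[browser]
        node = self.nodes[self.turn % len(self.nodes)]
        self.turn += 1
        if browser is not None:
            self.sticky[browser] = node
        return node

def simulate(strategy):
    """Log one user in, sign out via `strategy`, return nodes still holding a session."""
    nodes = [Node(f"https://server{i}:8080/app") for i in (1, 2, 3)]
    lb = LoadBalancer(nodes)
    ticket, browser = "ST-constructed-1", "alice-browser"   # constructed sample values
    registry = {}                       # hypothetical CAS-side map: ticket -> node URLs

    # Login: the browser is pinned to one node, which creates a local session.
    node = lb.route(browser)
    node.sessions[ticket] = "alice"
    registry.setdefault(ticket, []).append(node.url)

    if strategy == "service_url":       # CAS itself calls https://myapp.com/app
        lb.route().sessions.pop(ticket, None)
    elif strategy == "browser":         # logout request travels via the user's browser
        lb.route(browser).sessions.pop(ticket, None)
    elif strategy == "per_node_urls":   # CAS keeps a collection of logout URLs
        by_url = {n.url: n for n in nodes}
        for url in registry[ticket]:
            by_url[url].sessions.pop(ticket, None)
    else:
        raise ValueError(strategy)
    return [n.url for n in nodes if ticket in n.sessions]

if __name__ == "__main__":
    for s in ("service_url", "browser", "per_node_urls"):
        print(s, "->", simulate(s) or "no sessions left")
```

With a single logout URL equal to the `service` value, the CAS-originated request has no browser affinity and lands on a node that does not hold the session, so the session on server1 survives sign-out; both alternatives named in the message clear it.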
