Provide a front-channel (i.e. browser mediated) mechanism for single sign-out. The feature presents arguably the simplest solution for the oft-requested feature for single sign-out in clustered client applications. The following proposal describes one implementation based on the SAML 1.1 Single Log Out Profile over the HTTP Redirect Binding:
Implementing front SLO (in addition to back SLO) is pretty complex and has big impacts on the source code. So I propose to do it in two pull requests :
- the first one to change the cas-server-core to make it able to handle front SLO and still performs the back SLO
- the second one to change the cas-server-webapp to really perform front SLO in addition to back SLO.