Front Channel SLO

Description

Provide a front-channel (i.e. browser mediated) mechanism for single sign-out. The feature presents arguably the simplest solution for the oft-requested feature for single sign-out in clustered client applications. The following proposal describes one implementation based on the SAML 1.1 Single Log Out Profile over the HTTP Redirect Binding:

https://wiki.jasig.org/display/CAS/Proposal%3A+Front-Channel+Single+Sign-Out

Implementing front SLO (in addition to back SLO) is pretty complex and has a big impact on the source code. So I propose to do it in two pull requests:

  • the first one to change the cas-server-core to make it able to handle front SLO and still perform the back SLO

  • the second one to change the cas-server-webapp to really perform front SLO in addition to back SLO.

Environment

None

Activity


Alberto Mozzone, April 12, 2017 at 1:29 PM

Hi,
I know this is an old feature, but I was trying CAS 5.0.4, which doesn't have this feature yet.
I'd like to share my opinion about this, because the support for clustered applications is very important to me.

To me, if the FRONT_CHANNEL thing were to be implemented as described in https://wiki.jasig.org/display/CAS/Proposal%3A+Front-Channel+Single+Sign-Out it wouldn't be a good idea, because it relies on the client only to spread the logout across each and every application that the user accessed (if a user closes the browser before the SLO ends, the user is still authenticated in the applications which didn't receive the redirect).

I'd rather suggest an alternative solution: the CAS Server, in the Service Management tool, should allow a service to have multiple backend urls to which the SAML logout message would be sent. This way, CAS could send the logout message to every instance of the same application ensuring that the user, regardless of which application s/he accessed, is always logged out properly.
An alternative is that the CAS Client could be the owner of the backend URLs of the application in which it is present and be responsible for spreading the logout message to them.

Waiting for your opinions...

Thanks!

Jérôme LELEU, May 30, 2013 at 8:46 AM

Marvin Addison, May 9, 2013 at 8:58 PM

Feeling very good about these changes. I think we're on the right track – excellent work!

Jérôme LELEU, May 9, 2013 at 8:47 AM

First pull request to change cas-server-core: https://github.com/Jasig/cas/pull/248

Fixed


Created April 8, 2013 at 3:21 PM
Updated April 12, 2017 at 1:29 PM
Resolved June 4, 2013 at 1:06 PM