...
The existing front-channel SLO feature in CAS4 is still experimental. Improvements could be made in terms of UI or client integration.
Rather than dancing with the client, we could directly call apps from the CAS logout page/flow to log out. This can be done securely in parallel invocations (via hidden images, iframes, etc.) and may require the creation of a new field in the service registry for "logout URLs". We would need a specific URL for logout that would be used for front-channel SLO, with a SAML-like logout message that includes the service ticket. The message can be hashed and zipped and sent along as a GET request. This would allow the CAS server to present 3 SLO options:
- Back channel
- Front-channel with a specific logout URL; also useful in cases where the app does not have proper client support for SLO
- Front-channel with no logout URL; in this case we simply call the service URL as before, which is useful for cases where there is no specific URL for logging out on the app side.
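The second option above, sketched as an added example (not CAS code): the server side wraps the service ticket in a SAML-like message, deflates and base64-encodes it, and appends it to the service's logout URL; the application side reverses this with a bounded inflate before ending the session. The parameter name `logoutRequest`, the 4096-byte cap, the sample URL and the ticket value are assumptions, and the hashing step is left out because the text does not specify it.

```python
import base64
import binascii
import zlib
from urllib.parse import parse_qs, urlencode, urlparse
from xml.etree import ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
PARAM = "logoutRequest"      # assumed query parameter name
MAX_MESSAGE_BYTES = 4096     # assumed cap on the inflated message


def build_logout_url(logout_url, service_ticket):
    """CAS side: SAML-like message carrying the ticket, deflated and base64-encoded."""
    root = ET.Element(f"{{{SAMLP}}}LogoutRequest")
    ET.SubElement(root, f"{{{SAMLP}}}SessionIndex").text = service_ticket
    deflater = zlib.compressobj(wbits=-15)  # raw DEFLATE, no zlib header
    packed = deflater.compress(ET.tostring(root)) + deflater.flush()
    sep = "&" if urlparse(logout_url).query else "?"
    return logout_url + sep + urlencode({PARAM: base64.b64encode(packed).decode()})


def read_service_ticket(url):
    """Application side: decode the GET parameter, return the service ticket to end."""
    values = parse_qs(urlparse(url).query).get(PARAM, [])
    if len(values) != 1:
        raise ValueError("expected exactly one logout message")
    try:
        packed = base64.b64decode(values[0], validate=True)
        # Bounded inflate: never expand more than the cap plus one byte.
        xml = zlib.decompressobj(wbits=-15).decompress(packed, MAX_MESSAGE_BYTES + 1)
        if len(xml) > MAX_MESSAGE_BYTES or b"<!DOCTYPE" in xml:
            raise ValueError("oversized message or DTD present")
        node = ET.fromstring(xml).find(f"{{{SAMLP}}}SessionIndex")
    except (binascii.Error, zlib.error, ET.ParseError) as exc:
        raise ValueError("malformed logout message") from exc
    ticket = (node.text or "") if node is not None else ""
    if not ticket.startswith("ST-"):
        raise ValueError("no service ticket in logout message")
    return ticket


# Constructed sample: hypothetical service logout URL and ticket.
SAMPLE_URL = build_logout_url("https://app.example.org/logout?lang=en", "ST-1-constructedExample")
```

Because the message arrives on an unauthenticated GET, the receiver treats it as untrusted input: one parameter only, strict base64, a size-limited inflate, and no DTD before XML parsing.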
...