Single Sign Out on clustered clients

Scott Battaglia scott.battaglia at gmail.com
Sun Oct 7 23:37:26 EDT 2007


Lucas,

I'm currently working on updating the CAS Client for Java (I've actually got
code, I just need to clean it up a little bit and document some of it).

Single Sign Out in a clustered environment is an interesting problem.  CAS
chose to contact the service via some backend mechanism so as to not rely on
the browser (and be flexible enough to support the Single Sign Out over
other protocols).  However, that means that we cannot rely on the
traditional methods that are used to detect which server a request should be
redirected to.  Without access to that additional information, the only
possible solution is that the applications are aware of all sessions (or
that the host information is somehow encoded into the service URL,
though I'm not sure that is possible).

-Scott

On 10/5/07, Lucas Rockwell <lucasrockwell at berkeley.edu> wrote:
>
> Hi all,
> We are currently running into Nicholas' issue as well. I see that a few
> people have asked if the Java client has been updated to support single
> sign-out, and someone else asked if any of the clients have been upgraded.
> My guess is none have been updated to support this feature, yet...
>
> It seems to me that Nicholas has a very valid concern.
>
> With our Rails apps (or any app that is clustered and uses a database) I
> figure the only way to do this would be to put the Service Ticket and the
> user's local session ID in a db, and then when CAS hands back the Service
> Ticket ID for logout, the app would have to look it up in the db, and then
> kill the session that is associated with the ticket. I think this is what
> Scott alludes to on the Single Sign Out wiki page.
>
> Have others thought about how this might work in an HA (clustered client
> applications) environment?
>
> Thanks.
>
> -lucas
>
> On Aug 29, 2007, at 7:49 AM, Rémond Nicolas wrote:
>
> Hi,
>
> After studying the Single Sign Out procedure, we are afraid that it won't
> work on a clustered client environment (with no session replication).
>
> If we understood well, the server stores the 'services' list at the ticket
> validation and uses this list to call the 'logout' on the services.
> The problem is that a single service may be provided by two different
> servers in cluster. The logout call will end up randomly in any server of
> the cluster.
>
> Our load balancer (as most load balancers do) uses a session cookie suffix
> to always send the end-user requests to the same server of the cluster. The
> problem is that logout request of the cas-server won't have this cookie so
> this will fail in some cases.
>
> Is this right?
>
> A solution would be that the 'validateTicket' request also contains the
> service "internal server name", so that the logout request can go directly
> to the proper client server node, without going through the load balancer. This
> is a very important feature for us and we are ready to help.
>
> Thanks,
>
> Nicolas Remond
>
>
>
> _______________________________________________
> Yale CAS mailing list
> cas at tp.its.yale.edu
> http://tp.its.yale.edu/mailman/listinfo/cas
>


-- 
-Scott Battaglia

LinkedIn: http://www.linkedin.com/in/scottbattaglia
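The approach Lucas describes (store the service ticket next to the user's local session id in a shared database, then on the back-channel logout look the ticket up and kill that session) is sketched below as an added, framework-neutral example; it is not code from the CAS client or from anyone on this thread. It assumes the CAS single sign-out message is a SAML LogoutRequest whose SessionIndex carries the service ticket id, stands in for the shared database with an in-memory sqlite table, and uses constructed ticket, session and user values. Two "nodes" share the store, so the logout request can land on either one, which is exactly Nicolas's load-balancer case.

```python
import sqlite3
import xml.etree.ElementTree as ET

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"

# Constructed sample of a CAS back-channel logout message (assumed format:
# SAML LogoutRequest with the service ticket id in SessionIndex).
SAMPLE_LOGOUT_REQUEST = """<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    ID="ID-constructed-1" Version="2.0" IssueInstant="2007-10-07T23:00:00Z">
  <saml:NameID xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">@NOT_USED@</saml:NameID>
  <samlp:SessionIndex>ST-1-example</samlp:SessionIndex>
</samlp:LogoutRequest>"""


def parse_logout_request(xml_text):
    """Return the service ticket id named in the logout request, or None if the
    message is not a LogoutRequest or carries no SessionIndex."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}LogoutRequest" % SAMLP_NS:
        return None
    idx = root.find("{%s}SessionIndex" % SAMLP_NS)
    return idx.text.strip() if idx is not None and idx.text else None


class SharedStore:
    """Stand-in for the database every cluster node reads and writes.
    In-memory sqlite here (hypothetical); a real deployment shares one DB."""

    def __init__(self):
        self.db = sqlite3.connect(":memory:", isolation_level=None)  # autocommit
        self.db.execute("CREATE TABLE sessions (session_id TEXT PRIMARY KEY, user TEXT)")
        self.db.execute("CREATE TABLE ticket_session (ticket TEXT PRIMARY KEY, session_id TEXT)")

    def create_session(self, session_id, user):
        self.db.execute("INSERT INTO sessions VALUES (?, ?)", (session_id, user))

    def bind_ticket(self, ticket, session_id):
        # Recorded at ticket validation time: this is the lookup key CAS will
        # hand back on logout.
        self.db.execute("INSERT INTO ticket_session VALUES (?, ?)", (ticket, session_id))

    def session_user(self, session_id):
        row = self.db.execute("SELECT user FROM sessions WHERE session_id = ?",
                              (session_id,)).fetchone()
        return row[0] if row else None

    def invalidate_by_ticket(self, ticket):
        """Kill the session bound to the ticket; returns the session id, or None
        if the ticket is unknown (already logged out, or never validated here)."""
        row = self.db.execute("SELECT session_id FROM ticket_session WHERE ticket = ?",
                              (ticket,)).fetchone()
        if row is None:
            return None
        session_id = row[0]
        self.db.execute("DELETE FROM sessions WHERE session_id = ?", (session_id,))
        self.db.execute("DELETE FROM ticket_session WHERE ticket = ?", (ticket,))
        return session_id


class ClientNode:
    """One application server behind the load balancer."""

    def __init__(self, name, store):
        self.name = name
        self.store = store

    def on_ticket_validated(self, ticket, user, session_id):
        # Called on whichever node the browser hit after /serviceValidate succeeded.
        self.store.create_session(session_id, user)
        self.store.bind_ticket(ticket, session_id)

    def current_user(self, session_cookie):
        return self.store.session_user(session_cookie)

    def on_logout_request(self, logout_request_xml):
        # The CAS server's request carries no session cookie, so it may arrive
        # on any node; the shared table makes the lookup work everywhere.
        ticket = parse_logout_request(logout_request_xml)
        if ticket is None:
            return None
        return self.store.invalidate_by_ticket(ticket)


def demo():
    store = SharedStore()
    node_a = ClientNode("a", store)
    node_b = ClientNode("b", store)
    node_a.on_ticket_validated("ST-1-example", "lucas", "sess-42")   # login landed on node a
    before = node_b.current_user("sess-42")                         # node b sees the DB-backed session
    killed = node_b.on_logout_request(SAMPLE_LOGOUT_REQUEST)        # logout landed on node b
    after = node_a.current_user("sess-42")                          # gone on node a as well
    again = node_b.on_logout_request(SAMPLE_LOGOUT_REQUEST)         # replayed logout is a no-op
    return before, killed, after, again


if __name__ == "__main__":
    print(demo())
```

Because the ticket id is the only key, an unknown or repeated ticket simply does nothing, and a logout request can only end the one session that was bound to that ticket at validation time; the endpoint that accepts these requests should still be reachable only from the CAS server, and the session table must be the same database on every node, otherwise the node that receives the request cannot find the session (which is the no-replication failure Nicolas describes).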