Seeking clarification on application/CAS logout behavior
James Stoll
jstoll at vbi.vt.edu
Sun Dec 14 15:58:07 EST 2008
I'm relatively new to CAS, so please forgive me if this is common
knowledge - I've searched, but not found any real clear direction.
We are using CAS with multiple CAS-integrated applications. I recognize
that CAS is currently a single-sign-on system, but not technically a
single-sign-out system. Currently, when a user logs out of any one
integrated application, it performs the logout process for that
application, then redirects to CAS and ends the CAS session. This is
causing some problems, in particular because some of our apps
communicate with others.
In one example, an AJAX 'dashboard' component in SystemA queries SystemB
(based on the user's identity from the CAS session) and displays summary
information from SystemB (for the user) in SystemA - if the user visits
SystemB directly however, then hits 'logout', SystemA can no longer
query SystemB, thus breaking the dashboard.
In another example, a centralized search system indexes content from
each of the applications, and at results rendering time, performs
authorization on results from each system based on the user's
CAS-identified identity (to determine whether the user has privs to see
the potential search hit or not). If a user was previously authenticated
to CAS and SystemX, but has subsequently logged out, the search
component then requires them to log back into CAS, even though they've
never left the search application.
It seems to me, as someone relatively new to this process, that ideally,
upon application logout, CAS would examine whether or not the user still
has an active session in any 'registered' applications (perhaps through
examination of a browser cookie?), and if the user is logging out of the
last active application session, then the CAS session would be
terminated, but if there were any other 'registered' application
sessions still active, then the CAS logout would not occur (just the
logout of the app from which the user hit the 'logout' link). I don't
want to tread on any sacred CAS/security ground on this, so am appealing
to those more in the know to let me know if this is mere sacrilege, true
security risk or perhaps even an impossibility.
Thanks!
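A small model of the two logout policies described above: the current behaviour (any application logout ends the CAS session) versus the proposed one (the CAS session ends only when the last registered application session is gone). This is an added illustration, not CAS code; the class and method names, ticket ids and service names are assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class SsoSession:
    tgt: str                                      # constructed ticket-granting ticket id
    services: set = field(default_factory=set)    # apps that validated a ticket for this session

class SsoServer:
    """Hypothetical SSO server tracking which apps a user has entered."""

    def __init__(self, policy="terminate_always"):
        assert policy in ("terminate_always", "terminate_when_last")
        self.policy = policy
        self.sessions = {}

    def login(self, tgt):
        self.sessions[tgt] = SsoSession(tgt)

    def service_login(self, tgt, service):
        # An app validated a service ticket: register its session under the SSO session.
        self.sessions[tgt].services.add(service)

    def app_logout(self, tgt, service):
        """App logs the user out and redirects to CAS. Returns True if the SSO session ended.

        Caveat from the post: the server only knows what apps reported to it; it cannot
        verify from here whether the browser still holds a live session in another app.
        """
        sess = self.sessions.get(tgt)
        if sess is None:
            return False
        sess.services.discard(service)
        if self.policy == "terminate_always" or not sess.services:
            del self.sessions[tgt]
            return True
        return False

    def is_active(self, tgt):
        return tgt in self.sessions

def scenario(policy):
    """User enters SystemA and SystemB, then hits 'logout' in SystemB only."""
    cas = SsoServer(policy)
    cas.login("TGT-1")                       # constructed sample ticket
    cas.service_login("TGT-1", "SystemA")
    cas.service_login("TGT-1", "SystemB")
    ended_on_b = cas.app_logout("TGT-1", "SystemB")
    return ended_on_b, cas.is_active("TGT-1")

if __name__ == "__main__":
    for policy in ("terminate_always", "terminate_when_last"):
        print(policy, scenario(policy))
```

Under the proposed policy SystemA's dashboard keeps a usable CAS session after the SystemB logout; under the current policy it does not.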