Unicon / shib-cas-authn3

Integrates an external CAS Server and Shibboleth IdPv3.
Apache License 2.0

Support Single Logout #20

Closed martinhaase closed 8 years ago

martinhaase commented 8 years ago

IdP 3.2.1+ supports SAML SLO. I see that some versions of CAS do support SLO as well. I did a short search in this code but couldn't find SLO or Logout mentioned. Suggestion would be to add this feature.

mmoayyed commented 8 years ago

How should this module support SLO, exactly?

martinhaase commented 8 years ago

Sorry for being ignorant - I have not yet studied how CAS does SLO. If it's via front-channel, I think chances are good that SAML front-channel SLO will be doable. I think that SAML back-channel/SOAP SLO would not work.

mmoayyed commented 8 years ago

No, not at all. I just figured you had a very specific solution in mind. The gist of it is that both CAS and Shib IdP support SLO. Both support front and back-channel (depending on version). So the easy approach would be to let the Shib IdP process its own SPs via its own preferred and configured back-channel logout, and when it's done you route the flow to CAS and let it do the same for CAS apps.

As such, I can't imagine there would be anything for this plugin to do other than maybe document the possibility?

martinhaase commented 8 years ago

Back there - we actually implemented something simple (R) given that CAS 4.x supports (still tagged experimental) front channel logout. Just put in logout.vm on the host this line: `<meta http-equiv="refresh" content="0; URL=https://cas.university.edu/cas/logout">` This will not do SAML logout propagation to other SPs, but in our case we do not need this feature now.