Closed martinhaase closed 8 years ago
How should this module support SLO, exactly?
Sorry for being ignorant - I have not yet studied how CAS does SLO. If it's via front-channel, I think chances are good that SAML front-channel SLO will be doable. I think that SAML back-channel/SOAP SLO would not work.
No, not at all. I just figured you had a very specific solution in mind. The gist of it is that both CAS and Shib IdP support SLO. Both support front and back-channel (depending on version). So the easy approach would be to let the Shib IdP process its own SPs via its own preferred and configured back-channel logout, and when it's done you route the flow to CAS and let it do the same for CAS apps.
As such, I can't imagine there would be anything for this plugin to do other than maybe document the possibility?
Back there - we actually implemented something simple (R) given that CAS 4.x supports (still tagged experimental) front channel logout. Just put in logout.vm on the host this line:
<meta http-equiv="refresh" content="0; URL=https://cas.university.edu/cas/logout">
This will not do SAML logout propagation to other SPs, but in our case we do not need this feature now.
IdP 3.2.1+ supports SAML SLO. I see that some versions of CAS do support SLO as well. I did a short search in this code but couldn't find SLO or Logout mentioned. Suggestion would be to add this feature.