rubycas / rubycas-client

Ruby client for Yale's Central Authentication Service protocol -- an open source enterprise single sign on system for web applications.
http://code.google.com/p/rubycas-client/

Single sign off not working as expected with authenticate on every request disabled #60

Closed KrisSiegel closed 8 years ago

KrisSiegel commented 11 years ago

When using single sign off the RubyCAS gem looks for the ticket passed to the web application in the logout message. Unfortunately this will be the latest ticket rather than the ticket the web application is most likely using when authenticate_on_every_request is disabled, making it impossible to end the current session.

This change looks at the authenticate_on_every_request configuration property to choose the correct experience to avoid the issue with single sign off enabled and authenticate on every request disabled.

Arguably maybe logoff should always be called; I'm not sure what would be most appropriate with CAS but this change resolved our sign off issues so please let me know if there are any glaring omissions here.

soupmatt commented 11 years ago

I'm not sure I understand what exactly you are trying to accomplish here. Could you add a test case that demonstrates the bug you are trying to fix?

KrisSiegel commented 11 years ago

Sure. I have a short term deliverable to complete but will give you a bunch of details shortly.

KrisSiegel commented 11 years ago

Matt, this "fix" turned out not to entirely solve my issue. So this should probably be closed but I think there is still an issue to resolve here as I had to vendor rubycas-client and modify it locally to get it to work for us with Jasig's Cas Server (3.3.1 if I remember correctly).

So our web application is actually displayed in iframes in 3 separate places. So each load it hits CAS, gets a new ticket or uses the existing ticket and moves along. When the logout message is sent to our web application the ticket sent NEVER matches the currently used ticket (I'm assuming this is because CAS server has generated a new ticket whereas we were re-using an old one since we have authenticate_on_every_request turned off).

The solution that we're using locally is inside of the filter method declaration. Specifically we're doing this now (added the reset_session; left the old call):

    if single_sign_out(controller)
      controller.send(:reset_session)   # added: clear the local session
      controller.send(:render, :text => "CAS Single-Sign-Out request intercepted.")
      return false
    end

I am unsure if this is an appropriate fix or not; I will see if I can create a small sample application with this behavior to show you.
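A constructed model of the ticket mismatch described in this thread, added here as an example and not code from rubycas-client or from the comments above: the CasSessionIndex class, the session and ticket ids and the sample LogoutRequest are assumptions. It shows why matching only the ticket first stored in a session fails once CAS has issued newer tickets for the same browser session, and one mitigation that remembers every validated ticket so a logout request naming any of them ends the session.

```ruby
require "rexml/document"
require "set"
# Constructed model of a CAS client's ticket-to-session index (not
# rubycas-client's code): every service ticket validated for a browser
# session is remembered, so a LogoutRequest naming any of them ends it.
class CasSessionIndex
  def initialize
    @tickets_by_session = {}   # session_id => Set of validated service tickets
  end
  # With authenticate_on_every_request disabled the browser keeps one local
  # session while CAS keeps issuing fresh tickets (one per iframe load here).
  def record_ticket(session_id, ticket)
    (@tickets_by_session[session_id] ||= Set.new) << ticket
  end
  # The lookup the thread describes failing: only the first stored ticket.
  def first_ticket(session_id)
    @tickets_by_session.fetch(session_id, Set.new).first
  end
  # The SessionIndex of a CAS logoutRequest is the service ticket to end.
  def self.session_index(logout_request_xml)
    doc = REXML::Document.new(logout_request_xml)
    ns = { "samlp" => "urn:oasis:names:tc:SAML:2.0:protocol" }
    node = REXML::XPath.first(doc, "//samlp:SessionIndex", ns)
    node && node.text.strip
  end
  # Returns the id of the session that was ended, or nil if none matched.
  def single_sign_out(logout_request_xml)
    ticket = self.class.session_index(logout_request_xml)
    session_id, _tickets = @tickets_by_session.find { |_, ts| ts.include?(ticket) }
    @tickets_by_session.delete(session_id) if session_id
    session_id
  end
end

# Constructed sample: three iframe loads gave one session three tickets;
# the LogoutRequest from CAS names only the newest one.
LOGOUT_REQUEST = <<~XML
  <samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="[RANDOM]" Version="2.0" IssueInstant="2013-01-01T00:00:00Z">
    <saml:NameID xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">@NOT_USED@</saml:NameID>
    <samlp:SessionIndex>ST-3-ccc</samlp:SessionIndex>
  </samlp:LogoutRequest>
XML

def demo
  index = CasSessionIndex.new
  %w[ST-1-aaa ST-2-bbb ST-3-ccc].each { |st| index.record_ticket("sess-42", st) }
  requested = CasSessionIndex.session_index(LOGOUT_REQUEST)
  naive_match = index.first_ticket("sess-42") == requested   # false: the bug
  ended = index.single_sign_out(LOGOUT_REQUEST)               # "sess-42"
  [naive_match, ended, index.single_sign_out(LOGOUT_REQUEST)] # second call: nil
end
```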

KrisSiegel commented 8 years ago

I just noticed this PR was still open but I guess that's not entirely uncommon here as this repo looks mostly abandoned now. So I'm just going to close this.