I'm not sure what you mean by the logoutUrl "supporting" SLO. If you mean
will SLO suddenly start working just because you put a value in that
property, then the answer is no.

The logoutUrl property is exactly what the documentation says it is -- a
way to let an application receive a logout request from the CAS server when
the application is using a CAS client that doesn't implement logout
requests itself (in this case, mod_auth_cas). It's completely up to you to
actually implement the logout process.

So, since "logging out" of mod_auth_cas involves manually deleting the
"MOD_AUTH_CAS_S" cookie from the browser, then I would suppose you could
make your logoutUrl point to "https://your.web.server/logout.html" or
something, and make logout.html contain some JavaScript to delete the
cookie:

<html>
<head></head>
<body>
  <!-- Expire the mod_auth_cas session cookie by giving it a date in the past -->
  <script>document.cookie = 'MOD_AUTH_CAS_S=; expires=Thu, 01 Jan 1970 00:00:01 GMT;';</script>
  <p>Goodbye!</p>
</body>
</html>


Note that the cookie is set relative to the path you secured with
mod_auth_cas, so you should put the logout.html file in the same directory
that you put your protected content in. This means that if you have
multiple directories protected by mod_auth_cas on the same server, you'll
need to put a logout.html into each one of them (or make the JavaScript
smarter than what's shown above).

Note that mod_auth_cas itself DOES NOT know anything about the logoutUrl.
This is basically a hack to get around the fact that mod_auth_cas does not
implement logout.

--Dave

P.S. - I have not tried any of the above, so you may need to play with it a
bit to get it to work.



--

DAVID A. CURRY, CISSP
*DIRECTOR OF INFORMATION SECURITY*
INFORMATION TECHNOLOGY

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 212 229-5300 x4728 • [email protected]
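
[Added example, not part of the message above and not code from mod_auth_cas: one way to make the logout page's JavaScript "smarter", by expiring the cookie at the page's own directory and every parent directory. The function names are hypothetical. It assumes the cookie is readable by script; a cookie issued with the HttpOnly attribute (see mod_auth_cas's CASCookieHttpOnly directive) cannot be changed from JavaScript.]

```javascript
// Added example: expire the mod_auth_cas cookie at every parent path of this page.
const EPOCH = 'Thu, 01 Jan 1970 00:00:01 GMT';

// A cookie is only replaced by one with the identical Path, and "/app" and
// "/app/" are different paths, so both spellings of each prefix are returned.
function candidatePaths(pathname) {
  const segments = pathname.split('/').filter(Boolean);
  if (!pathname.endsWith('/')) segments.pop(); // drop the file name (logout.html)
  const paths = ['/'];
  let prefix = '';
  for (const segment of segments) {
    prefix += '/' + segment;
    paths.push(prefix, prefix + '/');
  }
  return paths;
}

// Build one expired cookie string per candidate path.
function expiryStrings(name, pathname, secure) {
  return candidatePaths(pathname).map(
    (path) => `${name}=; expires=${EPOCH}; path=${path}${secure ? '; Secure' : ''}`
  );
}

// doc and loc are passed in so the function can be exercised outside a browser.
function clearCookie(doc, loc, name) {
  const strings = expiryStrings(name, loc.pathname, loc.protocol === 'https:');
  for (const s of strings) doc.cookie = s;
  return strings.length; // number of paths attempted
}

// In the browser (logout.html), clear the cookie named in the message above.
if (typeof document !== 'undefined' && typeof location !== 'undefined') {
  clearCookie(document, location, 'MOD_AUTH_CAS_S');
}
```

This only removes the browser's copy of the cookie, and it does not reach protected directories that are not parents of the logout page.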


On Thu, May 24, 2018 at 9:45 AM Ramakrishna G <[email protected]> wrote:

> Hey David,
>
> Firstly, thanks for your response and for clarifying a few things. My query
> to you now is:
>
> Does the logoutUrl property support SLO? If so, which cookies should I be
> deleting?
>
>
>
> On Thu, May 24, 2018 at 6:17 PM, David Curry <[email protected]>
> wrote:
>
>> What do you mean when you say you are "using mod_auth_cas for reverse
>> proxy to my cas server"? Mod_auth_cas is not a (reverse) proxy. It's simply
>> a way to control access to content on an Apache web server using CAS
>> authentication. Think of it as an alternative to HTTP Basic Authentication.
>> It seems like this was explained in an earlier thread; if you want to
>> spread the load across multiple CAS servers, you should just stick a load
>> balancer (NGINX, F5, etc.) in front of them. See, for example, the picture
>> here
>> https://apereo.github.io/cas/development/planning/High-Availability-Guide.html
>> .
>>
>> As for logging out, mod_auth_cas does not support SLO. This is documented
>> in the README file under "Known Limitations". If you really want to
>> implement logout with mod_auth_cas, you would somehow have to arrange for
>> the logout process (which mod_auth_cas is completely unaware of, since it
>> doesn't have its own "logout" link and it doesn't support SLO) to delete
>> the "MOD_AUTH_CAS_S" cookie from the user's browser. You MIGHT be able to
>> make use of the "logoutUrl" property in the service registry (
>> https://apereo.github.io/cas/development/installation/Logout-Single-Signout.html#service-endpoint-for-logout-requests)
>> to accomplish this, with the page that URL points to taking care of
>> deleting the cookie.
>>
>>
>>
>> --
>>
>> DAVID A. CURRY, CISSP
>> *DIRECTOR OF INFORMATION SECURITY*
>> INFORMATION TECHNOLOGY
>>
>> 71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
>> +1 212 229-5300 x4728 • [email protected]
>>
>>
>> On Thu, May 24, 2018 at 2:13 AM Ramakrishna G <[email protected]> wrote:
>>
>>> Hello,
>>>
>>> I am using Mod_auth_cas for reverse proxy to my CAS server. How do I
>>> achieve SLO and SSO using mod_auth_cas? Also, when I log out I am still able
>>> to access my application without authentication. Is this the way
>>> mod_auth_cas works?
>>>
>>> Thanks
>>> Ramakrishna G
>>>
>>> --
>>> - Website: https://apereo.github.io/cas
>>> - Gitter Chatroom: https://gitter.im/apereo/cas
>>> - List Guidelines: https://goo.gl/1VRrw7
>>> - Contributions: https://goo.gl/mh7qDG
>>> ---
>>> You received this message because you are subscribed to the Google
>>> Groups "CAS Community" group.
>>> To unsubscribe from this group and stop receiving emails from it, send
>>> an email to [email protected].
>>> To view this discussion on the web visit
>>> https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAGST5P_19UfBq%2BsefvrBRD9UBOJMQHQqJj%3DmJzvm3Op6JsSUAQ%40mail.gmail.com
>>> .
>>>
>>
>
>
