Hello,

We are using CAS 5.3.3 and delegating authentication to a 3rd party SAML2 identity provider. In this case, CAS is acting as a service provider to the identity provider. (https://apereo.github.io/cas/5.3.x/integration/Delegate-Authentication.html)

We are having a problem with terminating sessions and redirecting users back to the service that issued the logout request. There are 3 sessions: the application session, the CAS session, and the IdP session. It doesn't necessarily matter which order the sessions get terminated, but they all need to be terminated.

For example, here is what a desired logout flow might entail:

1. Click logout within application, which terminates the application session
2. Get redirected from the application to the CAS /logout URL, which terminates the CAS session
3. Get redirected to the 3rd party IdP, and terminate the IdP session
4. Get redirected back to the application login page that initially issued the logout request
We prefer to have a pure CAS configuration solution, meaning that we want all the configuration for this process to reside within CAS.

We have tried using cas.logout.followServiceRedirects=true, which will redirect us back to the application that initially issued the logout request, but it will stop there and not terminate the IdP session.

We have also tried using cas.logout.redirectUrl=<IdP logout URL> which will terminate all three sessions, but it will not redirect us back to the application that initially issued the logout request.

Using a combination of these two does not seem to work. It seems like followServiceRedirects takes precedence over redirectUrl.

We are doing this in a test environment, so there is no concern about breaking production.

Any help on this would be greatly appreciated. Please let me know if you need any additional information.
