CAS 3.1 is designed to support single sign out. Whenever a Ticket Granting Ticket is explicitly expired, the logout protocol will be initiated. Clients that do not support the logout protocol may notice extra requests in their access logs that appear not to do anything.
Where Single Sign Out Works:
- Clients / Languages whose session management is maintained on the server side. CAS clients can then access session information to end the session.
Where Single Sign Out Doesn't Work:
- Clients / Languages whose only session management consists of cookies. CAS does not have access to the browser's cookies and therefore cannot terminate such a session. (Closing the browser window, however, should end it.)
How it works:
When a CAS session ends, CAS calls back each of the services that are registered with the system and sends a POST request containing the following:
<samlp:LogoutRequest ID="[RANDOM ID]" Version="2.0" IssueInstant="[CURRENT DATE/TIME]">
  <saml:NameID>@NOT_USED@</saml:NameID>
  <samlp:SessionIndex>[SESSION IDENTIFIER]</samlp:SessionIndex>
</samlp:LogoutRequest>
The URL that will be POSTed to is the original service URL.
Currently the session identifier is the same as the CAS Service Ticket (the service ticket should be long enough to be unguessable). On the client side, the session identifier should map back to a session that can be terminated (i.e. deleted from a database, expired, etc.).
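The client side of this exchange, as an added example that is not part of the CAS documentation or client libraries: a handler receives the back-channel POST, extracts the SessionIndex from the LogoutRequest, and terminates the server-side session that was keyed by that service ticket. It assumes the XML is delivered in a form field named "logoutRequest" and carries the SAML 2.0 namespace declarations; both are assumptions, since the page shows only the XML body.

```python
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode

SAML_P = "urn:oasis:names:tc:SAML:2.0:protocol"  # SAML 2.0 protocol namespace

# Constructed sample of what the CAS server POSTs to the service URL. The form field
# name "logoutRequest" and the ticket/session values are assumptions for this example.
SAMPLE_XML = (
    '<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="LR-1-example" '
    'Version="2.0" IssueInstant="2024-01-01T00:00:00Z">'
    '<saml:NameID>@NOT_USED@</saml:NameID>'
    '<samlp:SessionIndex>ST-1-example</samlp:SessionIndex>'
    '</samlp:LogoutRequest>'
)
SAMPLE_BODY = urlencode({"logoutRequest": SAMPLE_XML})


class SessionStore:
    """Server-side sessions, indexed by the CAS service ticket that created them."""

    def __init__(self):
        self.sessions = {}      # local session id -> user
        self.ticket_index = {}  # CAS service ticket -> local session id

    def create(self, service_ticket, local_id, user):
        self.sessions[local_id] = user
        self.ticket_index[service_ticket] = local_id

    def invalidate_by_ticket(self, service_ticket):
        """Drop the session mapped to this ticket; True if one existed."""
        local_id = self.ticket_index.pop(service_ticket, None)
        return self.sessions.pop(local_id, None) is not None


def session_index_from(xml_text):
    """Return the SessionIndex of a LogoutRequest, or None if this is not one."""
    # Back-channel input is untrusted; a hardened parser such as defusedxml is preferable.
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAML_P}}}LogoutRequest":
        return None
    el = root.find(f"{{{SAML_P}}}SessionIndex")
    return el.text.strip() if el is not None and el.text else None


def handle_single_logout(post_body, store):
    """Process one back-channel POST; returns 'terminated', 'unknown' or 'ignored'."""
    xml_text = parse_qs(post_body).get("logoutRequest", [None])[0]
    if not xml_text:
        return "ignored"            # an ordinary request, not a logout callback
    try:
        ticket = session_index_from(xml_text)
    except ET.ParseError:
        return "ignored"            # malformed XML: never act on it
    if ticket is None:
        return "ignored"
    return "terminated" if store.invalidate_by_ticket(ticket) else "unknown"
```

A client that does not recognise the ticket should still answer with a success status; the callback is fire-and-forget from the server's side.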
Alternative future choices for this protocol would be to transfer the LogoutRequest via SOAP (like SAML 1.1 responses).
Disabling Single Sign Out on the Server
Because not all clients support single sign out, you may need to disable it at the server level. Each ArgumentExtractor has a property called "disableSingleSignOut", which, when set to true, prevents the callback from occurring.