Redirect on logout for idp3 and CAS?

Marvin Addison marvin.addison at gmail.com
Tue Apr 12 12:10:57 EDT 2016


On Tue, Apr 12, 2016 at 10:52 AM O'Dowd, Josh <Josh.O'Dowd at mso.umt.edu>
wrote:

> Does a 'return' parameter in the logout URL seem a prudent enhancement,
> since the NativeSP has that functionality and Jasig CAS offers that
> capability as well?
>

I'm not in favor of it. The return parameter was never specified in the CAS
protocol v2 spec, and its introduction into the Jasig CAS server was (to
me) a curious addition. I'm unaware of the use cases that drove its
creation, but I am aware that it was the source of at least one security
issue (XSS vector). Maybe if you could articulate the value I'd be more
willing, but I just don't understand what value it provides.

M