Redirect on logout for idp3 and CAS?

Marvin Addison marvin.addison at
Tue Apr 12 12:10:57 EDT 2016

On Tue, Apr 12, 2016 at 10:52 AM O'Dowd, Josh <Josh.O'Dowd at>

> Does a 'return' parameter in the logout URL seem a prudent enhancement ,
> since the NativeSP has that functionality and Jasig CAS offers that
> capability as well?

I'm not in favor of it. The return parameter was never specified in the CAS
protocol v2 spec, and its introduction into the Jasig CAS server was (to
me) a curious addition. I'm unaware of the use cases that drove its
creation, but I am aware that it was the source of at least one security
issue (XSS vector). Maybe if you could articulate the value I'd be more
willing, but I just don't understand what value it provides.

M <users-unsubscribe at>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the users mailing list