Redirect on logout for idp3 and CAS?

Cantor, Scott cantor.2 at
Tue Apr 12 12:15:53 EDT 2016

> I'm not in favor of it. The return parameter was never specified in the CAS
> protocol v2 spec, and its introduction into the Jasig CAS server was (to me) a
> curious addition. I'm unaware of the use cases that drove its creation, but I
> am aware that it was the source of at least one security issue (XSS vector).
> Maybe if you could articulate the value I'd be more willing, but I just don't
> understand what value it provides.

I was about to respond to my own note by highlighting that there are really two big cases:

- reacquiring full frame UI
- state management

The former is a problem for SLO, as I said, and the latter is an example of the behavior I was just referring to, where the final cleanup is post- and not pre-

SAML supports this nominally because it does propagate RelayState back, but it leads to serious bugs where the application that starts the logout stays logged in if it doesn't get a response back, and that's bad. So while it "works" in SAML, it's bad design.

It is also an XSS issue, yes. The Shibboleth SP has hooks for preventing that, but most people don't configure them.

-- Scott
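The thread points at the core problem with an unspecified `return` parameter: the value comes straight from the request, so if the server redirects to it or reflects it into the "you are logged out" page without checks, it is an open redirect and an XSS vector. The following added example (not code from the thread, from Jasig CAS, or from the Shibboleth SP) shows the kind of allowlist check and output escaping a logout endpoint would apply before using such a parameter; the host list and function names are assumptions for illustration.

```python
"""Allowlist validation for a logout return URL before it is used as a
redirect target or reflected into HTML.  Constructed example; the host
list below is a placeholder, not a real deployment's configuration."""
import html
from urllib.parse import urlsplit

# Hypothetical allowlist: hosts an administrator has registered as
# legitimate post-logout return targets.
ALLOWED_RETURN_HOSTS = {"app.example.edu", "portal.example.edu"}


def validate_return_url(url, allowed_hosts=ALLOWED_RETURN_HOSTS):
    """Return the URL unchanged if it is a safe redirect target, else None."""
    if not isinstance(url, str) or not url:
        return None
    # Control characters, whitespace and backslashes are rejected outright:
    # they are the usual tools for header injection and parser confusion
    # (browsers treat '\' as '/' in the authority, for example).
    if any(ord(c) < 0x20 or ord(c) == 0x7F or c.isspace() for c in url):
        return None
    if "\\" in url:
        return None
    parts = urlsplit(url)
    # Only absolute https URLs are accepted.  This single check rejects
    # javascript:, data:, vbscript:, scheme-relative '//host' and bare paths.
    if parts.scheme.lower() != "https":
        return None
    # 'https://trusted@evil.example/' parses with hostname 'evil.example';
    # refuse any userinfo rather than trying to reason about it.
    if parts.username is not None or parts.password is not None:
        return None
    try:
        parts.port  # raises ValueError on a malformed port
    except ValueError:
        return None
    # hostname is already lowercased by urlsplit; exact match against the allowlist.
    if parts.hostname is None or parts.hostname not in allowed_hosts:
        return None
    return url


def logout_page_link(url):
    """Render the post-logout page fragment.  The link is only emitted for a
    validated URL and is always HTML-escaped, so even an allowlisted URL
    containing quotes cannot break out of the href attribute."""
    safe = validate_return_url(url)
    if safe is None:
        return "<p>You have been logged out.</p>"
    return (
        '<p>You have been logged out. <a href="%s">Return to the application</a></p>'
        % html.escape(safe, quote=True)
    )


def logout_redirect_headers(url):
    """Headers for a 302 back to the caller, or None if the URL fails validation
    (in which case the endpoint should render the static page instead)."""
    safe = validate_return_url(url)
    if safe is None:
        return None
    return {"Location": safe}


if __name__ == "__main__":
    for candidate in (
        "https://app.example.edu/after-logout",
        "javascript:alert(1)",
        "https://app.example.edu@evil.example/",
        "//evil.example/",
        "http://app.example.edu/",
    ):
        print(repr(candidate), "->", validate_return_url(candidate))
```

The two defences are independent: the allowlist stops the redirect from leaving the registered hosts, and the escaping stops a value that passed the allowlist from being interpreted as markup. Dropping the link when validation fails, rather than echoing the bad value back in an error message, avoids reintroducing the reflection the check was meant to remove.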
