CAS app logout in IDP SLO

Michael A Grady mgrady at
Tue Mar 3 14:19:44 EST 2020

> On Mar 3, 2020, at 1:12 PM, Cantor, Scott <cantor.2 at> wrote:
> On 3/3/20, 1:39 PM, "users on behalf of Zico" <users-bounces at on behalf of mailzico at> wrote:
>> Seems like... IDP is killing it's own session but IDP generated ticket for CAS app is still there which is allowing user to
>> cas login even after logout from IDP. 
> The CAS ticket is not a long-lived thing, it has nothing to do with sessions or how logout happens. CAS logout is back channel only, it only works if the application isn't maintaining sessions in cookies and/or can't clear them from memory alone.

It doesn't appear to be back-channel only, it appears to in some cases pass a POST back thru the user's browser with a logoutRequest parameter. But it also doesn't seem to be consistent. But at least in some cases, it appears to be propagating the logout to participating CAS services thru such a POST thru the browser.

Michael A. Grady
IAM Architect, Unicon, Inc.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the users mailing list