To be frank, if you're using CAS for authentication, just turn off the IdP's sessions altogether (it's one property to toggle off). CAS should handle the SSO for you. Logout isn't workable anyway (especially with proxied authentication) and is a bad reason to deploy a database.

-- Scott