
CAS Single Logout (SLO) Work Flow

How does CAS single logout (SLO) work?

NOTE: Single Logout (SLO) needs CAS Server support.

With Single Logout (SLO), the user is logged out not only from the CAS Server, but also from all visited CAS client applications.

django-cas-ng has proudly supported SLO since 3.5.0. The implementation is part of python-cas.

Technical Detail

If SLO is supported by the CAS Server, the CAS Server MUST send an HTTP POST request containing a logout XML document to all service URLs provided to CAS during this CAS session whenever a Ticket Granting Ticket is explicitly expired by the user (e.g. during logout).

CAS Clients that do not support the SLO POST requests MUST ignore these requests. SLO requests MAY also be initiated by the CAS Server upon TGT idle timeout.

Example Flow of Single Logout (SLO)

[Figure: CAS single logout flow]

XML request body in steps 5 and 7:

<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
   ID="[RANDOM ID]" Version="2.0" IssueInstant="[CURRENT DATE/TIME]">
  <saml:NameID xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
    @NOT_USED@
  </saml:NameID>
  <samlp:SessionIndex>[SESSION IDENTIFIER]</samlp:SessionIndex>
</samlp:LogoutRequest>
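
A minimal client-side handler for the logout POST above, added here as an example; it is not django-cas-ng or python-cas code. It assumes the SessionIndex carries the service ticket the client stored at login; TicketSessionMap, MAX_BODY and the sample values are hypothetical.

```python
import xml.etree.ElementTree as ET

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
MAX_BODY = 8192  # assumed cap; a logout request is a few hundred bytes


def session_index_from_logout(body: bytes):
    """Return the SessionIndex of a CAS LogoutRequest, or None if body is not one."""
    # The POST is unauthenticated input: refuse oversized bodies and inline DTDs
    # (byte-level check for ASCII/UTF-8 bodies) before handing them to the parser.
    if len(body) > MAX_BODY or b"<!DOCTYPE" in body or b"<!ENTITY" in body:
        return None
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return None
    node = root.find(f"{{{SAMLP_NS}}}SessionIndex")
    if root.tag != f"{{{SAMLP_NS}}}LogoutRequest" or node is None:
        return None
    return (node.text or "").strip() or None


class TicketSessionMap:
    """Hypothetical in-memory map from service ticket to local session key."""

    def __init__(self):
        self._by_ticket = {}
        self.sessions = {}

    def login(self, ticket, session_key, user):
        self._by_ticket[ticket] = session_key
        self.sessions[session_key] = user

    def handle_slo(self, body: bytes) -> bool:
        """Destroy the session tied to the ticket in body; True if one was removed."""
        ticket = session_index_from_logout(body)
        session_key = self._by_ticket.pop(ticket, None) if ticket else None
        if session_key is None:
            return False  # malformed request or unknown ticket: ignore it
        self.sessions.pop(session_key, None)
        return True


# Constructed sample request; the ID, timestamp and ticket value are made up.
SAMPLE = b"""<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
   ID="LR-1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:NameID xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">@NOT_USED@</saml:NameID>
  <samlp:SessionIndex>ST-1-constructed</samlp:SessionIndex>
</samlp:LogoutRequest>"""
```

Because the request carries no credentials, the ticket value is the only thing tying it to a session, so the map is keyed on the ticket and the ticket is consumed on first use.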
