Central Authentication Service (CAS) Single Logout (SLO) Work Flow

How CAS single logout (SLO) works?

Last Update: February 22, 2022

SLO Overview

NOTE: Single Logout (SLO) need CAS Server support.

With Single Logout (SLO), user gets logged out not only from the CAS Server, but also from all visited CAS client applications.

django-cas-ng proudly support SLO since release 3.5.0. The implementation is part of python-cas .

Technical Detail

If SLO is supported by the CAS Server, the CAS Server MUST send a HTTP POST request containing a logout XML to all service URLs provided to CAS during this CAS session whenever a Ticket Granting Ticket is explicitly expired by the user (e.g. during logout).

CAS Clients that do not support the SLO POST requests MUST ignore these requests. SLO requests MAY also be initiated by the CAS Server upon TGT idle timeout.

Example Flow of Single Logout (SLO)

XML request body in step 5 and 7:

<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
   ID="[RANDOM ID]" Version="2.0" IssueInstant="[CURRENT DATE/TIME]">
  <saml:NameID xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
    @NOT_USED@
  </saml:NameID>
  <samlp:SessionIndex>[SESSION IDENTIFIER]</samlp:SessionIndex>
</samlp:LogoutRequest>

Reference

OmniLock - Block / Hide App on iOS

Block distractive apps from appearing on the Home Screen and App Library, enhance your focus and reduce screen time.

DNS Firewall for iOS and Mac OS

Encrypted your DNS to protect your privacy and firewall to block phishing, malicious domains, block ads in all browsers and apps