Central Authentication Service (CAS) Single Logout (SLO) Work Flow
NOTE: Single Logout (SLO) need CAS Server support.
With Single Logout (SLO), user gets logged out not only from the CAS Server, but also from all visited CAS client applications.
django-cas-ng proudly support SLO since release 3.5.0. The implementation is part of python-cas .
If SLO is supported by the CAS Server, the CAS Server MUST send a HTTP POST request containing a logout XML to all service URLs provided to CAS during this CAS session whenever a Ticket Granting Ticket is explicitly expired by the user (e.g. during logout).
CAS Clients that do not support the SLO POST requests MUST ignore these requests. SLO requests MAY also be initiated by the CAS Server upon TGT idle timeout.
Example Flow of Single Logout (SLO)
XML request body in step 5 and 7:
<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="[RANDOM ID]" Version="2.0" IssueInstant="[CURRENT DATE/TIME]"> <saml:NameID xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"> @NOT_USED@ </saml:NameID> <samlp:SessionIndex>[SESSION IDENTIFIER]</samlp:SessionIndex> </samlp:LogoutRequest>
Encrypted your DNS to protect your privacy and firewall to block phishing, malicious domains, block ads in all browsers and apps