...
The user either browses to or is redirected to the CAS Logout page. At this point, all credentials, cookies, and sessions are valid.
Phase 2
CAS receives the logout request from the user and begins the single sign out process:
- CAS sends a logout form post to the url used as a service url when the user authenticated to WebApp1. This form post is a saml assertion indicating a session should be expired and contains the service ticket the user was issued when authenticating to the application.
- WebApp1 receives the request, parses it and looks up the session containing the corresponding service ticket. Once found, it deletes the session. Although the user still has the session set on the browser, future requests to this webapp will result in a redirection to CAS for login.
- CAS sends a logout form post to the url used as a service url when the user authenticated to WebApp1. This form post is a saml assertion indicating a session should be expired and contains the service ticket the user was issued when authenticating to the application.
- WebApp2 receives the request, parses it and destroys the cache entry containing the corresponding service ticket. Although the user and application still share the session any future requests to this webapp will involve a check of the authentication cache. This check will fail, causing the webapp to delete the session and redirect the user to CAS for authentication.
- CAS renders the logout page to the user's browser, including a header deleting the CAS TGT cookie.
- The user is now logged out from CAS and all webapps logged into during the CAS single sign on session.
Supporting Single Sign Out in Applications
...