
In order for a client application to support single sign out, it must store the service ticket used to authenticate the user together with the local authentication session. It must then be able to look up that service ticket from any HTTP request, so that the matching local session can be deleted when the logout request arrives. In practice this means the client application must either allow programmatic access to all sessions, or implement a shared cache of authentication credentials (keyed by service ticket) that is consulted on each page request.

Pseudocode implementation:

// Step 1: Check for a LogoutRequest form post sent by the CAS server
if(post.LogoutRequest != null){
	// The SessionIndex carries the service ticket that opened the session
	serviceTicket = XMLSearch(post.LogoutRequest, "samlp:LogoutRequest/samlp:SessionIndex");
	if (serviceTicket != null)
		deleteSessionAndCacheEntry(serviceTicket);
}

// Step 2: Normal CAS process - check for a service ticket on the URL
if(url.ticket != null) {
	HTTPResponse = HTTPGet(CAS_SERVER_URL+VALIDATION_PATH+"?ticket="+url.ticket+"&service="+SERVICE_URL);
	userID = XMLSearch(HTTPResponse, "cas:serviceResponse/cas:authenticationSuccess/cas:user");
	if(userID != null){
		// Remember the ticket alongside the session so Step 1 can find it later
		createSessionAndCacheEntry(url.ticket, userID);
		redirect(SERVICE_URL);
	}
	else {
		redirectToCASforAuthentication();
	}
}
// Step 3: Normal CAS process - check for an existing session
else if(session.ID != null) {
	AuthUser = validateSessionAndCacheEntry(session.ID);
	if(AuthUser != null) {
		request.AuthUser = AuthUser;
	}
	else {
		// Session is stale or was removed by single sign out
		deleteSessionAndCacheEntry(session.ID);
		redirectToCASforAuthentication();
	}
}
// Step 4: Normal CAS process - redirect for authentication
else {
	redirectToCASforAuthentication();
}
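The following is an added example, not code from the original page or from any CAS client library: it implements the ticket-keyed session cache and the Step 1 LogoutRequest handling described above in Python, assuming a hypothetical in-memory `SessionStore` (a real deployment would back it with a shared store) and a constructed sample LogoutRequest message.

```python
import secrets
import xml.etree.ElementTree as ET

# Namespace of the SAML LogoutRequest that the CAS server posts to the client.
NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol"}

# Constructed sample message (not captured from a real CAS server).
SAMPLE_LOGOUT_REQUEST = (
    '<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="LR-1" Version="2.0" '
    'IssueInstant="2024-01-01T00:00:00Z"><saml:NameID>@NOT_USED@</saml:NameID>'
    '<samlp:SessionIndex>ST-1-example</samlp:SessionIndex></samlp:LogoutRequest>')


class SessionStore:
    """Local sessions plus the shared ticket -> session cache the text calls for.
    Hypothetical in-memory version; a real deployment uses a store all instances share."""

    def __init__(self):
        self.sessions = {}      # session_id -> user id
        self.ticket_index = {}  # service ticket -> session_id

    def create_session(self, ticket, user):
        """Step 2: ticket validated, so open a session and remember its ticket."""
        session_id = secrets.token_urlsafe(32)
        self.sessions[session_id] = user
        self.ticket_index[ticket] = session_id
        return session_id

    def user_for_session(self, session_id):
        """Step 3: None means the session is gone, e.g. single sign-out ran."""
        return self.sessions.get(session_id)

    def handle_logout_request(self, logout_xml):
        """Step 1: take SessionIndex from the SAML LogoutRequest and delete the
        session it maps to. Returns True only if a session was actually removed."""
        try:
            root = ET.fromstring(logout_xml)
        except ET.ParseError:
            return False
        idx = root.find("samlp:SessionIndex", NS)
        if idx is None or not idx.text:
            return False
        session_id = self.ticket_index.pop(idx.text.strip(), None)
        return self.sessions.pop(session_id, None) is not None  # unknown ticket: no-op
```

A malformed or unknown LogoutRequest is ignored rather than raising, so a replayed or stray request cannot disturb other sessions.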