
CAS Single Sign Out

CAS includes a number of security features that are designed to limit the damage caused by a security breach in a client application. Specifically, CAS scopes the CAS TGT cookie, which holds the Single Sign On credentials, so that it is only delivered to the CAS server itself. CAS client applications therefore do not have access to any central credential which could be used to gain access to other CAS protected services. CAS clients instead perform a service ticket validation, which results in CAS providing an authenticated user id to the requesting client application. It is then up to the client application to set up a secure session and handle expiration and renewal of that session.
Therefore, a user's CAS single sign on session consists of a single TGT scoped to the CAS server and numerous sessions scoped to the client application servers. This presents a problem when attempting to log the user out of all services during the CAS logout process.

Single Sign Out Protocol

CAS's approach to single sign out is to store the service url of each service the user logs into during a single sign on session, along with the service ticket used to authenticate the user to that service. When that user then browses to the CAS logout page, the CAS server sends an https form post to each service url with a security assertion containing the service ticket for the user. CAS clients are then expected to parse the logout assertion and destroy the local session for that user.

Sign Out Example

Supporting Single Sign Out in Applications

In order for a client application to support single sign out, it must store the service ticket used to authenticate the user along with the local authentication session. It must then be able to look up that session by service ticket from any http request, so the local session can be deleted when the logout post arrives. In practice this means that the client application must either allow programmatic access to all sessions, or the client must implement a shared cache of authentication credentials that is consulted on each page request.
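The following is an added example of the client side of the protocol above and the session bookkeeping described in this section; it is not code from the CAS project or from this page. It assumes the logout post carries a parameter named logoutRequest whose value is a SAML LogoutRequest whose SessionIndex element holds the service ticket (that is the shape of the CAS single sign out message; the page itself only says "a security assertion containing the service ticket"). The class and function names, the sample ticket value, and the in-memory registry are all hypothetical; a real deployment would back the registry with the shared cache the text mentions so that any application node can honour a logout post.

```python
"""Added example: CAS client-side single sign out handling (hypothetical code)."""
import secrets
import threading
import xml.etree.ElementTree as ET

# Namespace of the SAML 2.0 protocol elements used in a CAS logoutRequest
# (assumed message format, see lead-in).
SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"


class SessionRegistry:
    """Maps CAS service tickets to local application sessions.

    A CAS client holds no central credential it could revoke, so the only way
    to honour a logout post is to remember which local session was created
    from which service ticket and drop that session on demand.
    """

    def __init__(self):
        self._lock = threading.Lock()
        self._by_ticket = {}   # service ticket -> local session id
        self._sessions = {}    # local session id -> session data

    def create_session(self, service_ticket, user_id):
        """Called after a successful ticket validation; returns the local session id."""
        session_id = secrets.token_urlsafe(32)
        with self._lock:
            self._sessions[session_id] = {"user": user_id, "ticket": service_ticket}
            self._by_ticket[service_ticket] = session_id
        return session_id

    def get_user(self, session_id):
        with self._lock:
            sess = self._sessions.get(session_id)
        return sess["user"] if sess else None

    def invalidate_by_ticket(self, service_ticket):
        """Destroy the local session created from this ticket; False if unknown."""
        with self._lock:
            session_id = self._by_ticket.pop(service_ticket, None)
            if session_id is None:
                return False
            self._sessions.pop(session_id, None)
        return True


def extract_session_index(logout_request_xml):
    """Return the service ticket carried in a logoutRequest document, or None
    when the body is not a well-formed LogoutRequest with a SessionIndex."""
    try:
        root = ET.fromstring(logout_request_xml)
    except ET.ParseError:
        return None
    if root.tag != f"{{{SAMLP_NS}}}LogoutRequest":
        return None
    idx = root.find(f"{{{SAMLP_NS}}}SessionIndex")
    if idx is None or not idx.text or not idx.text.strip():
        return None
    return idx.text.strip()


def handle_single_logout(registry, form):
    """Process one logout post from the CAS server. `form` is the parsed body
    (field name -> value). Returns True when a local session was destroyed.
    An unknown ticket is not an error: the local session may simply have
    expired already, so the application should still answer with HTTP 200."""
    ticket = extract_session_index(form.get("logoutRequest", ""))
    if ticket is None:
        return False
    return registry.invalidate_by_ticket(ticket)


# Constructed sample message in the assumed shape; the ticket value is made up.
SAMPLE_LOGOUT_REQUEST = f"""<samlp:LogoutRequest xmlns:samlp="{SAMLP_NS}"
    ID="_constructed-id-1" Version="2.0" IssueInstant="2009-01-01T00:00:00Z">
  <saml:NameID xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">@NOT_USED@</saml:NameID>
  <samlp:SessionIndex>ST-1234-constructed-example</samlp:SessionIndex>
</samlp:LogoutRequest>"""


def demo():
    """Log a user in from a ticket, then replay the logout post for that ticket."""
    registry = SessionRegistry()
    sid = registry.create_session("ST-1234-constructed-example", "jsmith")
    removed = handle_single_logout(registry, {"logoutRequest": SAMPLE_LOGOUT_REQUEST})
    return removed, registry.get_user(sid)


if __name__ == "__main__":
    print(demo())
```

The registry is keyed by service ticket rather than by user name because the logout post identifies the session by ticket only, and one user may have several sessions with the same service. Rejecting anything that is not a LogoutRequest with a SessionIndex keeps a malformed or unrelated post from touching any session.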
