/
CAS Single Logout (SLO) to be Disabled

CAS Single Logout (SLO) to be Disabled

Per the CAS Protocol, the /logout endpoint is responsible for destroying the current Single Signon (SSO) session. UH Login's CAS currently supports SLO.

However, because SLO may affect other applications using SSO[*], SLO will be disabled in future deployments of CAS.

It is currently disabled in the following CAS environment:

  • https://cas-future-test.its.hawaii.edu (currently CAS version 6.3)

When CAS is updated to 6.3 in our production environment on 2021-08-15, it will also be disabled there as well.

  • https://authn.hawaii.edu

This will be consistent with the SLO policy already in effect for our Shibboleth IdP SSO service.

[*] From the CAS documentation for Single Logout (SLO):

When a CAS session ends, it notifies each of the services that the SSO session is no longer valid, and that relying parties need to invalidate their own session. Remember that the callback submitted to each CAS-protected application is a notification; nothing more. It is the responsibility of the application to intercept that notification and properly destroy the user authentication session, either manually, via a specific endpoint or more commonly via a CAS client library that supports SLO.

Also note that since SLO is a global event, all applications that have an authentication record with CAS will by default be contacted, and this may disrupt user experience negatively if those applications are individually distinct from each other. As an example, if a user has logged into a portal application and an email application, logging out of one through SLO will also destroy the user session in the other which could mean data loss if the application is not carefully managing its session and user activity