
CAS logout on non-drupal site doesn't log out drupal site

Project: CAS
Version: 5.x-4.x-dev
Component: Code
Category: support request
Priority: critical
Assigned: Unassigned
Status: closed (fixed)

Issue Summary

I'm integrating my Drupal site with an existing CAS server. Everything is set up at this point, but I ran into an issue in testing. Here are the steps I take.

1. Log into Drupal site
2. Link to an external CAS-ified site that is a Jasper reports server.
3. Log out of the Jasper server (which takes me back to CAS login screen)
4. Return to Drupal site
5. Instead of prompting to login again, Drupal site still shows as logged in.

Any pointers?

Comments

#1

I should say in step 4 that I don't log in again at that point.

#2

Unless you have a CAS server that supports "single sign out", this is kind of expected behavior. When Jasper redirects to your CAS server, Drupal has no way of knowing that occurred. Single sign out is a fairly new development in CAS. Normally the CAS server will direct you to close your browser, which (if your settings.php file is configured correctly) should also close your Drupal session. You may need to speak to your CAS administrators about single-sign-out support for CAS.

Dave

#3

Well... there are several other sites hooked into this CAS server and it works for all other sites. I can log out of any of the sites (including the Drupal site) and all the other sites recognize that I've been logged out. This really feels like there is something related to this module causing the problem. I'll try to dig into the source code and see if I can figure something out. It feels like the CAS module is saying that a token is valid even if it's not.

#4

The current 5.x releases of the CAS module do not yet support single sign out. The only place where that code currently exists is in HEAD. I'll work on building a new 5.x release of CAS here soon that will include this functionality.

#5

So if I use a 5.x dev version, should that get it? Any idea what the time frame on "soon" would be. Thanks for the info.

#6

Version: 5.x-3.0 » 5.x-4.x-dev

I just created a new dev snapshot release that includes the code for 5.x. It should build sometime tonight. You should be able to download and test tomorrow. If testing goes well, I'll release a beta from the dev release this week.

#7

That's great. Thanks a lot. Forgive my ignorance on this, but with many projects I see a nightly dev version to download. I don't see one for CAS. Am I just missing it, or do I just need to do a CVS checkout? Not sure how to get these changes.

#8

Turns out I needed to enable them for the new branches I created. They are there now.

Dave

#9

Ok... got it downloaded and tested and I still see the same behavior. I checked the "enable single-sign out" box. If I log in to the Drupal site, link to another CAS site, log out of that CAS site, and go back to the Drupal site I'm still logged in.

#10

Is there any way to have the CAS module intercept every single request and check if the user is logged out, versus waiting on the callback from the CAS server?

#11

The CAS module doesn't know when you've logged out of the report server. How can it check every request? The problem is that you're on another site (not Drupal) when you log out. Hopefully someone else who has direct experience with single sign out will chime in here.

#12

Right, but when I log out of the report server, doesn't that set a token (or invalidate the token) that the CAS module could then check for next time the user visits the Drupal site? Sorry... I know some of this is because of my inexperience with SSO. What exactly did the single sign out code you just added accomplish? Does it respond to a callback from the CAS server? Would you be interested in visiting offline via Skype or IM? I could probably get some compensation approved. Then we could report our ultimate findings here.

#13

Yes, the code that I posted is supposed to respond to a logout request by the CAS server. Make sure you ran update.php after installing it, because it needs to create some tables that keep track of the ticket.

So when you get redirected to the CAS server and log in, the CAS server sets a cookie that is only available to the CAS server. It also generates and stores a one-time-use ticket tied to the service that is authenticating via CAS (in this case Drupal). This ticket is passed on the URL when the CAS server tells the client to redirect back to Drupal. Drupal then checks that ticket to find the logged-in user. Once this check is performed, the ticket is no longer valid for testing authentication, but it is saved by the CAS server, and the CAS module also saves it. Supposedly in single sign out, the CAS server will send traffic to the Drupal site saying, "Log this ticket out". The Drupal module looks up the ticket and destroys the session for that user.

A similar process happens with the report server, but the Drupal module never sees any of this traffic, so there is no cookie or ticket that Drupal sees that it can use to make such a test.

I don't have access to Skype or IM at work but you can send me your email via the drupal contact form and I'll try and dialogue with you that way on this issue.
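The ticket-tracking and logout-callback flow described in comment #13, written out as an added stand-alone illustration. This is not code from the CAS module (which is PHP) or from the thread's participants; it is a minimal Python model of the same idea. It assumes the single-logout message shape used by Jasig-style CAS servers: a POST carrying a `logoutRequest` form field whose value is a SAML `LogoutRequest` document, with the original service ticket in the `SessionIndex` element. The ticket, session id and username below are constructed sample values, and the two dictionaries stand in for the tables that update.php creates.

```python
"""Model of CAS single sign-out: remember the validated service ticket at
login, then destroy the matching local session when the CAS server posts a
LogoutRequest naming that ticket. Added example, not the CAS module's code."""
import xml.etree.ElementTree as ET
from typing import Dict, Optional

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"

# Stand-ins for the module's ticket table: ticket -> local session id,
# and the local session store: session id -> username.
TICKET_SESSIONS: Dict[str, str] = {}
ACTIVE_SESSIONS: Dict[str, str] = {}


def record_login(ticket: str, session_id: str, username: str) -> None:
    """Called once the service ticket has been validated with the CAS server.
    The ticket is single-use for authentication, but it is kept here so a
    later single-logout message can be mapped back to this session."""
    TICKET_SESSIONS[ticket] = session_id
    ACTIVE_SESSIONS[session_id] = username


def is_logged_in(session_id: str) -> bool:
    return session_id in ACTIVE_SESSIONS


def parse_logout_request(xml_text: str) -> Optional[str]:
    """Return the ticket named in a SAML LogoutRequest, or None if the
    document is malformed or is not a LogoutRequest at all."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return None
    if root.tag != f"{{{SAMLP}}}LogoutRequest":
        return None
    index = root.find(f"{{{SAMLP}}}SessionIndex")
    if index is None or not (index.text or "").strip():
        return None
    return index.text.strip()


def handle_single_logout(form: Dict[str, str]) -> bool:
    """Process the callback the CAS server sends when the user logs out
    elsewhere. Returns True if a local session was destroyed.
    Unknown tickets are ignored, so replays and stray posts are harmless.
    A real deployment should only accept this callback over TLS from the
    CAS server it trusts; that transport check is outside this model."""
    xml_text = form.get("logoutRequest")
    if not xml_text:
        return False
    ticket = parse_logout_request(xml_text)
    if ticket is None:
        return False
    session_id = TICKET_SESSIONS.pop(ticket, None)
    if session_id is None:
        return False
    ACTIVE_SESSIONS.pop(session_id, None)
    return True


# Constructed sample of what the CAS server posts back after a logout on
# another CAS-protected service (the report server in this thread).
SAMPLE_LOGOUT_POST = {
    "logoutRequest": (
        '<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'ID="example-id-1" Version="2.0" IssueInstant="2009-01-01T00:00:00Z">'
        '<saml:NameID xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
        '@NOT_USED@</saml:NameID>'
        '<samlp:SessionIndex>ST-1-example</samlp:SessionIndex>'
        '</samlp:LogoutRequest>'
    )
}


def demo() -> bool:
    """Login, then receive the logout callback; returns True if the
    session was active before and gone afterwards."""
    record_login("ST-1-example", "sess-abc", "alice")
    before = is_logged_in("sess-abc")
    handled = handle_single_logout(SAMPLE_LOGOUT_POST)
    after = is_logged_in("sess-abc")
    return before and handled and not after


if __name__ == "__main__":
    print("single sign-out worked" if demo() else "session still active")
```

Two points this makes concrete for the situation in the thread: the logout callback is a server-to-server POST from the CAS server to the Drupal site, so it only arrives if the CAS server can reach Drupal over the network (a local dev box behind a VPN typically cannot be reached, which matches the resolution in #14 and explains why tailing the Apache log for that POST is the right check); and the ticket table is what links the callback to a session, so the update.php step that creates it is required for the feature to do anything.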

#14

Ok... I think I have some resolution on this. The new code with the logout works now. I was using it on a local dev environment with a VPN connection. I had to use the VPN to access our test CAS server, as it's not publicly available. I deployed everything to my true test environment and it works great. If I tail the Apache logs, I see the POST from the CAS server when I log out of one of the other sites. So it's doing the logout callback properly. Thanks for all the help on this.

#15

Status: active » closed (fixed)

Closing, because it turned out to be VPN related.