Folks,

We've CASsified Zimbra since 6.x and logout works without problems. As Andrew said in 2), when a user logs out from Zimbra, a simple HTML logout page is displayed: this page is not on the same virtual host as Zimbra and I've verified that all Zimbra-related cookies get destroyed. This logout page explains that the application is logged out but the SSO session is still alive. Despite that, some users do not understand why they can return to Zimbra without authentication (in fact, authentication is transparent through CAS)... I'm afraid that the SSO concept is not always well understood.

Rgds.

On 03/01/2012 19:14, Andrew Petro wrote:
Jon,

Merely changing a logout link in the UI to point to the CAS server logout URL 
is, as you've discovered, insufficient where CAS's single logout callbacks 
aren't implemented.

Rather, a Zimbra logout link should address a Zimbra server endpoint which 
terminates the application-local session.  And then it should do something 
else, such as
1) redirect to https://yourCasServerFQDN/cas/logout to end the CAS session and 
have CAS display its SSO session ended message, or
2) Display a page explaining to the user that the Zimbra-local session has been 
terminated but that the single sign-on session continues, and inviting the user 
to click a link to also log out of CAS

Either of these options could be implemented in a trivial JSP.

Which of those options to pick depends mostly on what user expectations you've set, by the 
presentation of the logout link in the UI (was it "log out of Zimbra" or was it "log 
out of CAS"?) and by the way other logout links work in applications in your environment.

Kind regards,

Andrew
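As an added example (not code from Andrew's message, from Zimbra, or from the Jasig wiki page), here is a sketch of the "Zimbra server endpoint" described above as a single JSP served from the Zimbra host. The CAS logout URL, the JSP's location and the cookie names are assumptions: the two cookie names are the ones Jon lists as the ones a user must delete by hand, and the CAS URL is a placeholder to replace with your own. The page invalidates the container session, expires the Zimbra cookies, and then either redirects to CAS logout (option 1) or shows the explanatory page with a link (option 2); uncomment the redirect to switch between the two.

```jsp
<%@ page language="java" contentType="text/html; charset=UTF-8" session="false" %>
<%@ page import="javax.servlet.http.Cookie, javax.servlet.http.HttpSession" %>
<%
    // Assumed values: replace with your CAS server's logout URL.
    final String CAS_LOGOUT_URL = "https://yourCasServerFQDN/cas/logout";
    // The cookies Jon named as the ones that keep a Zimbra session alive.
    final String[] ZIMBRA_COOKIES = { "ZM_AUTH_TOKEN", "JSESSIONID" };

    // 1. Terminate the application-local (servlet container) session.
    //    session="false" above stops the JSP from creating a fresh one.
    HttpSession existing = request.getSession(false);
    if (existing != null) {
        existing.invalidate();
    }

    // 2. Tell the browser to discard the Zimbra cookies. An expiry cookie
    //    only takes effect if its name, path and domain match the original,
    //    so this page must be served from the same host that set them.
    Cookie[] cookies = request.getCookies();
    if (cookies != null) {
        for (Cookie c : cookies) {
            for (String name : ZIMBRA_COOKIES) {
                if (name.equals(c.getName())) {
                    Cookie expired = new Cookie(name, "");
                    expired.setMaxAge(0);          // Max-Age=0 deletes it
                    expired.setPath("/");          // match the path Zimbra used
                    expired.setSecure(request.isSecure());
                    response.addCookie(expired);
                }
            }
        }
    }

    // 3a. Option 1: also end the CAS SSO session and let CAS show its
    //     "session ended" page. Uncomment these two lines to use it.
    // response.sendRedirect(CAS_LOGOUT_URL);
    // return;
%>
<%-- 3b. Option 2: explain that only the Zimbra session ended, and offer CAS logout. --%>
<!DOCTYPE html>
<html>
<head><title>Logged out of Zimbra</title></head>
<body>
<h1>You have been logged out of Zimbra.</h1>
<p>Your single sign-on session is still active, so other CAS-protected
applications (and Zimbra, if you return to it) will not ask for your
password again.</p>
<p><a href="<%= CAS_LOGOUT_URL %>">Log out of single sign-on as well</a></p>
</body>
</html>
```

Two caveats worth checking in a real deployment. First, expiring a cookie in the browser does not by itself revoke anything on the server: the container session is gone because of invalidate(), but whatever server-side state stands behind ZM_AUTH_TOKEN is untouched unless Zimbra is told to end it, so verify with a copied token value that it is actually rejected afterwards. Second, the redirect in option 1 must happen before any response body is written, which is why it sits above the HTML.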



On Jan 3, 2012, at 11:14 AM, Jon Detert wrote:

I have Zimbra 'ZCS' version 7.1.3 CASified with CAS Server v3.4.11 via these 
directions:

https://wiki.jasig.org/display/CAS/CASifying+Zimbra+6.0

Authentication and 'single sign-on' works great.

However, zimbra users can not logout of zimbra the 'normal' way:

0) the zimbra web app has a 'Logout' link.  The CASification procedure has you 
redefine the URL for that link to https://yourCasServerFQDN/cas/logout

1) when a user clicks the zimbra 'Logout' link, they are taken to the correct 
CAS logout URL

2) if the user then returns to zimbra, they are allowed in without 
re-authentication.

I.e. the zimbra webapp's logout link doesn't really work.  To really log out, 
the user must either:
a) close the web browser entirely (meaning all windows and/or tabs), or
b) clear the browser's history, cache, and credentials, or
c) delete the browser's ZM_AUTH_TOKEN and JSESSIONID cookies

The CAS client I'm using with Zimbra is version 3.1.8.

Any idea how I can make it possible for a zimbra user to logout by clicking a 
link?

Thanks,

Jon

--
You are currently subscribed to cas-user@lists.jasig.org as: ape...@unicon.net
To unsubscribe, change settings or access archives, see 
http://www.ja-sig.org/wiki/display/JSG/cas-user


