It seems like the answer to your Single Sign Out issue in a load balanced environment is fairly simple. Use a shared session mechanism instead of using sticky sessions for your load balanced servers. Here's a couple shared session managers for Tomcat that I know of: http://code.google.com/a/apache-extras.org/p/tomcat-cassandra/ http://code.google.com/p/memcached-session-manager/
It's my understanding that most organizations are moving away from sticky sessions and going to shared sessions as there are a lot of advantages to it. For example, in a shared session environment you can add/remove servers from the cluster without the possibility of a user losing their session, something you can't do in a sticky session environment. -----Original Message----- From: sol myr [mailto:solmy...@yahoo.com] Sent: Sunday, December 09, 2012 2:36 AM To: cas-user@lists.jasig.org Subject: [cas-user] Single Sign Out - and load balancer Hi, We have a single CAS server, but our *business* applications is clustered & behind a Load Balancer (HAProxy). We were disappointed to learn that single sign *out* fails on such architecture, because when CAS sends the "logout" notification to the application, the notification goes to the Load Balancer which forwards it to a single application (not to all of them). It's a known issue: https://issues.jasig.org/browse/CAS-742 https://issues.jasig.org/browse/CAS-832 http://comments.gmane.org/gmane.comp.java.jasig.cas.devel/1495 Would anyone please happen to know of patched to the CAS code - either open-source or commercial - that solve this (e.g. implementing the CAS-742 suggestion, to distinguish between "redirect" address and "logout notification" address)? Or do you know of some other easy patch which you use in your application? Frankly I don't understand how CAS can be used so widely without solving such a fundamental problem. In over a decade in IT, most of my applications were load-balanced, and all of them had "logout". It simply doesn't make sense for developers to give up load balancing, or give up "logout".... thanks very much -- You are currently subscribed to cas-user@lists.jasig.org as: edomazli...@tacomacc.edu To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user -- You are currently subscribed to cas-user@lists.jasig.org as: arch...@mail-archive.com To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user