Chris, I don't think mod_auth_cas supports the (experimental?) SLO feature of CAS. However, if you just want users to be able to log out of your web app *and* terminate their CAS session in the process, you can have Apache + a small script help you out.
For example, at Lafayette, we are using mod_auth_cas in front of Internet2 Grouper. The Apache config (with all the non-essential bits removed) looks like this:

    <VirtualHost _default_:443>
        #Custom logout script
        <Directory /var/www/html/php/logout.php>
            Order Allow,Deny
            Allow from all
        </Directory>

        #Proxy settings
        <Proxy *>
            AddDefaultCharset Off
            Order deny,allow
            Allow from all
        </Proxy>
        ProxyPass /php/logout.php !
        ProxyPass / ajp://localhost:8009/
        ProxyPassReverse / ajp://localhost:8009/

        # CAS-protect everything else.
        <Location / >
            CASScope /
            Authtype CAS
            require valid-user
        </Location>

        #Redirect the Grouper logout to our custom logout.
        RewriteEngine on
        RewriteRule ^/grouper/logout.do$ /php/logout.php [R]
    </VirtualHost>

Grouper runs as a Java servlet, so Apache proxies the HTTP requests to a Tomcat servlet container via AJP. You can see a "Directory" resource that is a custom PHP script. It is not a protected resource. A "Location" stanza is set up to indicate that all other resources ought to be CAS-protected. The "RewriteRule" intercepts the Grouper logout URL and rewrites it to the custom logout script. That PHP script is pretty simple:

    <?php
    setcookie("MOD_AUTH_CAS_S", "", time()-3600, "/");
    header("Location: https://cas.lafayette.edu/cas/logout"); /* Redirect browser */
    exit();
    ?>

It tells the user's browser to delete the mod_auth_cas cookie and then redirects the user's browser to the CAS logout URL.

Thanks,
Carl

----- Original Message -----
From: "Chris Cheltenham" <cchelten...@swaintechs.com>
To: "cas-user" <cas-user@lists.jasig.org>
Sent: Tuesday, October 13, 2015 1:28:00 PM
Subject: RE: [cas-user] mod_auth_cas

I see, thank you Carl. I did not log out so the CAS session was still open. I think that CAS has a 2 hour hard timeout as well. 7200 seconds.

This still leaves me with just the issue of this. How to hook SLO to delete the CAS ticket and then proxy back to the web server and delete the temp file in mod_auth_cas?

-----Original Message-----
From: Waldbieser, Carl [mailto:waldb...@lafayette.edu]
Sent: Tuesday, October 13, 2015 1:03 PM
To: cas-user@lists.jasig.org
Subject: Re: [cas-user] mod_auth_cas

Chris,

Are you sure you aren't re-authenticating? If you have a CAS SSO session that lasts longer than the 5 minute session you set for mod_auth_cas, it will log you right back in again without you having to enter any password.

To really test the expiration, you need to log into your webapp using CAS, then in another tab, browse to your CAS server's /logout resource to end the SSO session. Then after the mod_auth_cas session expires, you will see that you need to re-authenticate.

Thanks,
Carl

----- Original Message -----
From: "Chris Cheltenham" <cchelten...@swaintechs.com>
To: "cas-user" <cas-user@lists.jasig.org>
Sent: Tuesday, October 13, 2015 12:40:14 PM
Subject: RE: [cas-user] mod_auth_cas

Carl,

When we log in and authenticate to CAS I have the following under temp area /var/cache/mod_auth_cas

    root@test-web:/var/cache/mod_auth_cas > ls -la
    total 36
    drwx------  2 apache apache 4096 Oct 13 12:36 .
    drwxr-xr-x 14 root   root   4096 Apr 16 19:22 ..
    -rw-------  1 apache apache  262 Oct 13 12:36 6bbc774d3d53b030bf57040c1f698512
    -rw-------  1 apache apache   32 Oct 13 12:36 .f3d79756914864ade3c7f6b8015e530a
    -rw-------  1 apache apache   17 Oct 13 12:36 .metadata
    root@test-web:/var/cache/mod_auth_cas >

I expect after 5 minutes that it forces me to re-authenticate.
I expect after 10 minutes it does the same and deletes the file 6bbc774d3d53b030bf57040c1f698512
I expect the CAS clean interval to delete it all within 10 seconds of the session file expiring.

What I am getting is nothing expires and nothing times out ever unless I close IE. I hate IE but that's what the customer uses.

Thanks

-----Original Message-----
From: Waldbieser, Carl [mailto:waldb...@lafayette.edu]
Sent: Tuesday, October 13, 2015 12:36 PM
To: cas-user@lists.jasig.org
Subject: Re: [cas-user] mod_auth_cas

Chris,

Can you provide more detail? I.e. what is your expectation as to what is going to happen, and what actually happens?

Thanks,
Carl Waldbieser
ITS Systems Programmer
Lafayette College

----- Original Message -----
From: "Chris Cheltenham" <cchelten...@swaintechs.com>
To: "cas-user" <cas-user@lists.jasig.org>
Sent: Tuesday, October 13, 2015 12:32:04 PM
Subject: [cas-user] mod_auth_cas

Hello,

In apache mod_auth_cas timeout parameters do not work. Does anyone know why? None of these work:

    CASTimeout 600
    CASIdleTimeout 300
    CASCacheCleanInterval 10

Thank You;

Chris Cheltenham
cchelten...@swaintechs.com
SwainTechs
10 Walnut Grove Rd
Suite 110
Horsham, PA 19044
888-905-5767 / X407

--
You are currently subscribed to cas-user@lists.jasig.org as: waldb...@lafayette.edu
To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
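
The session behaviour discussed in this thread (the silent re-login Carl describes, his /logout test, and his logout.php approach), as an added example that is not part of the original messages and is not mod_auth_cas or CAS server code. It is a simplified Python model of the two independent sessions; the timeout values are the ones quoted in the thread, while the Browser class, its methods and the event names are hypothetical.

```python
# Simplified model (assumption: not mod_auth_cas or CAS server code) of the
# two sessions in the thread. Class, method and event names are hypothetical.
from dataclasses import dataclass
from typing import Optional

CAS_TIMEOUT = 600       # CASTimeout: hard lifetime of the mod_auth_cas session
CAS_IDLE_TIMEOUT = 300  # CASIdleTimeout: maximum idle time of that session
SSO_TIMEOUT = 7200      # CAS server SSO hard timeout mentioned in the thread


@dataclass
class Browser:
    issued: Optional[int] = None       # mod_auth_cas session creation time
    last_active: Optional[int] = None  # last request served under it
    sso_start: Optional[int] = None    # start of the CAS SSO session

    def local_valid(self, now: int) -> bool:
        return (self.issued is not None
                and now - self.issued < CAS_TIMEOUT
                and now - self.last_active < CAS_IDLE_TIMEOUT)

    def request(self, now: int) -> str:
        """Return what the user sees for a request at `now` (seconds)."""
        if self.local_valid(now):
            self.last_active = now
            return "served"
        # Local session missing or expired: the browser is sent to CAS.
        if self.sso_start is not None and now - self.sso_start < SSO_TIMEOUT:
            outcome = "silent-reauth"  # SSO still open, no password asked
        else:
            outcome = "login-prompt"   # user must authenticate again
            self.sso_start = now
        self.issued = self.last_active = now
        return outcome

    def cas_logout(self) -> None:
        self.sso_start = None          # visiting the CAS /logout resource

    def app_logout(self) -> None:
        self.issued = self.last_active = None  # logout.php drops the cookie
        self.cas_logout()                      # then redirects to CAS logout


def timeline(events):
    """Replay constructed (time, action) events; return observed outcomes."""
    browser, seen = Browser(), []
    for now, action in events:
        if action == "request":
            seen.append(browser.request(now))
        else:
            getattr(browser, action)()
            seen.append(action)
    return seen
```

Replaying requests at 0 s and 400 s yields a silent re-login at 400 s, which looks to the user as if the idle timeout never fired. Inserting a cas_logout event before the local session expires turns that second outcome into a login prompt.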