Re: [cas-user] logout of CASified Zimbra web application does not work
Folks,

We've CASified Zimbra since 6.x and logout works without problems.

As Andrew said in 2), when a user logs out from zimbra, a simple html logout page is displayed: this page is not on the same virtual host as zimbra and I've verified that all zimbra related cookies got destroyed. This logout page explains that the application is logged out but the SSO session is still alive.

Despite that, some users do not understand why they can return to zimbra without authentication (in fact, authentication is transparent through CAS)... I'm afraid that the SSO concept is not always well understood.

Rgds.

On 03/01/2012 19:14, Andrew Petro wrote:

> Jon,
>
> Merely changing a logout link in the UI to point to the CAS server logout URL is, as you've discovered, insufficient where CAS's single logout callbacks aren't implemented.
>
> Rather, a Zimbra logout link should address a Zimbra server endpoint which terminates the application-local session. And then it should do something else, such as
>
> 1) redirect to https://yourCasServerFQDN/cas/logout to end the CAS session and have CAS display its SSO session ended message, or
>
> 2) Display a page explaining to the user that the Zimbra-local session has been terminated but that the single sign-on session continues, and inviting the user to click a link to also log out of CAS
>
> Either of these options could be implemented in a trivial JSP.
>
> Which of those options to pick depends mostly on what user expectations you've set, by the presentation of the logout link in the UI (was it "log out of Zimbra" or was it "log out of CAS"?) and by the way other logout links work in applications in your environment.
>
> Kind regards,
>
> Andrew
>
> On Jan 3, 2012, at 11:14 AM, Jon Detert wrote:
>
> > I have Zimbra 'ZCS' version 7.1.3 CASified with CAS Server v3.4.11 via these directions:
> >
> > https://wiki.jasig.org/display/CAS/CASifying+Zimbra+6.0
> >
> > Authentication and 'single sign-on' works great.
> >
> > However, zimbra users can not logout of zimbra the 'normal' way:
> >
> > 0) the zimbra web app has a 'Logout' link. The CASification procedure has you redefine the URL for that link to https://yourCasServerFQDN/cas/logout
> >
> > 1) when a user clicks the zimbra 'Logout' link, they are taken to the correct CAS logout URL
> >
> > 2) if the user then returns to zimbra, they are allowed in without re-authentication.
> >
> > I.e. the zimbra webapp's logout link doesn't really work. To really log out, the user must either:
> > a) close the web browser entirely (meaning all windows and/or tabs), or
> > b) clear the browser's history, cache, and credentials, or
> > c) delete the browser's ZM_AUTH_TOKEN and JSESSIONID cookies
> >
> > The CAS client I'm using with Zimbra is version 3.1.8.
> >
> > Any idea how I can make it possible for a zimbra user to logout by clicking a link?
> >
> > Thanks,
> >
> > Jon

--
You are currently subscribed to cas-user@lists.jasig.org as: arch...@mail-archive.com
To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
Re: [cas-user] logout of CASified Zimbra web application does not work
Jon,

Merely changing a logout link in the UI to point to the CAS server logout URL is, as you've discovered, insufficient where CAS's single logout callbacks aren't implemented.

Rather, a Zimbra logout link should address a Zimbra server endpoint which terminates the application-local session. And then it should do something else, such as

1) redirect to https://yourCasServerFQDN/cas/logout to end the CAS session and have CAS display its SSO session ended message, or

2) Display a page explaining to the user that the Zimbra-local session has been terminated but that the single sign-on session continues, and inviting the user to click a link to also log out of CAS

Either of these options could be implemented in a trivial JSP.

Which of those options to pick depends mostly on what user expectations you've set, by the presentation of the logout link in the UI (was it "log out of Zimbra" or was it "log out of CAS"?) and by the way other logout links work in applications in your environment.

Kind regards,

Andrew

On Jan 3, 2012, at 11:14 AM, Jon Detert wrote:

> I have Zimbra 'ZCS' version 7.1.3 CASified with CAS Server v3.4.11 via these
> directions:
>
> https://wiki.jasig.org/display/CAS/CASifying+Zimbra+6.0
>
> Authentication and 'single sign-on' works great.
>
> However, zimbra users can not logout of zimbra the 'normal' way:
>
> 0) the zimbra web app has a 'Logout' link. The CASification procedure has
> you redefine the URL for that link to https://yourCasServerFQDN/cas/logout
>
> 1) when a user clicks the zimbra 'Logout' link, they are taken to the correct
> CAS logout URL
>
> 2) if the user then returns to zimbra, they are allowed in without
> re-authentication.
>
> I.e. the zimbra webapp's logout link doesn't really work. To really log out,
> the user must either:
> a) close the web browser entirely (meaning all windows and/or tabs), or
> b) clear the browser's history, cache, and credentials, or
> c) delete the browser's ZM_AUTH_TOKEN and JSESSIONID cookies
>
> The CAS client I'm using with Zimbra is version 3.1.8.
>
> Any idea how I can make it possible for a zimbra user to logout by clicking a
> link?
>
> Thanks,
>
> Jon
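
The logout endpoint Andrew describes in the message above, as an added example that is not part of the thread and is not Zimbra's or the CAS client's own code. It uses only the standard servlet API; the file name `logout.jsp`, the `sso` request parameter and the cookie path `/` are assumptions, and the cookie names and CAS URL placeholder are the ones quoted in the thread.

```jsp
<%@ page session="false" contentType="text/html; charset=UTF-8" %>
<%
    // Hypothetical logout.jsp: ends the application-local session first,
    // then either redirects to CAS (option 1) or shows a notice (option 2).

    // Fixed target, never taken from the request, so the endpoint cannot
    // be turned into an open redirect. Replace the placeholder host.
    final String CAS_LOGOUT_URL = "https://yourCasServerFQDN/cas/logout";

    // Cookies named in the original report as keeping the user logged in.
    final String[] LOCAL_COOKIES = { "ZM_AUTH_TOKEN", "JSESSIONID" };

    // 1. Invalidate the servlet session if one exists (do not create one).
    HttpSession existing = request.getSession(false);
    if (existing != null) {
        existing.invalidate();
    }

    // 2. Expire the application cookies in the browser. A cookie is only
    //    overwritten when name, path and domain match; "/" is an assumption.
    for (String name : LOCAL_COOKIES) {
        Cookie expired = new Cookie(name, "");
        expired.setMaxAge(0);
        expired.setPath("/");
        expired.setSecure(request.isSecure());
        response.addCookie(expired);
    }

    // 3. Keep this response out of browser and proxy caches.
    response.setHeader("Cache-Control", "no-store");

    // 4. Option 1: also end the SSO session by redirecting to CAS.
    if ("1".equals(request.getParameter("sso"))) {
        response.sendRedirect(CAS_LOGOUT_URL);
        return;
    }
%>
<!-- Option 2: local logout only; the user decides about the SSO session. -->
<html>
  <body>
    <p>You have been logged out of Zimbra. Your single sign-on session is
       still active, so returning to Zimbra will not ask for a password.</p>
    <p><a href="<%= CAS_LOGOUT_URL %>">Log out of CAS as well</a></p>
  </body>
</html>
```

Serving the page from the same host as the application, or setting the cookie domain to match, is what lets the expiring `Set-Cookie` headers actually replace the originals.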
[cas-user] logout of CASified Zimbra web application does not work
I have Zimbra 'ZCS' version 7.1.3 CASified with CAS Server v3.4.11 via these directions:

https://wiki.jasig.org/display/CAS/CASifying+Zimbra+6.0

Authentication and 'single sign-on' works great.

However, zimbra users can not logout of zimbra the 'normal' way:

0) the zimbra web app has a 'Logout' link. The CASification procedure has you redefine the URL for that link to https://yourCasServerFQDN/cas/logout

1) when a user clicks the zimbra 'Logout' link, they are taken to the correct CAS logout URL

2) if the user then returns to zimbra, they are allowed in without re-authentication.

I.e. the zimbra webapp's logout link doesn't really work. To really log out, the user must either:
a) close the web browser entirely (meaning all windows and/or tabs), or
b) clear the browser's history, cache, and credentials, or
c) delete the browser's ZM_AUTH_TOKEN and JSESSIONID cookies

The CAS client I'm using with Zimbra is version 3.1.8.

Any idea how I can make it possible for a zimbra user to logout by clicking a link?

Thanks,

Jon