
Single Sign Out about django-cas-ng (CLOSED)

django-cas-ng commented on June 13, 2024
Single Sign Out

from django-cas-ng.

Comments (4)

nitmir commented on June 13, 2024

The Jasig CAS (the mainline implementation) sends the logout request in a POST parameter called logoutRequest.
You can also see that phpCAS uses this POST parameter to see if the request is a logout request https://github.com/Jasig/phpCAS/blob/master/source/CAS/Client.php#L1696.
The same goes for rubycas-client-rails https://github.com/rubycas/rubycas-client-rails/blob/master/lib/rubycas-client-rails.rb#L290 or the omniauth-cas client https://docs.omniref.com/ruby/gems/eriko-omniauth-cas/1.0.5/symbols/OmniAuth::Strategies::CAS::LogoutRequest#line=34

I think it could be easier to have mama-cas send the POST parameter than to modify all CAS clients.

We should not be checking for a logout request if CAS_VERSION < 3, as it is only supported by CAS_VERSION == 3 and SAML 1.1.

I personally do not use django-mama-cas because I found its policy about who can get a ProxyGrantingTicket way too permissive. The mainline Jasig CAS server requires each registered application in the registry to be explicitly configured to allow for proxy authentication.
For your information (I do not know if you are familiar with the CAS protocol), once something gets a ProxyGrantingTicket for a user, it can connect to pretty much every app using the CAS as this user. At the current time, every service allowed to authenticate against the CAS (i.e. inside MAMA_CAS_VALID_SERVICES) is de facto allowed to retrieve a PGT jbittel/django-mama-cas#26

from django-cas-ng.
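
As an added illustration (not code from django-cas-ng, django-mama-cas or any client linked above), this Python sketch shows how a CAS client can recognise the `logoutRequest` POST parameter described in the comment above and map it to a local session. The XML layout follows the CAS protocol's SAML-style logout message; the function names, the size cap, the DTD rejection and the in-memory ticket-to-session map are assumptions made for the example.

```python
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
FORM = "application/x-www-form-urlencoded"
MAX_BODY = 8192  # assumed cap; a logout message is a few hundred bytes

# Constructed sample message; the ID, timestamp and ticket are made up.
SAMPLE_XML = (
    '<samlp:LogoutRequest xmlns:samlp="%s" ID="LR-constructed" Version="2.0" '
    'IssueInstant="2024-01-01T00:00:00Z">'
    '<saml:NameID xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
    '@NOT_USED@</saml:NameID>'
    '<samlp:SessionIndex>ST-1-constructed</samlp:SessionIndex>'
    '</samlp:LogoutRequest>' % SAMLP
)

def form_body(xml):
    """Encode xml the way the server posts it: one logoutRequest form field."""
    return urlencode({"logoutRequest": xml}).encode()

def extract_logout_ticket(body, content_type):
    """Return the ticket named in a single-logout POST, or None if it is not one."""
    if len(body) > MAX_BODY or not content_type.startswith(FORM):
        return None
    values = parse_qs(body.decode("utf-8", "replace")).get("logoutRequest", [])
    if len(values) != 1:
        return None
    xml = values[0]
    # ElementTree expands internal entities, so refuse any DTD before parsing.
    if "<!DOCTYPE" in xml or "<!ENTITY" in xml:
        return None
    try:
        root = ET.fromstring(xml)
    except ET.ParseError:
        return None
    if root.tag != "{%s}LogoutRequest" % SAMLP:
        return None
    ticket = (root.findtext("{%s}SessionIndex" % SAMLP) or "").strip()
    return ticket or None

def handle_logout(body, content_type, sessions_by_ticket):
    """Drop the local session tied to the ticket; True if one was removed."""
    ticket = extract_logout_ticket(body, content_type)
    if ticket is None:
        return False
    return sessions_by_ticket.pop(ticket, None) is not None
```

The client has to record the service ticket against the local session at login time, since the ticket in `SessionIndex` is the only identifier the logout message carries.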

manelclos commented on June 13, 2024

Hi,

Yes, I see your point. Let me ask django-mama-cas project about that.

Thanks for the prompt reply!


jbittel commented on June 13, 2024

I am planning to rework how services are validated in django-mama-cas to allow for per-service configuration, including allowing/disallowing proxy authentication. Thanks for the reminder!


manelclos commented on June 13, 2024

Hi, this has been fixed in django-mama-cas, thank you!

jbittel/django-mama-cas#27
