I am using the Jasig CAS .NET client to authenticate in my application using SSO from a server. I have implemented everything just like the documentation says and added [Authorize] in all my controllers.
Login is working fine from my app and the one I'm trying to integrate with. I can log in from either app and the user is authenticated.
The problem is with the logout. If I log out from the other app, the user will still have access in my application.
Is this because CAS log off can't delete the cookies? Or am I doing something wrong?
You are still logged in to your web app because the authentication information is stored in a cookie and your web app (or the .NET CAS client) does not check on every page request whether you're still logged in on the CAS server. The cookie is used for that until it expires.
So basically the CAS server has to have a Single Sign-Out page which logs out the user from all web applications using that CAS server, including yours. The CAS server has to be configured to call a Logout page in your web app, which in turn abandons the ASP.NET session and deletes the authentication cookie. The CasAuthentication.SingleSignOut() method does this for you.
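The back-channel call the answer describes is the CAS single sign-out protocol: when the user logs out at the CAS server, the server POSTs a SAML LogoutRequest to each application's service URL, with the service ticket it issued at login in the SessionIndex element. That request arrives from the CAS server, not from the user's browser, so it carries no authentication cookie; the application can only end the right session if it recorded, at login time, which local session each service ticket created. The following is an added, language-neutral illustration of that mechanism written in Python; it is not code from the Jasig .NET CAS client (which does the equivalent inside its HTTP module), and the session store, the `logoutRequest` form field handling, and the sample XML are constructed for the example.

```python
"""Illustration of the CAS single sign-out (SLO) back-channel flow.

Added example, not code from the DotNetCasClient project. It models what a
CAS client must do for single sign-out to work: remember which local session
each CAS service ticket (ST) created, and destroy that session when the CAS
server posts a SAML LogoutRequest naming the ticket in <SessionIndex>.
"""
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"


class SessionStore:
    """Hypothetical in-memory session store (stands in for ASP.NET session state)."""

    def __init__(self):
        self.sessions = {}           # session_id -> user name
        self.ticket_to_session = {}  # service ticket -> session_id

    def login(self, service_ticket, session_id, user):
        # The validated ST is the only handle the CAS server will later use to
        # refer to this session, so the mapping has to be recorded at login.
        self.sessions[session_id] = user
        self.ticket_to_session[service_ticket] = session_id

    def is_authenticated(self, session_id):
        return session_id in self.sessions

    def invalidate_by_ticket(self, service_ticket):
        # Equivalent of abandoning the server-side session; the auth cookie in
        # the browser then no longer refers to anything and is useless.
        session_id = self.ticket_to_session.pop(service_ticket, None)
        if session_id is None:
            return False
        self.sessions.pop(session_id, None)
        return True


def parse_logout_request(xml_text):
    """Return the SessionIndex (service ticket) of a SAML LogoutRequest, or None."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return None
    if root.tag != "{%s}LogoutRequest" % SAMLP:
        return None
    idx = root.find("{%s}SessionIndex" % SAMLP)
    if idx is None or not (idx.text or "").strip():
        return None
    return idx.text.strip()


def handle_single_sign_out(store, form):
    """Process the back-channel POST the CAS server sends to the service URL.

    `form` is the parsed request body; the CAS server puts the LogoutRequest
    XML in a field named `logoutRequest`. Returns True if a local session ended.
    Unknown or malformed requests are ignored (returns False) rather than
    raising, so a bad message cannot take the endpoint down.
    """
    xml_text = form.get("logoutRequest")
    if not xml_text:
        return False
    ticket = parse_logout_request(xml_text)
    if ticket is None:
        return False
    return store.invalidate_by_ticket(ticket)


# Constructed sample of the message CAS posts on logout (values are made up).
SAMPLE_LOGOUT_REQUEST = """<samlp:LogoutRequest
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    ID="LR-1-example" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:NameID xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">@NOT_USED@</saml:NameID>
  <samlp:SessionIndex>ST-1-example</samlp:SessionIndex>
</samlp:LogoutRequest>"""


def demo():
    """Login, then SLO from the CAS server; returns (before, ended, after)."""
    store = SessionStore()
    store.login("ST-1-example", "sess-abc", "alice")
    before = store.is_authenticated("sess-abc")
    ended = handle_single_sign_out(store, {"logoutRequest": SAMPLE_LOGOUT_REQUEST})
    after = store.is_authenticated("sess-abc")
    return before, ended, after


if __name__ == "__main__":
    print(demo())
```

Two practical consequences follow from this flow. First, the ticket-to-session map must live on the server (a cache or database shared by all web nodes), because the logout POST can land on any node; a client that only stores authentication state in the cookie has nothing to invalidate, which is exactly the symptom in the question. Second, the CAS server must be able to reach the application's service URL directly, so a firewall between the two hosts silently breaks single sign-out while ordinary login keeps working.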