CAS Protocol Support for Logout URLs

Idea created by Michael Richards on Mar 30, 2017
    This idea has been developed and deployed to Canvas


    Currently Canvas only supports the default behavior of RubyCAS. RubyCAS itself has support in its project for logout URLs to adhere to specification 2.3.1 in the CAS protocol (CAS - CAS Protocol Specification). The comments on lines 84 and 85 of this page back this up (rubycas-client/client.rb at 7b67c8f1b5515ee4e28479d640d2da0a5aadfbe0 · rubycas/rubycas-client · GitHub).


    The fix for this issue is relatively simple since RubyCAS already has support and Canvas just needs to utilize the support that is already extended through RubyCAS. I have tested a fix to change the behavior to follow the JASIG CAS logout parameter.


    The file that needs to be modified is the cas.rb file. (canvas-lms/cas.rb at 2f7557fc4580893dcec3689d5c5720d2935e74e7 · instructure/canvas-lms · GitHub)


    I tested this code in a locally installed version of canvas:

        # 03/29/2017 by Mike Richards
        # Change logout redirect behavior issues by swapping params in client.logout_url().
        # Moving forward to support both RubyCAS and JASIG CAS a new form element should be added to the authentication selection
        # and then have the user_logout_redirect function use an additional parameter to determine which logout_url call to make.
        # ORIGINAL CODE:    client.logout_url(controller.cas_login_url(id: self), nil, controller.cas_login_url(id: self))
        # Positional arguments of rubycas-client's logout_url: destination_url, follow_url, service_url.
        def user_logout_redirect(controller, _current_user)
          client.logout_url(nil, controller.cas_login_url(id: self), controller.cas_login_url(id: self))
        end


    With this code the logout redirects were performed correctly with our JASIG CAS implementation. I think the best way to implement this into Canvas is to make it a choice when you are setting up CAS as an authentication method. The value of the choice should then get passed to the user_logout_redirect which can then use a conditional statement to determine the correct version of client.logout_url to call.


    This issue is critical for our institution. When users in our system log out they are sent to the CAS logout page and not redirected back to the login screen. As a result it requires our users to navigate through 5 different pages just to get back to the login portion. It is also confusing for users since the only login page that they can reach from the CAS logout page is for CAS itself and not for a specific service, so it just allows them to create their ticket, whereas one would expect that the next login screen that is reached would return you back to the service you were attempting to log in to. We also feel there is a security implication: if a user gets caught in the confusion of having to navigate all of those pages to return to Canvas, they might not be aware of how to log out of the generic CAS ticket that was generated.
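    The per-provider choice described above (RubyCAS-style versus JASIG-style logout redirect, selected by a conditional) can be sketched as a standalone URL builder. This is an added example, not code from Canvas or from rubycas-client; it mirrors the parameter layout of rubycas-client's logout_url (destination / url / service) but does not call that library. CAS_SERVER_LOGOUT_URL and SERVICE_LOGIN_URL are constructed sample values, and cas_logout_url and redirect_param_of are hypothetical helper names.

```ruby
require "uri"

# Constructed sample values (not from the post): the CAS server's logout endpoint
# and the service login URL the user should land on after logging out.
CAS_SERVER_LOGOUT_URL = "https://cas.example.edu/cas/logout"
SERVICE_LOGIN_URL = "https://canvas.example.edu/login/cas"

# Builds the logout URL for the selected CAS flavour.
#   :rubycas -> the return target travels as the "destination" parameter
#               (RubyCAS-Server convention, rubycas-client's first argument)
#   :jasig   -> the return target travels as the "url" parameter
#               (the parameter rubycas-client fills from its second argument)
# Both flavours also send "service" (rubycas-client's third argument) so the
# server can match the target against its registered services.
# Any query string already present on logout_base is preserved.
def cas_logout_url(flavour, logout_base: CAS_SERVER_LOGOUT_URL, return_to: SERVICE_LOGIN_URL)
  uri = URI.parse(logout_base)
  params = uri.query ? URI.decode_www_form(uri.query) : []
  case flavour
  when :rubycas
    params << ["destination", return_to]
  when :jasig
    params << ["url", return_to]
  else
    raise ArgumentError, "unknown CAS flavour: #{flavour.inspect}"
  end
  params << ["service", return_to]
  uri.query = URI.encode_www_form(params)
  uri.to_s
end

# Reports which redirect parameter a built logout URL relies on ("url",
# "destination", or nil). Handy for checking a configured provider against the
# server type it is actually pointed at before rolling the setting out.
def redirect_param_of(logout_url)
  keys = URI.decode_www_form(URI.parse(logout_url).query.to_s).map(&:first)
  return "url" if keys.include?("url")
  return "destination" if keys.include?("destination")
  nil
end

if $PROGRAM_NAME == __FILE__
  puts cas_logout_url(:rubycas)
  puts cas_logout_url(:jasig)
end
```

    The flavour symbol stands in for the per-provider setting the post proposes adding to the authentication setup form; the conditional inside cas_logout_url is the one the post suggests placing in user_logout_redirect.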




    Comments from Instructure


    For more information, please read through the Canvas Production Release Notes (2017-08-26)