I'm currently making tests with the CAS server 3.5.2 and I'm facing problems with the logout. My knowledge in these topics is limited and I don't manage to go further on that point.
I installed a CAS server and I've got 2 instances of the same java application that point to that CAS server (appologize if I don't use the adecuates terms). So, when I access to the protected resources of my client aplication, I'm redirected to the CAS login page, I check in my DB if credentials are ok and then I access the resource. Then, if I access to the same protected resource from the second instance of the client application I'm not redirected to login page. That's perfect.
The problem is situated in the logout. To do so, I first execute a session.invalidate() and access to the CAS logout page. It's ok because, from the application from which I logged out, I must login again to access the protected resources. On the other side, the second application remains connected and I can access the protected resources without login again. Well, I know that the session.invalidate() is local to the first application but I thought that CAS server would have "broadcasted" the desconnexion to the other application but no.
Is there somebody who can give me experience feedback for the single sing out topic ?