Child pages
  • CAS Protocol Revision Working Group
Skip to end of metadata
Go to start of metadata


The CAS Protocol Revision Working Group is collaborating on updating the CAS Protocol such that it:

  • is consistent with current Jasig CAS 3.x server behavior (de facto standard), and adds
  • attributes to CAS payload  (a common customization)

The current status of the 3.0 spec draft can be found in the official GitHub repository at

The working draft is in Google Docs:


CAS-1284 - Getting issue details... STATUS

Related CAS4.0 issue: CAS-1283 - Getting issue details... STATUS



The main work of covering all the current (3.x) features is completed, but needs review and discussion.  The following is a brief summary of what was added:

  • /login parameters "METHOD", "rememberMe",
  • /logout parameter "service" with a description of its implication to the behaviour
  • SLO completely added. Also with an on section 4 which briefly describes the Single Log Out feature and security implications.
  • cas attributes in responses
  • /proxyValidate added
  • /samlValidate added (it is currently in 3.5, which this CAS Spec covers. In 4.0, this might be removed - to be discussed) 

Release Process

  • Declare Release Candidate Status - notify cas-dev, cas-user, cas-announce?
  • Community Review/Feedback - April 8th - April 20nd
  • Committer/Contribute Consensus Vote April 22nd - April 26th

Open Issues

  • Process for release (committer vote?)
  • When to release?
  • License - Apache2, Creative Commons
  • Copyright - Apereo?

Next Steps


  • No labels


  1. So can we change the license from Jale to Apache-Commons in the doc? Is that bullet proof?


  2. I have an addition to "Appendix C: Logout XML document". The example code is missing the namespace definitions.

    Should actually be something like:

    <samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="[RANDOM ID]" Version="2.0" IssueInstant="[CURRENT DATE/TIME]">
      <samlp:SessionIndex>[SESSION IDENTIFIER]</samlp:SessionIndex>
    1. Good point. I add it.


  3. I think section "2.3.3 Single Logout" needs some (heart)... It doesn't state anything about how a CAS client might react (status codes, response body, ...) nor how the CAS server should handle things like status codes (200, 302, 500) or unreachable CAS clients (server down).

    1. As response, timeout, status, etc. are completely ignored by the server (fire and forget), I suppressed that information. I will add such info to the draft, soon. 

      1. Added 2.3.3.x subsections. Comments are welcome!


        1. > It is recommended to logout the user from the application identified by the TGT id sent in the SLO POST request.  

          That's not correct. It's the service ticket that is posted, not the ticket-granting ticket.

          1. fixed. BTW: You can comment directly in the draft, now.


      2. Thank you for the additions! Is there any recommendation regarding timeout? How long does the Jasig CAS server wait for a response before closing the connection?

        I'll try to implement full CAS 3.x support in CASino based on this draft.

  4. The default connection, read timeouts in JASIG CAS is 5000ms. That is configurable in applicationContext.xml (see httpClient bean).