These questions are asked based on the spring-security enabled client in mind.
How does CAS SLO work internally especially in invalidating the sessions of the registered services?
For CAS to understand the list of registered service, do we need to have the cas service management webapp in place?
To implement CAS SLO, is it mandatory to implement Ehcache registry or can it be done without that?
How the backend channel logout for invalidating session work?
When the global session in CAS is invalidated, I assume that the tickets related to it in CAS server are removed or deleted. How does the communication happen back to the registered services? What is the best way to debug this if the single logout is not working on the service side?
Wherever applicable, an example or sample for explanation is much appreciated.
How does CAS SLO work internally especially in invalidating the sessions of the registered services?
A callback notification is sent to all CAS-protected applications that have established a record with CAS. The application should capture that notification and destroy its session.
For CAS to understand the list of registered service, do we need to have the cas service management webapp in place?
No, that's just a UI.
To implement CAS SLO, is it mandatory to implement Ehcache registry or can it be done without that?
Can be done without it. The two have nothing to do with each other.
How the backend channel logout for invalidating session work?
See above.
When the global session in CAS is invalidated, I assume that the tickets related to it in CAS server are removed or deleted. How does the communication happen back to the registered services? What is the best way to debug this if the single logout is not working on the service side?
You want to turn on log levels to DEBUG and watch the interaction. If the application is configured in CAS for back-channel logouts, that notification is sent directly from the server. If it's front-channel, the notification is submitted from the client browser.