I suspect that "Single Sign-Off" or if you prefer Single Log Off (SLO), or as I prefer the "clean up server side application session resources that are no longer needed" feature, doesn't really behave in a way that would meet the expectations of users. The mislabeling causes most non-technical folks to want to implement this feature, expecting that it would actually "log out" of all the applications that have been visited. In practice this is difficult (impossible?) to achieve on an enterprise scale.
* There doesn't seem to be a path for consistent and reasonable user experience. * How does the user know which services may have had there application session invalidated and which didn't participate fully in the SLO callback? * Even if the application session was invalidated at the server, there may still be confidential information left on the screen, window, tab, etc. * What is the user experience after the SLO, when the user decides to continue working. * Technically requires custom integration for each service. Do I have this about right? Do others have different experiences with this feature? Bill -- You are currently subscribed to [email protected] as: [email protected] To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-dev
