On Wed, Aug 3, 2011 at 12:37 PM, Marvin Addison <marvin.addi...@gmail.com> wrote:

>> Making SLO on by default gives the impression that CAS is an
>> application session manager
>
> A good SSO product is necessarily a session manager. When a user logs
> out of an SSO product, he or she expects all applications used during
> that session to end as well. This is session management by any
> definition and it's perfectly reasonable.
>
>> I am pretty convinced though that it does not make much sense promoting
>> SLO as a feature.
>
> I'm shocked at your saying this. SLO is a distinguishing feature of CAS.

Not sure I agree that CAS is/should be an application session manager. The burden of application session management is on the applications by design. Pushing SLO does blur this line, and I think it is a mistake given the known issues with it. CAS would have to be a lot more complex and a ton more difficult to deploy if it truly were responsible for application session management across the enterprise.

>> I think the expectation depends on how the user is presented with
>> /cas/logout and how CAS has been rolled out. Logging out of my portal
>> may kill the SSO session (via /cas/logout), sure, but I'm not so sure
>> I'd expect that action to also kill my webmail session.
>
> I can appreciate this distinction. We have attempted to allow users
> to control the proper scope of logout with the following best practice
> (from https://wiki.jasig.org/display/CASC/CAS+Client+for+Java+3.1):
>
> The CAS Client for Java team has recommended guidelines for logout
> pages for CAS Clients. We recommend that text similar to the following
> appear when the application's session is ended.
>
> Recommended logout text
> You have been logged out of APPLICATION NAME GOES HERE.
>
> To log out of all applications, click here. (provide link to CAS
> server's logout)

I sure would prefer that last line to say, "To end your SSO session, please click here". If you don't have CAS and SLO on every application in your enterprise you are asking for trouble, no?

>> Would love to hear more about how you've rolled out CAS at VT. How do folks
>> get to /cas/logout? In what context?
>
> We've encouraged services to adopt the practice above, but we have no
> authority to enforce it. Big universities are like federations unto
> themselves; all we can do is beg.

Indeed, which is one reason why I tend to be more conservative about the practical effect of so-called "SLO".
Best,
Bill

> M
>
> --
> You are currently subscribed to cas-dev@lists.jasig.org as: wgt...@gmail.com
> To unsubscribe, change settings or access archives, see
> http://www.ja-sig.org/wiki/display/JSG/cas-dev
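A concrete shape for the logout guidance quoted in the thread, and for the SLO back-channel it debates, as an added example that is not code from the thread or from the Jasig CAS client: the application's own logout ends only its session and renders the recommended text with a link to the CAS server's logout, while the SLO receiver ends the session tied to the service ticket named in the logoutRequest CAS posts. CAS_SERVER_URL, APP_NAME, the dict-backed session store and the sample logoutRequest are assumed or constructed here; the request format follows the CAS 3.x single-sign-out POST.

```python
import html
import xml.etree.ElementTree as ET

# Assumed configuration for the example application.
CAS_SERVER_URL = "https://cas.example.edu/cas"
APP_NAME = "Webmail"

# Constructed sample state: session_id -> attributes, and the mapping from
# the service ticket validated at login to the session it created. Without
# that second map a logoutRequest cannot be tied to any local session.
SESSIONS = {"sess-1": {"user": "alice"}, "sess-2": {"user": "bob"}}
TICKET_TO_SESSION = {"ST-1-abc": "sess-1", "ST-2-def": "sess-2"}

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"

# Constructed example of the back-channel request CAS posts as the
# 'logoutRequest' form parameter when the SSO session ends.
SAMPLE_LOGOUT_REQUEST = (
    f'<samlp:LogoutRequest xmlns:samlp="{SAMLP_NS}" ID="LR-1" Version="2.0"'
    ' IssueInstant="2011-08-03T12:37:00Z">'
    '<saml:NameID xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
    "@NOT_USED@</saml:NameID>"
    "<samlp:SessionIndex>ST-1-abc</samlp:SessionIndex></samlp:LogoutRequest>"
)


def local_logout(session_id: str) -> str:
    """End this application's session only and render the recommended text:
    name the application the user left and link to the CAS server's logout
    so the user decides whether to end the SSO session as well."""
    SESSIONS.pop(session_id, None)
    for t in [t for t, s in TICKET_TO_SESSION.items() if s == session_id]:
        del TICKET_TO_SESSION[t]
    return (f"<p>You have been logged out of {html.escape(APP_NAME)}.</p>"
            f'<p>To end your SSO session, <a href="{CAS_SERVER_URL}/logout">'
            "click here</a>.</p>")


def handle_slo_request(logout_request_xml: str) -> bool:
    """SLO receiver: invalidate the session created by the service ticket
    named in SessionIndex. Returns True only if a live session was ended.
    Malformed, unknown or replayed indices are ignored, never acted on."""
    try:
        root = ET.fromstring(logout_request_xml)
    except ET.ParseError:
        return False
    idx = root.find(f"{{{SAMLP_NS}}}SessionIndex")
    ticket = (idx.text or "").strip() if idx is not None else ""
    session_id = TICKET_TO_SESSION.pop(ticket, None) if ticket else None
    return session_id is not None and SESSIONS.pop(session_id, None) is not None
```

The receiver can only act on tickets the application recorded at login, so an application that never keeps that mapping will silently ignore SLO even when CAS sends it.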