Here are some more thoughts on SLO from the Shib community. Most of the concerns/issues map pretty well to CAS if you focus on the back-channel logout.
https://fed-lab.org/best-practises/single-logout/

"The biggest threat about Single Logout is that it can lead to false sense of security by giving the user the sense that he/she can leave the browser unattended."

"However, offering single logout without proper application support could result in users leaving their application sessions without them requiring re-authentication, and this would undermine systems’ security."

In a tightly controlled environment, like the one Robert deployed to, it seems like major concerns about SLO can be addressed. Doubtful you'd have the same success in an enterprise or federated deployment.

Best,
Bill

On Thu, Aug 4, 2011 at 9:42 AM, Marvin Addison <marvin.addi...@gmail.com> wrote:
>> So, my point regarding security footing is that on an enterprise scale
>> there are both technical barriers and UX barriers such that a "SLO"
>> deployment is likely to mislead the user and thus not actually improve
>> security minded behavior.
>
> There's simply no consensus on this point. While there are both
> technical and UX issues at present that make SLO imperfect, there is
> absolutely a path forward to improvements that make it nearly so. As
> I said previously, it's simply a matter of time and engineering
> effort. Even at present there is rich value in the feature, which is
> substantiated by the folks who've mentioned on this thread its use and
> vitality at their institutions.
>
> Without consensus the feature should remain unchanged other than
> evolutionary improvements. Adding a service-manager configuration for
> opt out is perfectly along those lines, and a feature I'm enthusiastic
> about.
>
> M