"I certainly hope that Bb is not sending a logout request to CAS when 'its'
session expires (not user initiated). That would single logout the user out
of all services (that participate in SLO) regardless of CAS settings ==>
unhappy users & confused administrators."

This topic begs the question: What does logout mean in an SSO world? Logout
of a single app or logout of SSO (all apps in the SSO session)?

In an SSO environment if you logout of a single app but not the SSO
session, then if you go back to the app you get straight in because the SSO
session is still valid.

Now individual apps can mitigate this by setting "renew = true", but that
somewhat defeats the purpose of SSO, does it not?

We have 500 servers in our CAS service registry and 90 using Shib (using
CAS for authentication). CAS includes on prem apps and cloud apps (off prem).

As the CAS / Shib admin I cannot control how all the servers will react.
They may or may not listen/respond to logout messages, heck, they even maintain
their own session cookies for SLO/timeout.

It is a mess and has been since as long as my first IAM conference.

What does SLO/Logout even mean? Is it even possible to enforce any policy?
Let's not even address aggressive caching by browsers across tabs / windows
/ instances.

I gave up trying years ago, it is what it is.

Logout to me means the following steps:

1. Click logout.
2. Clear cache/cookies
3. Power off computer
4. Shoot computer with 12 gauge shotgun
5. Throw computer into nearest lake/ocean/river.

Without all those steps I don't believe you are "logged out".

On Tue, Jan 30, 2018 at 4:27 PM, Richard Frovarp <richard.frov...@ndsu.edu>
wrote:

> I think that they are. From my recollection that was what came up on the
> Bb admin list a couple of years ago. You have to specify a logout URL, and
> it sends the user to it after it kills its own session. People are
> providing the IdP logout URL, so that kicks it off. My suggestion would be
> to provide a different logout URL other than the IdP.
>
>
> On 01/30/2018 11:38 AM, Ray Bon wrote:
>
> I certainly hope that Bb is not sending a logout request to CAS when 'its'
> session expires (not user initiated). That would single logout the user out
> of all services (that participate in SLO) regardless of CAS settings ==>
> unhappy users & confused administrators.
>
> Ray
>
> On Tue, 2018-01-30 at 09:42 -0600, Richard Frovarp wrote:
>
> Do you have a logout URL configured? Best I know is that when a session
> expires in Bb, it kills the Bb session, then sends the browser to the IdP
> logout URL, which would kill your TGT.
>
> On 01/30/2018 07:08 AM, Michael O Holstein wrote:
>
> We recently moved onto Blackboard's SaaS offering (aka "Ultra") and random
> users are telling us it times out on them. While I suspect this is an issue
> of opening the app, letting it sit for 2 hours, and then noticing their
> session went away (which should re-auth as the TGT is still valid on our
> end).
>
>
> Anyone else seen this? How'd you fix it? Our TGT/ST lifetimes are
> as-delivered default.
>
>
> Thanks,
>
>
> Michael Holstein CISSP
>
> Mgr. Network  & Data Security
>
> Cleveland State University
> --
> - Website: https://apereo.github.io/cas
> - Gitter Chatroom: https://gitter.im/apereo/cas
> - List Guidelines: https://goo.gl/1VRrw7
> - Contributions: https://goo.gl/mh7qDG
> ---
> You received this message because you are subscribed to the Google Groups
> "CAS Community" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to cas-user+unsubscr...@apereo.org.
> To view this discussion on the web visit https://groups.google.com/a/
> apereo.org/d/msgid/cas-user/CO2PR0801MB6478C3DA610FAD823AD
> 852283E40%40CO2PR0801MB647.namprd08.prod.outlook.com
> <https://groups.google.com/a/apereo.org/d/msgid/cas-user/CO2PR0801MB6478C3DA610FAD823AD852283E40%40CO2PR0801MB647.namprd08.prod.outlook.com?utm_medium=email&utm_source=footer>
> .
>
>
> --
> Ray Bon
> Programmer analyst
> Development Services, University Systems
> 2507218831 | CLE 019 | r...@uvic.ca
>
