Hi,
Most of your concerns are already addressed in the wiki, or there are
existing solutions.
> I was wondering about some of the visibility and security issues of a
> seamless CAS login.
> When a user logs into CAS they benefit from SSO into other apps, but do they
> know they are still logged into CAS when they log out of that app?
See below. There is a recommended logout procedure.
> I know that the recommendation is to always close your browser (esp. at kiosk
> machines...), but I was wondering if anything could be done to make CAS more
> top of mind and if anyone does this?
> 1 I was thinking about browser extensions tracking your CAS session and
> indicating you are logged in and found this
> https://wiki.jasig.org/display/[email protected]/CAS+Aware+Firefox+Toolbar+Extension+Experiment
> 2 Or that users are redirected to a page on their way: "You are being
> redirected to an application protected by 'CAS'. Please close your browser
> before you leave this machine...."
This is the checkbox "Warn me before logging me into other sites." on
the login page.
> 3 Redirecting users to a page if they log out of the app with a CAS server
> logout link on the page...
There is a recommended logout procedure for CAS. It's buried in the wiki :(
https://wiki.jasig.org/display/CASC/CAS+Client+for+Java+3.1#CASClientforJava3.1-OrderofRequiredFilters
This also includes Single Sign-Out, which allows the user to terminate
all connected sessions.
https://wiki.jasig.org/display/CASUM/Single+Sign+Out
This sounds easy but requires a lot of work during integration of apps.
All apps have to accept a call from the SSO server and validate it. This is
pretty tricky with SSL and session handling in other apps. But it's
totally worth the effort.
> 4 Something more whizzy and complicated.
> I was wondering if anyone has tried any of these options beyond the "close
> your browser" advice?
I have been writing Single Sign-Out/On best practice documentation for
all my customers on the campus. Right now it's in German, but when it's
ready I will probably add it to the wiki in English. We are trying to
implement a safe and transparent setup for all our students and
employees. This means that the whole process, local vs. global logout, is
clearly documented in all apps, warnings should be issued before any
global logout, etc. In my opinion this is really important from a
security, privacy and usability standpoint.
Acceptance is also much better if the users "understand" the basic
concept and mechanics behind CAS. We have gone from 30 to 300 services
in less than a year after we started focusing on these issues.
I still have some ideas to improve in these areas.
Something like a self-information page on the CAS server: these are the
attributes that the CAS server shares with applications, attributes
shared with Application X?
A Single Sign-Out page before the real global logout, implementing the
recommended logout procedure. This would ease the logout integration for
apps.
Cheers,
Joachim
--
You are currently subscribed to [email protected] as:
[email protected]
To unsubscribe, change settings or access archives, see
http://www.ja-sig.org/wiki/display/JSG/cas-user
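Added example (not code from the thread or from the CAS project; written in Python rather than Java so that it runs stand-alone) showing the two things the reply above says make Single Sign-Out "tricky with session handling": when the user triggers global logout, the CAS server POSTs a SAML LogoutRequest, form parameter `logoutRequest`, to every service the user logged into; its SessionIndex is the service ticket (ST) that was validated at login, and the POST carries no browser cookie. The app therefore has to record ST -> local session at ticket-validation time and must process that POST before its own login check (the "order of required filters" the linked wiki page describes), otherwise the back-channel request is simply redirected to the CAS login page. The example also keeps the local-vs-global logout distinction the reply asks apps to document. The host names, the `APPSESSION` cookie name and the `App` class are hypothetical; the sample LogoutRequest is constructed here and follows the CAS protocol's documented shape.

```python
"""CAS Single Sign-Out receiver plus local/global logout (added example)."""
import re
import secrets
import threading
import xml.etree.ElementTree as ET
from urllib.parse import quote

# Hypothetical deployment values (assumptions, not from the original post).
CAS_BASE = "https://cas.example.edu/cas"
SERVICE_URL = "https://app.example.edu/"

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
TICKET_RE = re.compile(r"ST-[A-Za-z0-9._-]+")   # service tickets start with "ST-"


class SessionRegistry:
    """Service ticket <-> local session id, recorded at ticket-validation time.
    Needed because the CAS back-channel POST carries the ST, not a cookie."""

    def __init__(self):
        self._lock = threading.Lock()
        self._by_ticket, self._by_session = {}, {}

    def record(self, ticket, session_id):
        with self._lock:
            self._by_ticket[ticket] = session_id
            self._by_session[session_id] = ticket

    def drop_ticket(self, ticket):
        """Forget the ticket and return the session id it was bound to, or None."""
        with self._lock:
            sid = self._by_ticket.pop(ticket, None)
            if sid is not None:
                self._by_session.pop(sid, None)
            return sid

    def drop_session(self, session_id):
        with self._lock:
            ticket = self._by_session.pop(session_id, None)
            if ticket is not None:
                self._by_ticket.pop(ticket, None)


def parse_logout_request(xml_text):
    """Extract the ST from a CAS SAML LogoutRequest; None if it is not one."""
    # The back channel is unauthenticated input: refuse DTDs and entity
    # declarations (XXE / entity expansion) before the XML parser sees them.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        return None
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return None
    if root.tag != "{%s}LogoutRequest" % SAMLP:
        return None
    idx = root.find("{%s}SessionIndex" % SAMLP)
    if idx is None or not idx.text or not TICKET_RE.fullmatch(idx.text.strip()):
        return None
    return idx.text.strip()


class App:
    """Toy CAS-protected service; `sessions` is the app's own session store."""

    def __init__(self):
        self.sessions = {}
        self.registry = SessionRegistry()

    def on_ticket_validated(self, ticket, user):
        """Called after /serviceValidate succeeded for `ticket`."""
        sid = secrets.token_urlsafe(16)
        self.sessions[sid] = {"user": user}
        self.registry.record(ticket, sid)     # remember ST -> session for SLO
        return sid

    def handle(self, method, form, cookies):
        """Return (status, body). Single sign-out runs before the login check,
        mirroring the filter order of the CAS Java client."""
        if method == "POST" and "logoutRequest" in form:
            ticket = parse_logout_request(form["logoutRequest"])
            if ticket is None:
                return 400, "malformed logoutRequest"
            sid = self.registry.drop_ticket(ticket)
            self.sessions.pop(sid, None)
            # Unknown or expired ticket: still 200; CAS fans this POST out to
            # every service and there is nothing the app wants it to retry.
            return 200, "session terminated" if sid else "no matching session"
        sid = cookies.get("APPSESSION")
        if sid not in self.sessions:
            return 302, "%s/login?service=%s" % (CAS_BASE, quote(SERVICE_URL, safe=""))
        return 200, "hello " + self.sessions[sid]["user"]

    def local_logout(self, sid, global_logout=False):
        """Local logout ends only this app's session and should tell the user
        so; global logout redirects to the CAS logout URL, which triggers
        single sign-out at every connected service."""
        self.sessions.pop(sid, None)
        self.registry.drop_session(sid)
        if global_logout:
            return 302, CAS_BASE + "/logout"
        return 200, "logged out of this app; you are still logged in to CAS"


def cas_logout_request(ticket):
    """Constructed sample of what the CAS server POSTs during single sign-out."""
    return ('<samlp:LogoutRequest xmlns:samlp="%s" ID="LR-1" Version="2.0" '
            'IssueInstant="2012-01-01T00:00:00Z">'
            '<saml:NameID xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
            '@NOT_USED@</saml:NameID><samlp:SessionIndex>%s</samlp:SessionIndex>'
            '</samlp:LogoutRequest>') % (SAMLP, ticket)
```

The SSL part of the reply's warning is not shown here: the CAS server itself opens the connection to the service URL, so the app's TLS certificate must be trusted by the CAS host and the service URL must be reachable from it, not only from users' browsers.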