Hi,
On 09.07.2010 18:39, Bryan Wooten wrote:
Nathan,
Your assessment is 100% correct. We really do require single sign out.
We have to assume that all our applications will be accessed from public
terminals. We must do our best to protect our users from themselves.
There is no real way to train 30,000 students…
May I ask how you got single sign out to work in a load balanced
environment and which client you used? From what I know about single
sign out, making it work in a load balanced situation is a CAS server
side problem and not a CAS client issue.
The client apps have to be HTTPS (or at least optional). The server
certificate of the applications has to be trusted by the CAS server (JDK
cert store).
phpCAS for example also validates the IP of the logout request. By
default it only accepts the CAS server itself, but for clustered CAS
setups you can override the settings and allow multiple hosts. I'm not
sure how other clients handle this part.
Another obstacle is clustered client apps. You have to distribute your
CAS sessions over all hosts so that the call from the CAS server can be
handled on any of the servers. Intelligent load balancers with sticky
sessions don't help much because for the logout request the server has a
different session id from the client and will probably hit another
cluster node.
Cheers,
Bryan Wooten
Cheers,
Joachim
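
The clustered-client handling described in the message above, as an added sketch that is not part of the original message and not phpCAS code. It assumes the CAS back-channel logout body is a SAML `LogoutRequest` whose `SessionIndex` holds the service ticket; the `Node` class, addresses and ticket values are hypothetical, and two plain dicts stand in for storage shared by all nodes.

```python
import ipaddress
import xml.etree.ElementTree as ET

SAMLP = "{urn:oasis:names:tc:SAML:2.0:protocol}"

class Node:
    """One client-app cluster node; sessions/tickets are shared by all nodes."""
    def __init__(self, sessions, tickets, allowed_cas_hosts):
        self.sessions = sessions  # session id -> session data
        self.tickets = tickets    # service ticket -> session id
        self.allowed = {ipaddress.ip_address(h) for h in allowed_cas_hosts}

    def login(self, session_id, service_ticket, user):
        # After ticket validation: record which session this ticket created.
        self.sessions[session_id] = {"user": user}
        self.tickets[service_ticket] = session_id

    def handle_logout(self, source_ip, logout_request):
        # Back-channel POST from the CAS server: no browser cookie, so the
        # session is found through the ticket, on whichever node is hit.
        if ipaddress.ip_address(source_ip) not in self.allowed:
            return "rejected"
        if "<!DOCTYPE" in logout_request:
            return "rejected"  # a logout request never needs a DTD
        try:
            root = ET.fromstring(logout_request)
        except ET.ParseError:
            return "rejected"
        ticket = (root.findtext(SAMLP + "SessionIndex") or "").strip()
        sid = self.tickets.pop(ticket, None)
        if sid is None:
            return "unknown"
        self.sessions.pop(sid, None)
        return "logged_out"

# Constructed sample of a logout message body.
SAMPLE_LOGOUT = (
    '<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'ID="LR-1" Version="2.0"><samlp:SessionIndex>ST-1-constructed'
    '</samlp:SessionIndex></samlp:LogoutRequest>'
)

def demo():
    sessions, tickets = {}, {}  # stand-ins for storage all nodes share
    cas = ["192.0.2.10", "192.0.2.11"]  # constructed CAS cluster addresses
    node_a, node_b = Node(sessions, tickets, cas), Node(sessions, tickets, cas)
    node_a.login("sess-abc", "ST-1-constructed", "student1")
    spoofed = node_b.handle_logout("198.51.100.7", SAMPLE_LOGOUT)
    real = node_b.handle_logout("192.0.2.11", SAMPLE_LOGOUT)
    return spoofed, real, "sess-abc" in sessions
```

The login happens on one node and the logout request lands on the other; it succeeds only because the ticket-to-session mapping is shared and the sender is one of the allowed CAS hosts.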