Don't put the Single Sign-Out (hitting the sso/logout) under an innocent-looking "logout" button. People don't understand SSO and have no idea about the consequences. You should follow the recommended logout procedure from the wiki [1].

In my opinion the CAS server should implement this warning screen in the future for everyone who is hitting /logout and request a user confirmation. The current setup is not very user friendly since it's very hard to get everyone to use the best practice in big installations with tons of apps.

Cheers,

Joachim

[1] https://wiki.jasig.org/display/CASC/CAS+Client+for+Java+3.1#CASClientforJava3.1-OrderofRequiredFilters

On 19.08.2010 19:44, Patrick Berry wrote:
That is exactly what happens.  A typical scenario went like this:

1. Log in to JIRA via CAS.
2. Log in to portal (CAS SSO already in action)
3. Logout of portal which redirects to CAS logout
4. Hit JIRA again and be prompted for login (via CAS)

Also, when our 45 minute CAS session timeout was hit, CAS would fire off
the sign-out requests and JIRA and Confluence dutifully responded.

Yesterday we commented out the sign-out portions of the CAS client
config and JIRA/Confluence users are much happier with us now.

Cheers,
Pat

On Thu, Aug 19, 2010 at 10:38 AM, Hongbo HE <[email protected]> wrote:

    Pat,

    We have a similar situation as you have.  Our CAS server version is
    3.4.2 and our JIRA and Confluence users have been complaining about
    getting kicked out prematurely.
    I suspect it's the single sign-out.

    My question is that when a user's CAS session timed out, would CAS
    trigger a single sign-out action to sign the user out of all the
    applications that participate in single sign-out?

    Regards,

    Hongbo


    On 8/19/2010 1:19 AM, Patrick Berry wrote:


    On Wed, Aug 18, 2010 at 11:26 AM, Marvin Addison
    <[email protected]> wrote:

        > Would one want to remove the listener as well?

        Yes, now that you mention it.


    Confirmed.

    The long version: Our JIRA and Confluence users have been
    complaining about really short timeouts (oddly enough 45 minutes,
    which matches our CAS session length).  It turns out that when I
    upgraded to 3.4 we got single sign-out for free and it's taken me
    this long to put 2 and 2 together to get 5.  Don't I feel silly.

    Pat
    --
    You are currently subscribed to [email protected] as: [email protected]
    To unsubscribe, change settings or access archives, see
    http://www.ja-sig.org/wiki/display/JSG/cas-user





--
"Do you speak Bocce?"
"Of course I can, sir. It's like a second language to me..."
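
The change discussed in this thread, shown as an added example that is not part of the original messages: a `web.xml` fragment for a webapp using the Java CAS client 3.1, with both the single sign-out filter and its session listener commented out. The filter name, URL pattern and timeout value are assumptions; the two class names are those shipped with the Java CAS client.

```xml
<!-- Added example, not from the thread. web.xml fragment of a CAS-protected
     webapp (Java CAS client 3.1). filter-name, url-pattern and the timeout
     value are assumed sample values. -->

<!-- Single sign-out disabled. With the filter AND the listener removed, the
     application no longer acts on logout requests sent by the CAS server
     (on /logout or when the CAS session times out). The local HTTP session
     then ends only on the application's own logout or its own timeout. -->
<!--
<filter>
  <filter-name>CAS Single Sign Out Filter</filter-name>
  <filter-class>org.jasig.cas.client.session.SingleSignOutFilter</filter-class>
</filter>
<filter-mapping>
  <filter-name>CAS Single Sign Out Filter</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>
<listener>
  <listener-class>org.jasig.cas.client.session.SingleSignOutHttpSessionListener</listener-class>
</listener>
-->

<!-- The local session timeout (minutes) is now the only limit on how long a
     user stays signed in to this application after the CAS session is gone. -->
<session-config>
  <session-timeout>30</session-timeout>
</session-config>
```

If single sign-out is kept instead, the filter has to stay ahead of the other CAS filters in the mapping order, as described on the wiki page cited as [1].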




