Don't put the Single Sign-Out (hitting the sso/logout) under an
innocent-looking "logout" button. People don't understand SSO and have no
idea about the consequences. You should follow the recommended logout
procedure from the wiki [1].
In my opinion the CAS server should implement this warning screen in
the future for everyone who is hitting /logout and request a user
confirmation. The current setup is not very user friendly since it's
very hard to get everyone to use the best practice in big installations
with tons of apps.
Cheers,
Joachim
[1] https://wiki.jasig.org/display/CASC/CAS+Client+for+Java+3.1#CASClientforJava3.1-OrderofRequiredFilters
On 19.08.2010 19:44, Patrick Berry wrote:
That is exactly what happens. A typical scenario went like this:
1. Log in to JIRA via CAS.
2. Login to portal (CAS SSO already in action)
3. Logout of portal which redirects to CAS logout
4. Hit JIRA again and be prompted for login (via CAS)
Also, when our 45 minute CAS session timeout was hit, CAS would fire off
the sign-out requests and JIRA and Confluence dutifully responded.
Yesterday we commented out the sign-out portions of the CAS client
config and JIRA/Confluence users are much happier with us now.
Cheers,
Pat
On Thu, Aug 19, 2010 at 10:38 AM, Hongbo HE <[email protected]> wrote:
Pat,
We have a similar situation as you have. Our CAS server version is
3.4.2 and our JIRA and Confluence users have been complaining about
getting kicked out prematurely.
I suspect it's the single sign-out.
My question is that when a user's CAS session timed out, would CAS
trigger a single sign-out action to sign the user out of all the
applications that participate in single sign-out?
Regards,
Hongbo
On 8/19/2010 1:19 AM, Patrick Berry wrote:
On Wed, Aug 18, 2010 at 11:26 AM, Marvin Addison <[email protected]> wrote:
> Would one want to remove the listener as well?
Yes, now that you mention it.
Confirmed.
The long version: Our JIRA and Confluence users have been
complaining about really short timeouts (oddly enough 45 minutes,
which matches our CAS session length). It turns out that when I
upgraded to 3.4 we got single sign-out for free and it's taken me
this long to put 2 and 2 together to get 5. Don't I feel silly.
Pat
--
You are currently subscribed to [email protected] as: [email protected]
To unsubscribe, change settings or access archives, see
http://www.ja-sig.org/wiki/display/JSG/cas-user
--
"Do you speak Bocce?"
"Of course I can, sir. It's like a second language to me..."