On Thu, Aug 19, 2010 at 12:10 PM, Marvin Addison <[email protected]> wrote:

> > People don't understand SSO and have no idea about
> > the consequences. You should follow the recommended logout procedure from
> > the wiki [1]
>
> How true. Even folks who are very knowledgeable about SSO and CAS
> have a hard time deciding what _should_ happen when they click the
> logout button on a CAS enabled application. Some folks think "I just
> want to end _this_ application." Others argue that if you end only a
> single application, you're only a back button away from re-entering
> assuming your SSO session is still active. I think the best practice
> tries to strike a balance with a fairly clear explanation of what has
> happened and options. I'm open to the idea we could do better though.
>
> M

We're perfectly happy opting out individual clients. I don't think that's a big deal. I suppose you could change the default to have single sign-out be off, but I'm not sure this is just a server configuration issue. It goes more to what individual deployers want/need. Nothing you can do in the default config is going to make everybody happy and you can't make everybody read the docs (or the code in the case of "self documenting" situations). Like it or not, a lot of deployers are just following walk-throughs.

I suppose a note could be placed on each client wiki article saying that "as of CAS x.x.x single sign-out is on by default and any app that uses this client will likely be signed out in the event of a CAS session being destroyed", but I doubt it would help much.

Pat

--
You are currently subscribed to [email protected] as: [email protected]
To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
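To make the behaviour discussed in this thread concrete, here is an added example (not code from the thread or from the CAS project) that simulates what happens on the client side when a CAS SSO session is destroyed with single sign-out enabled. CAS posts a SAML `LogoutRequest` to each service it issued a ticket to, and a client that participates in single sign-out looks up the local session it created for that ticket and invalidates it; a client that has opted out simply ignores the request and keeps its session. The `CasClientApp` class, the ticket-to-session map and the sample request values are assumptions made for this illustration, not the CAS client's actual classes.

```python
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed sample: the shape of the 'logoutRequest' form parameter that the
# CAS server POSTs to a service. The SessionIndex carries the service ticket
# that was originally validated by that service.
LOGOUT_REQUEST_TEMPLATE = (
    '<samlp:LogoutRequest xmlns:samlp="{samlp}" ID="{request_id}" '
    'Version="2.0" IssueInstant="2010-08-19T16:10:00Z">'
    '<saml:NameID xmlns:saml="{saml}">@NOT_USED@</saml:NameID>'
    "<samlp:SessionIndex>{ticket}</samlp:SessionIndex>"
    "</samlp:LogoutRequest>"
)


def build_logout_request(service_ticket, request_id="LR-EXAMPLE-1"):
    """Build a constructed logout request for one service ticket."""
    return LOGOUT_REQUEST_TEMPLATE.format(
        samlp=SAMLP, saml=SAML, request_id=request_id, ticket=service_ticket
    )


def session_index_from_logout_request(xml_text):
    """Return the service ticket named in a logout request, or None if the
    payload is not a well-formed SAML LogoutRequest with a SessionIndex."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return None
    if root.tag != "{%s}LogoutRequest" % SAMLP:
        return None
    node = root.find("{%s}SessionIndex" % SAMLP)
    if node is None or not node.text:
        return None
    return node.text.strip()


class CasClientApp:
    """Hypothetical CAS-protected application (assumed for this example)."""

    def __init__(self, name, participates_in_single_sign_out):
        self.name = name
        self.participates = participates_in_single_sign_out
        # ticket -> local session id, recorded when the ticket is validated
        self.sessions_by_ticket = {}
        self.active_sessions = set()

    def login(self, service_ticket, session_id):
        """Called after successful ticket validation: remember which local
        session belongs to which service ticket."""
        self.sessions_by_ticket[service_ticket] = session_id
        self.active_sessions.add(session_id)

    def handle_logout_request(self, xml_text):
        """Process a posted logout request. Returns True if a local session
        was invalidated, False if the app opted out or the ticket is unknown."""
        if not self.participates:
            return False
        ticket = session_index_from_logout_request(xml_text)
        if ticket is None:
            return False
        session_id = self.sessions_by_ticket.pop(ticket, None)
        if session_id is None:
            return False
        self.active_sessions.discard(session_id)
        return True

    def is_logged_in(self, session_id):
        return session_id in self.active_sessions


def simulate_sso_logout(apps_and_tickets):
    """Deliver one logout request per (app, ticket) pair, as CAS would when the
    SSO session ends, and report which apps actually ended their session."""
    return {
        app.name: app.handle_logout_request(build_logout_request(ticket))
        for app, ticket in apps_and_tickets
    }


if __name__ == "__main__":
    wiki = CasClientApp("wiki", participates_in_single_sign_out=True)
    wiki.login("ST-1-WIKI", "sess-wiki")
    mail = CasClientApp("mail", participates_in_single_sign_out=False)
    mail.login("ST-2-MAIL", "sess-mail")
    print(simulate_sso_logout([(wiki, "ST-1-WIKI"), (mail, "ST-2-MAIL")]))
```

The opted-out app is exactly the case Pat describes: its local session survives the CAS logout, so a deployer who opts a client out has to decide whether that is what their users expect. The parser also returns `None` for malformed or non-matching payloads rather than raising, so a bad request cannot disturb sessions that were never associated with the named ticket.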
