Hi Jérôme

How do you "notify" the other applications that the user got logged out
from the management application?

Thanks

Michael

On 13.01.14 16:09, Jérôme LELEU wrote:
> Hi,
>
> Our way: every time a user changes something in his management application,
> we display a message like "Your change will be taken into account only
> after logout. Please click this link to logout". And the user is logged out
> from all applications including the management one.
> Best regards,
> Jérôme
>
>
>
> 2014/1/13 Michael Wechner <[email protected]>
>
>> Hi Jérôme
>>
>> Thanks very much for your feedback.
>>
>> I guess we will logout the user from CAS, but keep the user signed in at
>> the service where he/she changed the ID.
>> But I am not sure yet whether this will have some unexpected
>> side-effects and need to sleep over it :-)
>>
>> Michael
>>
>> On 13.01.14 14:47, Jérôme LELEU wrote:
>>> Hi,
>>>
>>> We decided to force users to logout as the "safest and simplest" solution
>>> for us.
>>> Best regards,
>>> Jérôme
>>>
>>>
>>>
>>> 2014/1/13 Michael Wechner <[email protected]>
>>>
>>>> Hi
>>>>
>>>> We have two services which a user has access to, whereas as login ID we
>>>> use the email address of the user.
>>>> Since the email address of a user can change, the user can change the
>>>> email address inside the service as follows:
>>>>
>>>> - First the user signs in to the first service (service1) with
>>>> '[email protected]' and changes his/her email inside this service to
>>>> '[email protected]', but which means the email address will also be changed on
>>>> the backend/identity-management, BUT (currently) not inside CAS itself
>>>>
>>>> - The user decides to go to the other service (service2), but because
>>>> the user already has a valid session with CAS, he/she does not have to
>>>> provide the (new) credentials again, but the login request
>>>>
>>>> https://my.cas/cas-server-webapp-3.5.2/login?service=https://service2/index.html
>>>>
>>>> will return
>>>>
>>>> <?xml version="1.0" encoding="UTF-8"?><cas:serviceResponse
>>>> xmlns:cas="http://www.yale.edu/tp/cas">
>>>>         <cas:authenticationSuccess>
>>>>                 <cas:user>[email protected]</cas:user>
>>>>
>>>> which means in the case of service2 the user is signed in with the old
>>>> username, which does not work anymore with the backend.
>>>>
>>>> My question is whether there are any recommended ways to handle such a
>>>> situation? At the moment I can see the following possibilities:
>>>>
>>>> - Force logout after the user has changed the email address, and hence
>>>> user has to sign-in again with new email address
>>>> - Update the login ID inside CAS somehow (but I guess that's not
>>>> possible for security reasons)
>>>> - Provide some mapping from old to new email address, such that during
>>>> the same session also the old email is still valid.
>>>>
>>>> I have been searching quite a bit for similar topics, but have not found
>>>> anything really, hence any hints/feedback is much appreciated.
>>>>
>>>> Thanks
>>>>
>>>> Michael
>>>>
>>>> --
>>>> You are currently subscribed to [email protected] as:
>>>> [email protected]
>>>> To unsubscribe, change settings or access archives, see
>>>> http://www.ja-sig.org/wiki/display/JSG/cas-user
>>>>
>>
>>
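
The first option from the original question (force a logout once the login ID has changed), seen from service2's side, as an added example that is not part of the thread or of CAS itself: the service parses the CAS validation response and, when the returned `cas:user` is no longer a login ID the backend accepts, sends the user to CAS logout instead of mapping the old ID to the new one. The function names, the `current_ids` lookup and the sample addresses are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}
CAS_BASE = "https://my.cas/cas-server-webapp-3.5.2"  # CAS base URL as quoted in the thread

# Constructed sample: a complete response of the shape quoted in the thread,
# with a constructed address standing in for the old login ID.
SAMPLE_SUCCESS = """<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationSuccess>
    <cas:user>old@example.org</cas:user>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""

# Constructed sample: a failed validation.
SAMPLE_FAILURE = """<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationFailure code="INVALID_TICKET">ticket not recognized</cas:authenticationFailure>
</cas:serviceResponse>"""


def cas_principal(xml_text):
    """Return the cas:user of a successful validation response, else None."""
    root = ET.fromstring(xml_text)
    user = root.find("cas:authenticationSuccess/cas:user", CAS_NS)
    if user is None or not user.text:
        return None
    return user.text.strip()


def decide(xml_text, current_ids):
    """Decide what service2 does with a validation response.

    current_ids is a hypothetical stand-in for the backend lookup: the set
    of login IDs the identity management accepts right now.
    """
    principal = cas_principal(xml_text)
    if principal is None:
        return ("deny", None)
    if principal in current_ids:
        return ("allow", principal)
    # The CAS session predates the ID change: end the SSO session so the
    # user signs in again with the new ID, rather than trusting the stale one.
    return ("reauthenticate", CAS_BASE + "/logout")


if __name__ == "__main__":
    # Backend already holds the new address; CAS still asserts the old one.
    print(decide(SAMPLE_SUCCESS, {"new@example.org"}))
    print(decide(SAMPLE_FAILURE, {"new@example.org"}))
```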

