Thanks again for clarifying once more.

On 14.01.14 15:30, Jérôme LELEU wrote:
> 2014/1/14 Michael Wechner <[email protected]>
>
>> Hi
>>
>> Thanks very much for clarifying. I guess you are referring to
>>
>>
>> https://wiki.jasig.org/display/casum/single+sign+out#SingleSignOut-Howitworks
>> :
>>
>> which is sending a callback to all registered services/applications once
>> CAS receives a request for
>>
>> /cas/logout
>>
> Indeed
>
>
>> as a redirect by the management application of the browser of the user,
>> right?
>>
>> IIUC there is no other way to logout a user than redirecting the user's
>> browser to /cas/logout, right?
>>
> Yes, you could logout locally from your management webapp but you would be
> still authenticated in SSO, so as soon as you try to access a protected
> resource in the management webapp, you would be automatically
> re-authenticated by CAS.
> The /cas/logout url ensures that the SSO session is destroyed and all
> applications are notified to destroy their own sessions.
>
>
>> I mean for example that the management application uses the original CAS
>> service ticket associated with the user
>> to make a logout request at the CAS webapp?
>>
>> Thanks
>>
>> Michael
>>
>>
>>
>> On 14.01.14 10:16, Jérôme LELEU wrote:
>>> Hi,
>>>
>>> Sorry if I was unclear, but the logout I'm talking about is the CAS logout,
>>> which notifies all the applications that the session for the user must be
>>> terminated. So the user is logged out from all applications (including the
>>> management one).
>>> Best regards,
>>> Jérôme
>>>
>>>
>>>
>>>
>>> 2014/1/13 Michael Wechner <[email protected]>
>>>
>>>> Hi Jérôme
>>>>
>>>> How do you "notify" the other applications that the user got logged out
>>>> from the management application?
>>>>
>>>> Thanks
>>>>
>>>> Michael
>>>>
>>>> On 13.01.14 16:09, Jérôme LELEU wrote:
>>>>> Hi,
>>>>>
>>>>> Our way: every time a user changes something in his management application,
>>>>> we display a message like "Your change will be taken into account only
>>>>> after logout. Please click this link to logout". And the user is logged out
>>>>> from all applications including the management one.
>>>>> Best regards,
>>>>> Jérôme
>>>>>
>>>>>
>>>>>
>>>>> 2014/1/13 Michael Wechner <[email protected]>
>>>>>
>>>>>> Hi Jérôme
>>>>>>
>>>>>> Thanks very much for your feedback.
>>>>>>
>>>>>> I guess we will logout the user from CAS, but keep the user signed in at
>>>>>> the service where he/she changed the ID.
>>>>>> But I am not sure yet whether this will have some unexpected
>>>>>> side-effects and need to sleep over it :-)
>>>>>>
>>>>>> Michael
>>>>>>
>>>>>> On 13.01.14 14:47, Jérôme LELEU wrote:
>>>>>>> Hi,
>>>>>>>
>>>>>>> We decided to force users to logout as the "safest and simplest" solution
>>>>>>> for us.
>>>>>>> Best regards,
>>>>>>> Jérôme
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> 2014/1/13 Michael Wechner <[email protected]>
>>>>>>>
>>>>>>>> Hi
>>>>>>>>
>>>>>>>> We have two services which a user has access to, whereas as login ID we
>>>>>>>> use the email address of the user.
>>>>>>>> Since the email address of a user can change, the user can change the
>>>>>>>> email address inside the service as follows:
>>>>>>>>
>>>>>>>> - First the user signs in to the first service (service1) with
>>>>>>>> '[email protected]' and changes his/her email inside this service to
>>>>>>>> '[email protected]', but which means the email address will also be changed on
>>>>>>>> the backend/identity-management, BUT (currently) not inside CAS itself
>>>>>>>> - The user decides to go to the other service (service2), but because
>>>>>>>> the user already has a valid session with CAS, he/she does not have to
>>>>>>>> provide the (new) credentials again, but the login request
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> https://my.cas/cas-server-webapp-3.5.2/login?service=https://service2/index.html
>>>>>>>> will return
>>>>>>>>
>>>>>>>> <?xml version="1.0" encoding="UTF-8"?><cas:serviceResponse
>>>>>>>> xmlns:cas="http://www.yale.edu/tp/cas">
>>>>>>>>         <cas:authenticationSuccess>
>>>>>>>>                 <cas:user>[email protected]</cas:user>
>>>>>>>>
>>>>>>>> which means in the case of service2 the user is signed in with the old
>>>>>>>> username, which does not work anymore with the backend.
>>>>>>>>
>>>>>>>> My question is whether there are any recommended ways to handle such a
>>>>>>>> situation? At the moment I can see the following possibilities:
>>>>>>>>
>>>>>>>> - Force logout after the user has changed the email address, and hence
>>>>>>>> user has to sign-in again with new email address
>>>>>>>> - Update the login ID inside CAS somehow (but I guess that's not
>>>>>>>> possible for security reasons)
>>>>>>>> - Provide some mapping from old to new email address, such that during
>>>>>>>> the same session also the old email is still valid.
>>>>>>>>
>>>>>>>> I have been searching quite a bit for similar topics, but have not found
>>>>>>>> anything really, hence any hints/feedback is much appreciated.
>>>>>>>>
>>>>>>>> Thanks
>>>>>>>>
>>>>>>>> Michael
>>>>>>>>
>>>>>>>> --
>>>>>>>> You are currently subscribed to [email protected] as:
>>>>>>>> [email protected]
>>>>>>>> To unsubscribe, change settings or access archives, see
>>>>>>>> http://www.ja-sig.org/wiki/display/JSG/cas-user
>>>>>>>>
>>>>>>
>>>>
>>
>>



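The service-side half of the logout callback discussed in this thread, as an added example that is not from the thread or from the CAS project. It assumes CAS's back-channel POST carrying a SAML `LogoutRequest` whose `SessionIndex` is the service ticket issued to that service; `LocalSessions`, the ticket and the user name are hypothetical, constructed values.

```python
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"

# Constructed sample of the body CAS POSTs in the `logoutRequest` form
# parameter; the ID, timestamp and ticket value are made up.
SAMPLE_LOGOUT_REQUEST = """<samlp:LogoutRequest
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    ID="LR-1-constructed" Version="2.0" IssueInstant="2014-01-14T15:30:00Z">
  <saml:NameID xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">@NOT_USED@</saml:NameID>
  <samlp:SessionIndex>ST-1-constructedticket-cas</samlp:SessionIndex>
</samlp:LogoutRequest>"""


class LocalSessions:
    """Hypothetical per-service session store keyed by CAS service ticket."""

    def __init__(self):
        self._by_ticket = {}

    def login(self, service_ticket, user):
        # Called after the service has validated the ticket with CAS.
        self._by_ticket[service_ticket] = user

    def is_logged_in(self, service_ticket):
        return service_ticket in self._by_ticket

    def handle_logout_callback(self, body):
        """Destroy the local session named by a CAS logout callback.

        Returns the user whose session was destroyed, or None.
        """
        if "<!DOCTYPE" in body or "<!ENTITY" in body:
            return None  # refuse DTDs: no entity expansion from a remote POST
        try:
            root = ET.fromstring(body)
        except ET.ParseError:
            return None
        if root.tag != "{%s}LogoutRequest" % SAMLP:
            return None
        ticket = (root.findtext("{%s}SessionIndex" % SAMLP) or "").strip()
        # This sketch does not authenticate the sender, so only a ticket
        # this service already holds has any effect; anything else is ignored.
        return self._by_ticket.pop(ticket, None)
```

Each service holds its own ticket for the same SSO session, so CAS sends one such callback per service; a local logout that skips `/cas/logout` triggers none of them.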