On 14.01.14 12:27, Misagh Moayyed wrote:
> Chiming in; that conceptually another alternative would be to resolve the 
> principal id by an attribute that user does not have the ability to change. 
> You can still authenticate by email, but the principal is identified by say a 
> 10-digit unique numeric value. This is simpler to set up, but impacts 
> integrated apps so may not be achievable depending on who/what is using your 
> CAS and how flexible they might be to this change. 

I am not sure I understand, can you explain what you are suggesting with
an example or some more details?

Thanks

Michael
>
>
>
>
> Misagh 
>
>
> ----- Original Message -----
>
> From: "Michael Wechner" <[email protected]> 
> To: [email protected] 
> Sent: Tuesday, January 14, 2014 3:47:28 AM 
> Subject: Re: [cas-user] Changing login ID via one service and sign in during 
> the same session via another service 
>
> Hi 
>
> Thanks very much for clarifying. I guess you are referring to 
>
> https://wiki.jasig.org/display/casum/single+sign+out#SingleSignOut-Howitworks:
>  
>
> which is sending a callback to all registered services/applications once 
> CAS receives a request for 
>
> /cas/logout 
>
> as a redirect by the management application of the browser of the user, 
> right? 
>
> IIUC there is no other way to logout a user than redirecting the user's 
> browser to /cas/logout, right? 
>
> I mean for example that the management application uses the original CAS 
> service ticket associated with the user 
> to make a logout request at the CAS webapp? 
>
> Thanks 
>
> Michael 
>
>
>
> On 14.01.14 10:16, Jérôme LELEU wrote: 
>> Hi, 
>>
>> Sorry if I was unclear, but the logout I'm talking about is the CAS logout, 
>> which notifies all the applications that the session for the user must be 
>> terminated. So the user is logged out from all applications (including the 
>> management one). 
>> Best regards, 
>> Jérôme 
>>
>>
>>
>>
>> 2014/1/13 Michael Wechner <[email protected]> 
>>
>>> Hi Jérôme 
>>>
>>> How do you "notify" the other applications that the user got logged out 
>>> from the management application? 
>>>
>>> Thanks 
>>>
>>> Michael 
>>>
>>> On 13.01.14 16:09, Jérôme LELEU wrote: 
>>>> Hi, 
>>>>
>>>> Our way: every time a user changes something in his management application, 
>>>> we display a message like "Your change will be taken into account only 
>>>> after logout. Please click this link to logout". And the user is logged out 
>>>> from all applications including the management one. 
>>>> Best regards, 
>>>> Jérôme 
>>>>
>>>>
>>>>
>>>> 2014/1/13 Michael Wechner <[email protected]> 
>>>>
>>>>> Hi Jérôme 
>>>>>
>>>>> Thanks very much for your feedback. 
>>>>>
>>>>> I guess we will logout the user from CAS, but keep the user signed in at 
>>>>> the service where he/she changed the ID. 
>>>>> But I am not sure yet whether this will have some unexpected 
>>>>> side-effects and need to sleep over it :-) 
>>>>>
>>>>> Michael 
>>>>>
>>>>> On 13.01.14 14:47, Jérôme LELEU wrote: 
>>>>>> Hi, 
>>>>>>
>>>>>> We decided to force users to logout as the "safest and simplest" solution 
>>>>>> for us. 
>>>>>> Best regards, 
>>>>>> Jérôme 
>>>>>>
>>>>>>
>>>>>>
>>>>>> 2014/1/13 Michael Wechner <[email protected]> 
>>>>>>
>>>>>>> Hi 
>>>>>>>
>>>>>>> We have two services which a user has access to, whereas as login ID we 
>>>>>>> use the email address of the user. 
>>>>>>> Since the email address of a user can change, the user can change the 
>>>>>>> email address inside the service as follows: 
>>>>>>>
>>>>>>> - First the user signs in to the first service (service1) with 
>>>>>>> '[email protected]' and changes his/her email inside this service to 
>>>>>>> '[email protected]', but which means the email address will also be changed on 
>>>>>>> the backend/identity-management, BUT (currently) not inside CAS itself 
>>>>>>>
>>>>>>> - The user decides to go to the other service (service2), but because 
>>>>>>> the user already has a valid session with CAS, he/she does not have to 
>>>>>>> provide the (new) credentials again, but the login request 
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> https://my.cas/cas-server-webapp-3.5.2/login?service=https://service2/index.html
>>>>>>>
>>>>>>> will return 
>>>>>>>
>>>>>>> <?xml version="1.0" encoding="UTF-8"?><cas:serviceResponse 
>>>>>>> xmlns:cas="http://www.yale.edu/tp/cas"> 
>>>>>>> <cas:authenticationSuccess> 
>>>>>>> <cas:user>[email protected]</cas:user> 
>>>>>>>
>>>>>>> which means in the case of service2 the user is signed in with the old 
>>>>>>> username, which does not work anymore with the backend. 
>>>>>>>
>>>>>>> My question is whether there are any recommended ways to handle such a 
>>>>>>> situation? At the moment I can see the following possibilities: 
>>>>>>>
>>>>>>> - Force logout after the user has changed the email address, and hence 
>>>>>>> user has to sign-in again with new email address 
>>>>>>> - Update the login ID inside CAS somehow (but I guess that's not 
>>>>>>> possible for security reasons) 
>>>>>>> - Provide some mapping from old to new email address, such that during 
>>>>>>> the same session also the old email is still valid. 
>>>>>>>
>>>>>>> I have been searching quite a bit for similar topics, but have not found 
>>>>>>> anything really, hence any hints/feedback is much appreciated. 
>>>>>>>
>>>>>>> Thanks 
>>>>>>>
>>>>>>> Michael 
>>>>>>>
>>>>>>> -- 
>>>>>>> You are currently subscribed to [email protected] as: 
>>>>>>> [email protected] 
>>>>>>> To unsubscribe, change settings or access archives, see 
>>>>>>> http://www.ja-sig.org/wiki/display/JSG/cas-user 
>>>>>>>
>
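
Added example, not part of the thread and not CAS code: a simplified Python model of the situation discussed above, comparing a principal id taken from the login email with one taken from an immutable numeric attribute. The class names, the uid value and the example.org addresses are constructed, and the password check is omitted.

```python
# Simplified model of a CAS-style SSO session (added example, not CAS code).
import secrets

UID = "1000000042"  # constructed 10-digit immutable identifier

class Directory:
    """Backend identity store keyed by the immutable uid (constructed data)."""
    def __init__(self):
        self.users = {UID: {"email": "old@example.org"}}

    def uid_for_email(self, email):
        return next((u for u, r in self.users.items() if r["email"] == email), None)

    def knows(self, identifier):
        # The backend accepts either a uid or a *current* email address.
        return identifier in self.users or self.uid_for_email(identifier) is not None

class SsoServer:
    """The principal id is resolved once at login and frozen in the SSO session."""
    def __init__(self, directory, principal_attr):
        self.directory = directory
        self.principal_attr = principal_attr  # "email" or "uid"
        self.sessions = {}                    # session ticket -> principal id

    def login(self, email):
        uid = self.directory.uid_for_email(email)  # password check omitted
        if uid is None:
            raise PermissionError("unknown user")
        ticket = secrets.token_hex(16)
        self.sessions[ticket] = email if self.principal_attr == "email" else uid
        return ticket

    def validate(self, ticket):
        # What a service receives as <cas:user> for an existing session.
        return self.sessions[ticket]

def principal_seen_by_service2(principal_attr):
    directory = Directory()
    sso = SsoServer(directory, principal_attr)
    ticket = sso.login("old@example.org")                 # sign in via service1
    directory.users[UID]["email"] = "new@example.org"     # email changed in service1
    principal = sso.validate(ticket)                      # service2, same session
    return principal, directory.knows(principal)

if __name__ == "__main__":
    print(principal_seen_by_service2("email"))  # stale email, unknown to backend
    print(principal_seen_by_service2("uid"))    # stable id, still resolvable
```

With the uid as principal, every integrated service has to key its accounts on that value instead of the email address, which is the impact on integrated apps mentioned in the thread.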

