Hi Ted. This might be able to help you: https://github.com/Unicon/cas-addons/wiki/Configuring%20services%20initiating%20SSO%20sessions
Just one note about this implementation is that the CAS SLO must be turned off (which as I see from your description is not the case for you) - I don’t remember off the top of my head why. Anyway, see if this is useful to you and perhaps we might think about improving this facility to work well with SLO turned on, etc. Cheers, Dmitriy. On Jan 30, 2014, at 8:59 AM, Ted Fisher <[email protected]> wrote: > I have found that ssoEnabled set to false does not have quite the effect we > were thinking it did. When I set a service to not allow SSO participation > it does force the user to enter user name and password each time they try to > access the service (ie. Get a service ticket), which is fine. The problem is > that I thought that also caused it to not generate a TGT so that other > services could get STs based on a TGT obtained already. > We have an application (at least one) that does not have any session > management or logout. Our policy for SLO is that when any application > participating in SSO logs out then all SSO application sessions are logged > out. This is to prevent a user from walking away from a PC in a lab leaving > any SSO sessions active that someone else could hijack. So, for this > application that has no means for the user to log out (depends on user > closing browser which doesn't always happen), we don't want authentication > for this one app to enable SSO for any other applications. That is, when > they authenticate via CAS for this app we don't want a TGT generated (or we > want the TGT destroyed right after the ST is created/validated). > > Is this possible? > > Can we cause authentication for a single service to apply only to that > service? > > Thanks. > > Ted F. Fisher > Information Technology Services > Bowling Green State University > > > > -- > You are currently subscribed to [email protected] as: > [email protected] > To unsubscribe, change settings or access archives, see > http://www.ja-sig.org/wiki/display/JSG/cas-user -- You are currently subscribed to [email protected] as: [email protected] To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
