> From: Curtis Long [mailto:[email protected]]
> Sent: Monday, March 17, 2014 9:49 AM
>
> We considered not having Bb sign users out of CAS, but I don't think that it
> is intuitive if you have a large loosely connected applications like Bb.  For
> example, a student logs out of Bb, and then types the URL to go back to the
> app directly (say a friend wants to login).  Since the CAS session would
> still be there, they would be automatically logged in as though they had never
> clicked 'Log Out' with the same user?  May make sense if you have tighter
> integration going on, or good communication about closing browsers and
> cookie security, but something to consider.

Don't almost all web apps say something along the lines of "you have been 
logged out of your session, please close your browser to complete the log out 
and maintain security"?

Ideally each application session logout page could be updated with a note 
describing that a single sign-on session is still in force and provide a 
separate link to log out of CAS if so desired. I think it pretty much breaks 
SSO if any application you stop using destroys your central SSO session.
