> From: Richard Frovarp
> Sent: Monday, March 17, 2014 2:19 PM
>
> But it isn't stop using an application (unless a timeout there forces a
> logout of CAS). It's actually logging out of the application, and the
> user desiring to remove their access to the system. What good is logging
> out of an application if the only step required to get back in is
> clicking the login button?
Consider two scenarios:

1) You have a single sign-on session, access Blackboard, and then log out of Blackboard, but retain your single sign-on session. You then click back to Blackboard, and are transparently logged back in.

2) You have a single sign-on session, but gained from accessing some other application; you have had absolutely no interaction with Blackboard at all. You click on a Blackboard link, and are transparently logged in.

Is #1 surprising, but #2 is not? They are both inherent artifacts of having a valid single sign-on session.

> A surprising SSO is you logging out of a website, me sitting down,
> clicking login, and then being you. That isn't the point of SSO.

There are really two ways to look at "SSO". The first is that you simply use the same username/password pair for every single service, even if you have to authenticate separately to them. The second is that you authenticate once, and then can access every service without authenticating again. Which one are you trying to implement? Because if you are trying to implement the latter, then having an application "logout" destroy your single sign-on session is what would be surprising.

Basically, in the context of a global single sign-on session providing access to all applications, the concept of "logging out" of a particular application is no longer valid. Either you are "logged in" to everything, or you are "logged out" of everything. And it seems the proper solution isn't to have any single application destroy the entire session, but rather to stop having "application" logouts, and instead have each individual application's logout page go to a central CAS page where a user can select to destroy their session or not.

--
You are currently subscribed to [email protected] as: [email protected]
To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
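The two scenarios above, and the central-logout alternative the reply proposes, as an added toy model written for this thread (it is not code from the CAS project or from either poster). It separates the global SSO session (a ticket-granting ticket held by the browser) from each application's own session, so you can see why an application-level logout followed by a click on "login" puts the user straight back in, and what changes when the logout instead ends the SSO session and notifies the applications. The class and method names, the direct single-logout callback, and the accept-any-password login are assumptions made for the example; real CAS adds ticket expiry, a service registry, proxy tickets and a back-channel logout request.

```python
"""Toy model of a CAS-style SSO session versus per-application sessions.

Added example for illustration only; not CAS code. Class/method names and the
simplified ticket flow are assumptions made for this example.
"""
import secrets


class SsoServer:
    """Holds the global SSO session: one ticket-granting ticket (TGT) per browser."""

    def __init__(self):
        self.tgts = {}              # tgt -> username (the global SSO session)
        self.service_tickets = {}   # st  -> (username, service_url), single use
        self.issued_to = {}         # tgt -> set of services that received tickets

    def login(self, username, password):
        """Interactive login. Example only: any non-empty password is accepted."""
        if not password:
            raise PermissionError("bad credentials")
        tgt = "TGT-" + secrets.token_hex(8)
        self.tgts[tgt] = username
        self.issued_to[tgt] = set()
        return tgt  # in real CAS this is the TGC cookie value

    def request_service_ticket(self, tgt, service):
        """Browser hits /login?service=... carrying its TGT cookie. While the TGT is
        valid no credentials are asked for: this is the 'transparent login'."""
        user = self.tgts.get(tgt)
        if user is None:
            return None  # no SSO session: the user would see the CAS login form
        st = "ST-" + secrets.token_hex(8)
        self.service_tickets[st] = (user, service)
        self.issued_to[tgt].add(service)
        return st

    def validate(self, st, service):
        """Service tickets are single use and bound to the requesting service."""
        entry = self.service_tickets.pop(st, None)
        if entry is None or entry[1] != service:
            return None
        return entry[0]

    def logout(self, tgt, apps_by_service):
        """Central logout: destroy the TGT and notify every application that
        obtained a ticket from it (single logout, modelled as a direct callback)."""
        if tgt in self.tgts:
            for service in self.issued_to.pop(tgt):
                apps_by_service[service].single_logout_callback()
            del self.tgts[tgt]


class ServiceApp:
    """An application that trusts the SSO server; its own session is separate."""

    def __init__(self, cas, service_url):
        self.cas = cas
        self.service_url = service_url
        self.session_user = None

    def click_login(self, browser_tgt):
        st = self.cas.request_service_ticket(browser_tgt, self.service_url)
        if st is None:
            return None
        self.session_user = self.cas.validate(st, self.service_url)
        return self.session_user

    def app_logout(self):
        """The per-application logout under discussion: clears only this app."""
        self.session_user = None

    def logout_via_cas(self, browser_tgt, end_sso, apps_by_service):
        """The reply's proposal: the app's logout page hands off to a central CAS
        page where the user chooses whether the global session ends as well."""
        self.app_logout()
        if end_sso:
            self.cas.logout(browser_tgt, apps_by_service)

    def single_logout_callback(self):
        self.session_user = None


def scenario_app_logout_then_return():
    """Scenario 1: log out of Blackboard only, then click its login link again."""
    cas = SsoServer()
    bb = ServiceApp(cas, "https://blackboard.example/cas")
    tgt = cas.login("alice", "hunter2")
    bb.click_login(tgt)
    bb.app_logout()             # Blackboard session gone, SSO session untouched
    return bb.click_login(tgt)  # transparently back in as "alice"


def scenario_central_logout():
    """Scenario 2 plus the central logout: first use of Blackboard is transparent,
    then ending the SSO session from another app logs everything out."""
    cas = SsoServer()
    bb = ServiceApp(cas, "https://blackboard.example/cas")
    other = ServiceApp(cas, "https://other.example/cas")
    apps = {a.service_url: a for a in (bb, other)}
    tgt = cas.login("alice", "hunter2")
    other.click_login(tgt)
    first_bb_login = bb.click_login(tgt)  # never touched Blackboard before
    other.logout_via_cas(tgt, end_sso=True, apps_by_service=apps)
    # After central logout nobody is logged in and "login" now needs credentials.
    return first_bb_login, other.session_user, bb.session_user, bb.click_login(tgt)
```

`scenario_app_logout_then_return()` returns `"alice"`: the application logout changed nothing the SSO server knows about. `scenario_central_logout()` returns `("alice", None, None, None)`: the user was transparently logged into Blackboard without ever having visited it, and only destroying the TGT (with single logout fan-out) leaves every application logged out and the next login click going to the credential form.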
