Using 4.0.0

I'm configuring single log out on some services and I have encountered a 
situation I would appreciate some clarity on.  For this particular use case, we 
want the logout callback to be called if the user visits /cas/logout directly, 
but not when the TGT expires and is cleared out by the registry cleaner 
(accomplished thanks to logUserOutOfServices).  Some users may spend a long 
time working in a single application.  However, after doing some testing, I 
came across a third situation I hadn't considered.

The user signs into ServiceA and continues actively using it, keeping the 
application session alive past the point where the TGT expires.  The user then 
attempts to sign into ServiceB.  At this point, it seems that login-webflow 
checks the TGT for validity, and if it is invalid calls 
terminateSessionAction.terminate, which fires the logout callbacks and logs the 
user out of ServiceA.  Since this seems to be the same function called during 
logout-webflow, does that mean that this scenario must be considered to be the 
same as if the user explicitly visited /cas/logout, triggering the same logout 
callbacks?

Since some (many) of our users have no concept of the distinction between the 
application session and the PASS session, the logout could be unexpected and 
the aborting of their active work could be frustrating.  Am I missing something 
relevant about how people manage SLOs and users that may spend a lot of time 
in a single application at a time?

Thank you for any information.

-bob
