Scott Battaglia wrote:

> Nick,
>
> Ticket expiration is not only checked when it's retrieved. You can check
> ticket expiration at any time. One time is obviously when someone
> retrieves the ticket to use it. The other scenario is when a
> RegistryCleaner goes through and cleans up expired tickets. So if your
> expiration policy says a ticket has to have been used within the
> last 20 minutes and it hadn't, it will be cleaned up when either (a)
> someone attempts to use it or (b) when the cleaner runs through the
> registry.
>
> -Scott
Nick,

The key here seems to be that you want inactivity on the client computer (e.g. a user walking away from their workstation) to trigger ticket expiration. At the same time, if a user was at their workstation (in Word or something else) you DON'T want to expire their ticket early. So what you seem to need is a way to monitor workstation activity and pass that on to the CAS server. There doesn't appear to be a real way to do that only on the server.

In general, it seems like you could:

1. Trigger a message which gets sent to the CAS server when a workstation becomes inactive (e.g. when the screen saver fires, you also kill the SSO session)

2. Provide a "heartbeat" where, as long as a user is active on their workstation, a session with a short inactivity timeout is renewed. If the heartbeat signal isn't received, then CAS expires the TGT based on inactivity.

3. Have a very short activity timeout, combined with transparent re-authentication via SPNEGO or X.509 certificates or some other non-interactive login. That way, even if the TGT expires, users don't have to re-enter passwords and have a seamless experience. Not sure of the implications of this if you use lots of proxy tickets.

Both of these cases seem like they would require custom software on the workstation (unless you have an existing Windows or security suite that provides appropriate hooks).

Jason

--
Jason Shao
Application Developer, Architecture & Engineering Team
Rutgers University - Enterprise Systems & Services
v. 732-445-2869 | f. 732-445-5493 | [EMAIL PROTECTED]

_______________________________________________
Yale CAS mailing list
[email protected]
http://tp.its.yale.edu/mailman/listinfo/cas
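The two expiration paths Scott describes (checked on retrieval, or swept by a registry cleaner) and the heartbeat renewal Jason lists as option 2 can be modelled in a few dozen lines. The block below is an added illustration written for this thread; it is not CAS code and not code from either poster. The class names (`Ticket`, `InactivityExpirationPolicy`, `TicketRegistry`, `FakeClock`) and the 20-minute window are assumptions chosen to mirror the discussion, and the injectable clock exists only so the scenario runs deterministically offline.

```python
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass
class Ticket:
    """Minimal stand-in for a ticket-granting ticket (hypothetical model, not CAS's class)."""
    ticket_id: str
    created_at: float
    last_used_at: float
    use_count: int = 0


class InactivityExpirationPolicy:
    """Sliding-window policy: a ticket is expired once it has gone unused for
    longer than `timeout_seconds` (the thread's "used within the last 20 minutes")."""

    def __init__(self, timeout_seconds: float) -> None:
        self.timeout_seconds = timeout_seconds

    def is_expired(self, ticket: Ticket, now: float) -> bool:
        return (now - ticket.last_used_at) > self.timeout_seconds


class TicketRegistry:
    """Stores tickets and applies the policy on both paths Scott describes."""

    def __init__(self, policy: InactivityExpirationPolicy,
                 clock: Callable[[], float] = time.time) -> None:
        self._policy = policy
        self._clock = clock
        self._tickets: Dict[str, Ticket] = {}

    def issue(self, ticket_id: str) -> Ticket:
        now = self._clock()
        ticket = Ticket(ticket_id, created_at=now, last_used_at=now)
        self._tickets[ticket_id] = ticket
        return ticket

    def retrieve(self, ticket_id: str) -> Optional[Ticket]:
        """Path (a): expiration is checked when someone tries to use the ticket.
        A valid use renews the inactivity window; an expired ticket is removed."""
        ticket = self._tickets.get(ticket_id)
        if ticket is None:
            return None
        now = self._clock()
        if self._policy.is_expired(ticket, now):
            del self._tickets[ticket_id]
            return None
        ticket.last_used_at = now
        ticket.use_count += 1
        return ticket

    def heartbeat(self, ticket_id: str) -> bool:
        """Jason's option 2: workstation activity renews the window without
        counting as a service use. Returns False if the ticket is gone or expired."""
        ticket = self._tickets.get(ticket_id)
        if ticket is None:
            return False
        now = self._clock()
        if self._policy.is_expired(ticket, now):
            del self._tickets[ticket_id]
            return False
        ticket.last_used_at = now
        return True

    def clean(self) -> List[str]:
        """Path (b): the registry cleaner sweeps every expired ticket and
        reports which ids it removed."""
        now = self._clock()
        expired = [tid for tid, t in self._tickets.items() if self._policy.is_expired(t, now)]
        for tid in expired:
            del self._tickets[tid]
        return expired

    def contains(self, ticket_id: str) -> bool:
        return ticket_id in self._tickets


class FakeClock:
    """Deterministic clock for the scenario below (constructed for the example)."""

    def __init__(self, start: float = 0.0) -> None:
        self.now = start

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


def run_scenario() -> dict:
    """Three tickets issued at t=0 under a 20-minute window: one used, one kept
    alive by heartbeats, one idle. Shows that an unused ticket stays in the
    registry until either a retrieval or the cleaner notices it has expired."""
    clock = FakeClock()
    registry = TicketRegistry(InactivityExpirationPolicy(20 * 60), clock)
    for tid in ("TGT-active", "TGT-heartbeat", "TGT-idle"):
        registry.issue(tid)

    clock.advance(15 * 60)                      # t=15 min: all inside the window
    first_use_ok = registry.retrieve("TGT-active") is not None
    registry.heartbeat("TGT-heartbeat")         # renewed without a service use

    clock.advance(15 * 60)                      # t=30 min: idle ticket is 30 min old
    swept = registry.clean()                    # cleaner removes only TGT-idle
    second_use_ok = registry.retrieve("TGT-active") is not None

    clock.advance(25 * 60)                      # t=55 min: 25 min of silence
    third_use_ok = registry.retrieve("TGT-active") is not None   # expired on retrieval
    lazily_expired = sorted(registry._tickets)  # heartbeat ticket expired but not yet swept
    final_swept = registry.clean()

    return {
        "first_use_ok": first_use_ok,
        "swept": swept,
        "second_use_ok": second_use_ok,
        "third_use_ok": third_use_ok,
        "lazily_expired": lazily_expired,
        "final_swept": final_swept,
    }


if __name__ == "__main__":
    print(run_scenario())
```

The scenario makes the lazy nature of expiration visible: `TGT-heartbeat` stops being renewed at t=15 min and is expired by t=55 min, yet it still sits in the registry until `clean()` runs, which is exactly why both the retrieval check and the cleaner are needed.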
