I believe we should not argue
'should logging out of one particular application
logged you out of everything', because it depends on
the usage; this should be an event-driven thing.

What about the following? This is just an idea only; I
don't know at this stage the practicality of doing this.

* logging out of one particular application triggers
an event to the other applications that the user has already
logged in to via CAS/SSO, saying that application A logged out,
so that we are giving an option: if it wants, based on that
trigger the receiving application can log out or ignore the
event.

e.g.

uPortal has several other applications (WebCT, library
etc.) running with SSO. That is, a uPortal channel/portlet
has a link to WebCT, and when you click that link it opens
WebCT in that browser instance, with no need to enter
credentials as it is SSO enabled. Other applications
like library are also running in the same fashion.

Here uPortal functions as the single entry point. If
the user clicks the uPortal logout and if we can
trigger an event to all the other applications (e.g.
WebCT), the application can decide that if the source
of the event is uPortal they should log out.

Similarly, if the user presses the WebCT logout, even though
that event gets broadcast to the library application, the
library application or even uPortal should not log out.


Difficulties

* If the third-party application is non-Java but we
enable SSO via e.g. mod_cas or mod_perl, how to handle
the logout events etc.

* Handling the logout button functionality
(programming part) conditionally when direct/SSO
requests come to the NONE application and thereafter
handling the events if needed


Let me know your thoughts on this.

Thanks

--- Scott Battaglia <[EMAIL PROTECTED]> wrote:

> CAS 3 does not currently support single sign out.  CAS 3.1 will support
> single sign out.  Though, I'm not sure if we would support the scenario
> where logging out of one particular application logged you out of everything
> (or even notified other applications).
>
> Our initial scenario would probably be if your CAS session timed out or you
> explicitly logged out of CAS it would notify all applications from that CAS
> session.
>
> But again, we haven't finalized everything yet so we are interested in
> feedback.
>
> -Scott
>
> On 3/6/07, Stephen Lynn <[EMAIL PROTECTED]> wrote:
> >
> >  So if I'm understanding you correctly, CAS does not support the notion of
> > a cross-site logout?  Meaning that if I have used CAS to login to sites A
> > and B and I hit a logout button on site A, site B will have no way of
> > knowing (via some CAS mechanism) that I logged out.
> >
> >
> >
> > Does that make sense?  We're not only looking for a single sign on but
> > also a single sign out as well.
> >
> >
> >
> > Stephen
> >
> >
> >  ------------------------------
> >
> > *From:* [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] *On
> > Behalf Of *Scott Battaglia
> > *Sent:* Thursday, March 01, 2007 4:15 PM
> > *To:* Yale CAS mailing list
> > *Subject:* Re: sso authentication process
> >
> >
> >
> > Stephen,
> >
> > A site does not need to use gateway=true.  You use gateway=true if you're
> > merely interested in knowing if a SSO on session exists.  If you want to
> > start a session if one does not exist, you would leave off the gateway=true.
> >
> >
> > CAS currently does not maintain state of what applications have used CAS
> > to log in (they are all responsible for their own sessions).  Each
> > application's session is independent of all other application's sessions.
> > Thus, no one needs to check in with CAS.
> >
> > -Scott
> >
> > On 2/28/07, *Stephen Lynn* <[EMAIL PROTECTED]> wrote:
> >
> > I'm fairly new to CAS so this may be a dumb question but it's a question
> > I'm having anyway.  We are working on setting things up to enable SSO for
> > our University's websites.  I'm curious what the recommended approach to
> > this is.
> >
> >
> >
> > As I understand it, a site that wants to use SSO needs to redirect the
> > browser to CAS passing it the gateway=true parameter so CAS can determine if
> > the browser has a current session and then return a session ticket to the
> > requesting site if the person is logged in.  Using this model, it appears
> > that a site will need to redirect every page request to CAS so the site will
> > be aware of any logins/logouts on other sites using CAS and act
> > appropriately.  That seems like a lot of overhead and could be very
> > problematic for things like form submissions.
> >
> >
> >
> > Is this the recommended approach for SSO and keeping individual site
> > sessions in sync with the browser's CAS session?  Am I missing something?
> >
> > Stephen Lynn
> >
> >
> >
> >
> > _______________________________________________
> > Yale CAS mailing list
> > [email protected]
> > http://tp.its.yale.edu/mailman/listinfo/cas
> 
> 
> -- 
> -Scott Battaglia
> 
> LinkedIn: http://www.linkedin.com/in/scottbattaglia
> 
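
The event-driven logout idea proposed at the top of this message, sketched as an added example (it is not from the thread and is not CAS code). The `Hub` and `App` classes, the `honour_sources` policy and the shared HMAC key are assumptions made for illustration; the signature check is there because a receiving application that acts on logout events has to know they came from the SSO side.

```python
import hashlib
import hmac
import json

SHARED_KEY = b"constructed-demo-key"  # assumption: secret shared by hub and apps

def sign_event(source, user, key=SHARED_KEY):
    """Serialize a logout event and return (body, hex MAC)."""
    body = json.dumps({"source": source, "user": user}, sort_keys=True).encode()
    return body, hmac.new(key, body, hashlib.sha256).hexdigest()

class App:
    def __init__(self, name, honour_sources=()):
        self.name = name
        self.honour_sources = set(honour_sources)  # whose logout ends our session
        self.sessions = set()                      # users with a local session

    def on_logout_event(self, body, mac, key=SHARED_KEY):
        # Reject events not signed by the hub, so a forged notification
        # cannot be used to end other users' sessions.
        expected = hmac.new(key, body, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, mac):
            return "rejected"
        event = json.loads(body)
        if event["source"] not in self.honour_sources:
            return "ignored"
        self.sessions.discard(event["user"])
        return "logged_out"

class Hub:
    """Hypothetical broadcaster standing in for the SSO server."""
    def __init__(self, apps):
        self.apps = {app.name: app for app in apps}

    def logout(self, source, user):
        self.apps[source].sessions.discard(user)   # local logout at the source
        body, mac = sign_event(source, user)
        return {name: app.on_logout_event(body, mac)
                for name, app in self.apps.items() if name != source}

def demo():
    portal = App("uPortal")                        # ignores everyone else's logout
    webct = App("WebCT", honour_sources=["uPortal"])
    library = App("library", honour_sources=["uPortal"])
    hub = Hub([portal, webct, library])
    for app in hub.apps.values():
        app.sessions.add("alice")                  # constructed sample user
    after_webct = hub.logout("WebCT", "alice")
    still_in = sorted(n for n, a in hub.apps.items() if "alice" in a.sessions)
    after_portal = hub.logout("uPortal", "alice")
    return after_webct, still_in, after_portal
```
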



 