--On 06 March 2007 15:43 -0500 Scott Battaglia <[EMAIL PROTECTED]> wrote:

> CAS 3 does not currently support single sign out. CAS 3.1 will support
> single sign out. Though, I'm not sure if we would support the scenario where
> logging out of one particular application logged you out of everything (or
> even notified other applications).

If an application participates in CAS single sign on (i.e. doesn't pass the renew=true parameter) then an application-local logout without an associated CAS logout can be quite confusing to users. Clicking login on the application simply does single sign on and logs you back in without asking for your password. "What was the point of logging out?" ask our users. Developers know that resources have been released, work committed etc., but users don't see any of that.

We've not been very effective in educating our users about the distinct nature of CAS sessions and application sessions. I'm sure some users know they are distinct, others think they are the same and others think they are both distinct and the same simultaneously. The situation is not helped by some client applications redirecting to the CAS logout page and others always using renew=true, so the user can get quite misleading messages.

I'm groping towards what I want out of Single Sign Out and I suppose I hope to be able to use three distinct types of logout:

i) application local logout: equivalent to session.invalidate()
ii) CAS logout: TGT invalidation - exactly as now
iii) Single Sign Out: all client applications contacted with logout instruction

Ordinarily, I would expect an application's logout action to combine i) and ii), invalidating the local session and then redirecting to CAS logout. Any definite, user-driven decision to log out of any application seems to me a good time to invalidate the TGT. This would mean that users logging out of an application wouldn't be able to get back in without offering their password.

I would hope that the CAS logout page could list the client applications that CAS believes are still logged in and offer a 'Single Sign Out' link. I would further hope that the list of applications wasn't tied to the TGT just expired, but that it could persist and grow across the lifetimes of several TGTs. I'm guessing this would not be very straightforward to implement, but I don't know the CAS 3 code-base at all.

I'm very hopeful that CAS 3.1 will offer me at least a good starting point for implementing single sign out and reducing our users' confusion.

Dave

----------------------
David Spencer
Information Systems and Computing
University of Bristol

_______________________________________________
Yale CAS mailing list
[email protected]
http://tp.its.yale.edu/mailman/listinfo/cas
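The three logout types Dave lists, and the "why did logout do nothing?" effect he describes, can be seen in a small model of CAS sessions versus application sessions. The Python below is an added illustration written for this page, not CAS code and not anything Dave or the CAS project posted: the class names, the CASTGC cookie handling, the back-channel `receive_logout` call and the service URLs are all assumptions of the model, chosen to mirror the ticket-granting-ticket / service-ticket flow the post refers to. It shows that a local logout alone leaves the TGT alive (so the next click on "login" is silent SSO), that combining local logout with CAS logout forces a password prompt, that a renew=true application never gets silent SSO, and what single sign out adds: the CAS side remembers which services it issued tickets to under a TGT and tells each of them to drop the user's session.

```python
"""Toy model of CAS sessions vs. application sessions and the three logout
types (local, CAS, single sign out). Constructed example, not CAS code."""
import secrets

USERS = {"dave": "correct horse"}  # constructed credential store


class Browser:
    """Carries the cookies a real browser would hold for CAS and each app."""
    def __init__(self):
        self.cookies = {}


class CasServer:
    def __init__(self):
        self.tgts = {}       # TGT id -> username (the CAS session)
        self.services = {}   # TGT id -> services that received a ticket under it
        self.tickets = {}    # service ticket id -> (username, service, TGT id)

    def primary_login(self, browser, username, password):
        """Password login: mint a TGT and hand it back in the CASTGC cookie."""
        if USERS.get(username) != password:
            raise PermissionError("bad credentials")
        tgt = "TGT-" + secrets.token_hex(8)
        self.tgts[tgt] = username
        self.services[tgt] = set()
        browser.cookies["CASTGC"] = tgt
        return tgt

    def issue_service_ticket(self, browser, service, renew):
        """Return a service ticket if SSO applies, else None (password needed)."""
        tgt = browser.cookies.get("CASTGC")
        if renew or tgt not in self.tgts:
            return None
        st = "ST-" + secrets.token_hex(8)
        self.tickets[st] = (self.tgts[tgt], service, tgt)
        self.services[tgt].add(service)   # remembered for single sign out
        return st

    def validate(self, st, service):
        """Service ticket validation: one-time use and bound to one service."""
        entry = self.tickets.pop(st, None)
        if entry is None or entry[1] != service:
            return None
        return entry[0]

    def logout(self, browser):
        """Type ii: invalidate the TGT only; application sessions survive."""
        tgt = browser.cookies.pop("CASTGC", None)
        username = self.tgts.pop(tgt, None)
        return username, self.services.pop(tgt, set())

    def single_sign_out(self, browser, apps):
        """Type iii: invalidate the TGT, then tell every app that got a ticket
        under it to drop the user's session (assumed back-channel call)."""
        username, services = self.logout(browser)
        return sorted(s for s in services if apps[s].receive_logout(username))


class ClientApp:
    def __init__(self, url, cas, renew=False):
        self.url, self.cas, self.renew = url, cas, renew
        self.sessions = {}   # session id -> username (the application session)

    def login(self, browser):
        """Clicking 'login' redirects to CAS; with renew=False a live TGT
        signs the user straight back in without a password prompt."""
        st = self.cas.issue_service_ticket(browser, self.url, self.renew)
        user = self.cas.validate(st, self.url) if st else None
        if user is None:
            return "PASSWORD_REQUIRED"
        sid = "SID-" + secrets.token_hex(8)
        self.sessions[sid] = user
        browser.cookies[self.url] = sid
        return "SSO"

    def current_user(self, browser):
        return self.sessions.get(browser.cookies.get(self.url))

    def local_logout(self, browser):
        """Type i: the equivalent of session.invalidate(); TGT untouched."""
        self.sessions.pop(browser.cookies.pop(self.url, None), None)

    def logout(self, browser):
        """The combination the post argues for: i) then ii)."""
        self.local_logout(browser)
        self.cas.logout(browser)

    def receive_logout(self, username):
        """Back-channel logout: drop every session held for this user."""
        before = len(self.sessions)
        self.sessions = {s: u for s, u in self.sessions.items() if u != username}
        return len(self.sessions) < before


def local_logout_confusion():
    """Local logout only, then click login: SSO signs the user back in."""
    cas, browser = CasServer(), Browser()
    app = ClientApp("https://app-a.example", cas)
    cas.primary_login(browser, "dave", "correct horse")
    app.login(browser)
    app.local_logout(browser)
    return app.login(browser)  # "SSO": no password asked


def combined_logout():
    """Local logout plus CAS logout: the next login needs a password."""
    cas, browser = CasServer(), Browser()
    app = ClientApp("https://app-a.example", cas)
    cas.primary_login(browser, "dave", "correct horse")
    app.login(browser)
    app.logout(browser)
    return app.login(browser)  # "PASSWORD_REQUIRED"


def single_sign_out_demo():
    """SSO into two apps, then single sign out: both app sessions are gone."""
    cas, browser = CasServer(), Browser()
    urls = ("https://app-a.example", "https://app-b.example")
    apps = {u: ClientApp(u, cas) for u in urls}
    cas.primary_login(browser, "dave", "correct horse")
    for app in apps.values():
        app.login(browser)
    notified = cas.single_sign_out(browser, apps)
    still_logged_in = [u for u, a in apps.items() if a.current_user(browser)]
    return notified, still_logged_in
```

The model ties the set of services to a single TGT, which is exactly the limitation the post hopes CAS 3.1 would go beyond; keeping that set keyed by username instead of TGT id is the one change needed for the list to persist across several TGTs.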
