Scott Battaglia wrote:
CAS 3 does not currently support single sign out. CAS 3.1 will support single sign out. Though, I'm not sure if we would support the scenario where logging out of one particular application logged you out of everything (or even notified other applications).

Our initial scenario would probably be if your CAS session timed out or you explicitly logged out of CAS it would notify all applications from that CAS session.

But again, we haven't finalized everything yet so we are interested in feedback.
I am curious about what you're thinking about how this would be implemented. The suggestion that CAS could send a message to a message queue would seem to work, but every application that wanted to participate in single signout would have to implement a message queue listener. I've played around a bit with Apache ActiveMQ and that would seem to work.

I suppose another option would be to provide a "signout action url" that would get registered in CAS when an application calls the CAS login action.



-Scott

On 3/6/07, *Stephen Lynn* wrote:

    So if I'm understanding you correctly, CAS does not support the
    notion of a cross-site logout?  Meaning that if I have used CAS to
    login to sites A and B and I hit a logout button on site A, site B
    will have no way of knowing (via some CAS mechanism) that I logged
    out.

    Does that make sense?  We're not only looking for a single sign on
    but also a single sign out as well.

    Stephen

    ------------------------------------------------------------------------

    *From:* [EMAIL PROTECTED] *On Behalf Of* Scott Battaglia
    *Sent:* Thursday, March 01, 2007 4:15 PM
    *To:* Yale CAS mailing list
    *Subject:* Re: sso authentication process

    Stephen,

    A site does not need to use gateway=true.  You use gateway=true if
    you're merely interested in knowing if a SSO on session exists.  If
    you want to start a session if one does not exist, you would
    leave off the gateway=true.

    CAS currently does not maintain state of what applications have
    used CAS to log in (they are all responsible for their own
    sessions).  Each application's session is independent of all other
    application's sessions.  Thus, no one needs to check in with CAS.

    -Scott

    On 2/28/07, *Stephen Lynn* wrote:

    I'm fairly new to CAS so this may be a dumb question but it's a
    question I'm having anyway.  We are working on setting things up
    to enable SSO for our University's websites.  I'm curious what the
    recommended approach to this is.
    As I understand it, a site that wants to use SSO needs to redirect
    the browser to CAS passing it the gateway=true parameter so CAS
    can determine if the browser has a current session and then return
    a session ticket to the requesting site if the person is logged
    in.  Using this model, it appears that a site will need to
    redirect every page request to CAS so the site will be aware of
    any logins/logouts on other sites using CAS and act
    appropriately.  That seems like a lot of overhead and could be
    very problematic for things like form submissions.

    Is this the recommended approach for SSO and keeping individual
    site sessions in sync with the browser's CAS session?  Am I
    missing something?

    Stephen Lynn


    _______________________________________________
    Yale CAS mailing list
    [email protected] <mailto:[email protected]>
    http://tp.its.yale.edu/mailman/listinfo/cas






--
-Scott Battaglia

LinkedIn: http://www.linkedin.com/in/scottbattaglia
------------------------------------------------------------------------
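The "signout action url" idea discussed in this thread, sketched as an added example (not code from CAS or from anyone in the thread): the server remembers each application's sign-out URL per CAS session and notifies all of them on explicit logout or timeout. The class, method names, session ids and URLs are hypothetical, and `notify` stands in for whatever delivery (an HTTP callback, a queue message) a real deployment would use.

```python
import time

class SignoutRegistry:
    """CAS-side map (hypothetical): CAS session id -> sign-out URLs of apps using it."""

    def __init__(self, ttl, notify, clock=time.monotonic):
        self.ttl = ttl          # seconds of inactivity before the CAS session times out
        self.notify = notify    # callable(url, session_id); assumption: delivery is pluggable
        self.clock = clock
        self.sessions = {}      # session_id -> {"urls": set, "last_seen": float}

    def login(self, session_id, signout_url):
        """An application sent the browser through CAS login and registered its URL."""
        entry = self.sessions.setdefault(session_id, {"urls": set()})
        entry["urls"].add(signout_url)      # a set, so repeat logins register once
        entry["last_seen"] = self.clock()

    def logout(self, session_id):
        """End the CAS session and notify every application that used it."""
        entry = self.sessions.pop(session_id, None)
        notified = []
        for url in sorted(entry["urls"]) if entry else []:
            try:
                self.notify(url, session_id)
                notified.append(url)
            except Exception:
                continue                    # one unreachable app must not block the rest
        return notified

    def expire(self):
        """Timeout path: idle sessions are ended exactly like an explicit logout."""
        now = self.clock()
        idle = [s for s, e in self.sessions.items() if now - e["last_seen"] >= self.ttl]
        return {s: self.logout(s) for s in idle}

def demo():
    """Constructed sample: two CAS sessions, applications A and B."""
    now, sent = [0.0], []
    reg = SignoutRegistry(600, lambda url, sid: sent.append((url, sid)), clock=lambda: now[0])
    reg.login("cas-1", "https://a.example.edu/signout")
    reg.login("cas-1", "https://b.example.edu/signout")
    reg.login("cas-2", "https://a.example.edu/signout")
    explicit = reg.logout("cas-1")          # user logs out of CAS itself
    now[0] = 601.0
    timed_out = reg.expire()                # cas-2 has been idle past the TTL
    return explicit, timed_out, sent

if __name__ == "__main__":
    print(demo())
```

Each application still owns its local session, so its handler for the notification has to look up and invalidate the local session tied to that CAS session id.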

