I'm relatively new to CAS, so please forgive me if this is common knowledge - I've searched, but not found any real clear direction.
We are using CAS with multiple CAS-integrated applications. I recognize that CAS is currently a single-sign-on system, but not technically a single-sign-out system. Currently, when a user logs out of any one integrated application, it performs the logout process for that application, then redirects to CAS and ends the CAS session. This is causing some problems, in particular because some of our apps communicate with others.

In one example, an AJAX 'dashboard' component in SystemA queries SystemB (based on the user's identity from the CAS session) and displays summary information from SystemB (for the user) in SystemA. If the user visits SystemB directly, however, then hits 'logout', SystemA can no longer query SystemB, thus breaking the dashboard.

In another example, a centralized search system indexes content from each of the applications, and at results rendering time, performs authorization on results from each system based on the user's CAS-identified identity (to determine whether the user has privs to see the potential search hit or not). If a user was previously authenticated to CAS and SystemX, but has subsequently logged out, the search component then requires them to log back into CAS, even though they've never left the search application.

It seems to me, as someone relatively new to this process, that ideally, upon application logout, CAS would examine whether or not the user still has an active session in any 'registered' applications (perhaps through examination of a browser cookie?). If the user is logging out of the last active application session, then the CAS session would be terminated; but if there were any other 'registered' application sessions still active, then the CAS logout would not occur (just the logout of the app from which the user hit the 'logout' link).
I don't want to tread on any sacred CAS/security ground on this, so am appealing to those more in the know to let me know if this is mere sacrilege, true security risk or perhaps even an impossibility. Thanks!

_______________________________________________
Yale CAS mailing list
[email protected]
http://tp.its.yale.edu/mailman/listinfo/cas
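The logout behaviour the post asks for, modelled as an added example (not code from the post, from CAS, or from any of the systems named). It is a toy, in-memory registry with hypothetical names (`SessionRegistry`, `tgt-1`, SystemA/SystemB); it assumes the record of which applications still depend on a CAS session is kept on the CAS server side rather than in a browser cookie, since a cookie is under the control of whoever holds the browser and could be edited to keep a session alive. The `end_cas_on_any_logout` switch replays the behaviour the post describes today next to the proposed reference-counted behaviour.

```python
"""Toy model of CAS session lifetime versus per-application sessions.

Added example, not part of the original mailing-list post. All names are
hypothetical. Assumption: the registry lives on the CAS server, not in a
client-side cookie.
"""
from dataclasses import dataclass, field


@dataclass
class CasSession:
    user: str
    active_apps: set = field(default_factory=set)


class SessionRegistry:
    def __init__(self, end_cas_on_any_logout: bool = False):
        # True  -> today's behaviour: any app logout also ends the CAS session
        # False -> proposed behaviour: CAS session ends only with the last app
        self.end_cas_on_any_logout = end_cas_on_any_logout
        self._sessions: dict[str, CasSession] = {}  # cas_session_id -> session

    def cas_login(self, cas_session_id: str, user: str) -> None:
        self._sessions[cas_session_id] = CasSession(user=user)

    def app_login(self, cas_session_id: str, app: str) -> None:
        """An app validated a ticket under this CAS session; register it."""
        session = self._sessions.get(cas_session_id)
        if session is None:
            raise KeyError("no active CAS session; user must re-authenticate")
        session.active_apps.add(app)

    def app_logout(self, cas_session_id: str, app: str) -> bool:
        """Log the user out of one app. Returns True if the CAS session ended too."""
        session = self._sessions.get(cas_session_id)
        if session is None:
            return False  # already gone; logout is idempotent
        session.active_apps.discard(app)  # unknown app is a no-op
        if self.end_cas_on_any_logout or not session.active_apps:
            del self._sessions[cas_session_id]
            return True
        return False

    def is_authenticated(self, cas_session_id: str) -> bool:
        return cas_session_id in self._sessions

    def active_apps(self, cas_session_id: str) -> frozenset:
        session = self._sessions.get(cas_session_id)
        return frozenset() if session is None else frozenset(session.active_apps)


def dashboard_scenario(end_cas_on_any_logout: bool) -> tuple:
    """Replays the post's first example: the user holds sessions in SystemA
    and SystemB, then logs out of SystemB directly.

    Returns (cas_ended_by_systemb_logout,
             cas_still_valid_for_systema,
             cas_ended_by_systema_logout,
             cas_valid_after_both_logouts)."""
    reg = SessionRegistry(end_cas_on_any_logout)
    reg.cas_login("tgt-1", "alice")            # constructed sample session id
    reg.app_login("tgt-1", "SystemA")
    reg.app_login("tgt-1", "SystemB")
    ended_b = reg.app_logout("tgt-1", "SystemB")
    a_still_ok = reg.is_authenticated("tgt-1")  # can SystemA's dashboard still query?
    ended_a = reg.app_logout("tgt-1", "SystemA")
    return ended_b, a_still_ok, ended_a, reg.is_authenticated("tgt-1")


if __name__ == "__main__":
    print("current :", dashboard_scenario(end_cas_on_any_logout=True))
    print("proposed:", dashboard_scenario(end_cas_on_any_logout=False))
```

With the proposed behaviour the SystemB logout leaves the CAS session alive for SystemA and the search component, and the CAS session ends only when SystemA, the last registered app, logs out. The same registry also shows why a server-side store is preferable to a cookie check: the decision to keep the session alive is made from state the user cannot edit.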
