Hi Jared, Google Apps is missing SAML Single Sign Out support, which is what you are asking for. With browser security, it's not possible to programmatically get or set the cookies for another domain, which is why you would need to redirect to the Sign out URL.
Here's an approach which occurs to me that might address the problem you are describing. It's kludgy.

1. Modify your SAMLResponse form to have two buttons, "Go to Email" or "Exit Email".
2. Modify the Sign out URL in SSO settings to point to the URL in step 1.
3. Instead of linking to the normal email URL from the portal, link to the Sign out URL.

When a user clicks on the email link in the portal, they open a window to the Sign out URL. This clears the session cookies and then forwards (because of step 2) to the URL in step 1. Then if the user clicks on the "Go to Email" button, they are redirected to Google Apps and a new session is started. If the user clicks on the "Exit Email" button, they do not go to Google Apps, so no new session is started (and optionally the window is closed).

Another use case is if a user clicks on the Sign out link in Gmail. This also redirects them to the URL in step 1. In this case they see the same buttons as when they are signing in, but would probably click on "Exit Email".

The key is that you never link directly to the normal email URL in your portal but always link to the Sign out URL. It's not foolproof, but it reduces the occurrences of the common use case that you described.

In addition to this, as a general practice you could advise users to close the browser. Or maybe there are browser tweaks or plug-ins for making it more secure in a multi-user environment.

I'm hoping some other admins can chime in with other approaches to solving this problem. Thanks for bringing it to light.

-alex

On Jan 18, 5:49 am, JWise1203 <[EMAIL PROTECTED]> wrote:
> Would there be any way to do this programmatically? We would like to
> remove any Google session objects before we refer them to
> http://mail.google.com/a/domain.com
>
> This way, we can ensure that even if the student does not log out of
> their Google mail and/or our Student Portal properly (therefore never
> being sent to: http://mail.google.com/a/domain.com/?logout), we will
> be securing privacy by removing session cookies automatically each
> time before SSO redirect.
>
> This is a huge issue for us as we have many open computer areas which
> are shared by many students who may not close all browser windows
> after they have finished their work.
>
> On Jan 17, 6:48 pm, "Alex (Google)" <[EMAIL PROTECTED]> wrote:
> >
> > Hi Jared,
> >
> > There is a session cookie which is cleared if Student A clicks "Sign
> > out". If Student A does not click "Sign out", the session will be
> > resumed when the browser goes to http://mail.google.com/a/domain.com
> > again. Closing the browser window is not enough to clear the cookie.
> > The "Sign out" link looks like:
> >
> > http://mail.google.com/a/domain.com/?logout
> >
> > What some admins have done is to forward the user to that URL as part
> > of their own log off process.
> >
> > -alex
> >
> > On Jan 16, 4:13 pm, JWise1203 <[EMAIL PROTECTED]> wrote:
> > >
> > > We have the following situation:
> > >
> > > 1. Student A logs into Google mail via .NET SSO API from our student
> > > portal.
> > > 2. Student A reads their mail from a (window.open()) page.
> > > 3. Student A closes the Google mail window once finished (without
> > > clicking the "sign out" link).
> > > 4. Student A logs off the student portal (original referring page),
> > > but does not close the browser.
> > > 5. Student A leaves.
> > > 6. Student B (new) logs into the student portal using the same browser
> > > and their portal student information shows correctly.
> > > 7. Student B logs into Google mail (window.open()) and (wait for
> > > it) . . . they receive Student A's email account.
> > >
> > > It looks like the "session" is not closing on the API request.
> > > Meaning, if Student A was successful in logging into the Google Mail
> > > service, then when Student B logs in, it is still authenticated and
> > > uses A's credentials. NOTE: When the student clicks "Sign Out", the
> > > page does load the next student's account login correctly, as
> > > expected.
> > >
> > > Thoughts?
> > >
> > > -Jared

You received this message because you are subscribed to the Google Groups "Google Apps APIs" group.
For more options, visit this group at http://groups.google.com/group/google-apps-apis?hl=en
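Alex's three-step "sign-out first" flow, as an added JavaScript example that is not code from the thread or from Google. It assumes a Node-style request handler, a hypothetical `issueSamlResponse` callback standing in for the portal's own SAML signing code, and a placeholder ACS URL, since the thread only gives the domain.com sign-out URL.

```javascript
'use strict';
// Added example, not from the thread: a "sign-out first" portal flow.
// The portal's mail link never points at the mailbox; it goes through Google's
// sign-out URL, and Google's SSO "Sign out URL" setting sends the browser back
// to /sso/choose, which offers "Go to Email" / "Exit Email".

// Sign-out URL quoted in the thread (domain.com is the thread's placeholder).
const GOOGLE_SIGNOUT_URL = 'http://mail.google.com/a/domain.com/?logout';
// ASSUMPTION: the SAML assertion consumer URL is not given in the thread.
const GOOGLE_ACS_URL = 'https://example.invalid/saml/acs'; // placeholder

function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Step 1: the SAMLResponse form shows two buttons instead of auto-submitting.
function renderSamlChoicePage(samlResponseB64) {
  return [
    '<!doctype html><html><body>',
    `<form method="post" action="${escapeHtml(GOOGLE_ACS_URL)}">`,
    `<input type="hidden" name="SAMLResponse" value="${escapeHtml(samlResponseB64)}">`,
    '<button type="submit">Go to Email</button>',
    // "Exit Email" never submits the form, so no Google session is created.
    '<button type="button" onclick="window.close()">Exit Email</button>',
    '</form></body></html>',
  ].join('\n');
}

// Minimal router: path and portal session in, {status, headers, body} out.
// issueSamlResponse(user) is a hypothetical callback standing in for the
// portal's real SAML code; it must mint a fresh, signed response each time.
function handlePortalRequest(path, session, issueSamlResponse) {
  if (path === '/portal/mail') {
    // Step 3: the email link always goes to the sign-out URL first.
    return { status: 302, headers: { Location: GOOGLE_SIGNOUT_URL }, body: '' };
  }
  if (path === '/sso/choose') {
    // Step 2: Google's Sign out URL setting points here.
    // No portal session (student logged off the portal) means no SAML response.
    if (!session || !session.user) {
      return { status: 403, headers: {}, body: 'Not signed in to the portal.' };
    }
    const page = renderSamlChoicePage(issueSamlResponse(session.user));
    return { status: 200, headers: { 'Content-Type': 'text/html' }, body: page };
  }
  return { status: 404, headers: {}, body: '' };
}
```

Because the mailbox is only ever reached through the sign-out redirect, a leftover cookie from Student A is cleared before Student B's SAML response is posted.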
