silent login use-case
Renaud Bruyeron
bruyeron at fullsix.com
Thu Jul 6 04:58:17 EDT 2006
Hello,
I am looking for solutions to a fairly typical scenario (imho) when
dealing with SSO.
Let's assume I have 2 webapps A and B that are part of the same SSO
domain. My problem looks like this:
1) user goes on webapp A and surfs anonymously
2) user jumps to webapp B, and then logs in on CAS
3) user goes back to webapp A - the session is still valid there, and
the user is anonymous again!
Internally I termed this scenario the "silent login use-case": from
webapp A's point of view, the user silently logged into the SSO domain,
and webapp A has no way of knowing this.
How would you approach this problem?
I see several solutions, all with their own limitations:
* use renew=true for every request: prohibitive
* perform a gateway round-trip with CAS when we have a sessionCreated()
event: this deals with the simplified use-case where the user does not
first go to webapp A, but it does not solve the complete use-case
* if A and B are on the same domain (*.mydomain.net), use a CAS-managed
session cookie on .mydomain.net that contains a hash of the identity.
This way webapp A can listen for changes to this cookie and trigger a
gateway round-trip. This solves the problem completely, but it does not
work if the SSO domain spans multiple DNS domains.
* modify CAS to keep track of all sessions on all webapps (by doing a
gateway roundtrip on sessionCreated() events) for each user, and invoke
a logout url for all active sessions when there is successful login.
This could work but it does feel a bit hackish.
What do you think?
- Renaud
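The third option above (a CAS-managed cookie on the shared parent domain
holding a keyed hash of the identity, with each webapp comparing it against
the value it last saw and triggering a gateway round-trip on change), as an
added example that is not part of the original message and is not code from
CAS or any CAS client library. It simulates the HTTP flow in plain Python
instead of a servlet filter; the CAS server URL, the cookie name, the shared
secret and all function names are assumptions made for illustration.

```python
"""
Simulation of the "identity-hash cookie" idea from the post. CAS is assumed
to set a cookie on .mydomain.net whose value is a keyed hash of the logged-in
identity (and to clear it on SSO logout). Each webapp keeps, in its own local
session, the cookie value it last acted on; when the cookie changes it sends
the browser on a CAS gateway round-trip to learn who the user is now.
All names and URLs below are assumptions, not CAS's real API.
"""
import hashlib
import hmac
from urllib.parse import urlencode

CAS_LOGIN = "https://cas.mydomain.net/cas/login"  # assumed CAS server URL
IDENTITY_COOKIE = "CAS_IDHASH"                    # assumed cookie name
SERVER_SECRET = b"assumed-shared-secret"          # assumed; keyed so the value is not guessable


def identity_hash(username):
    """Value CAS would put in the domain cookie: a keyed hash, never the raw identity."""
    return hmac.new(SERVER_SECRET, username.encode(), hashlib.sha256).hexdigest()


def gateway_url(service):
    """CAS login URL in gateway mode: CAS bounces straight back to `service`,
    with a ticket if an SSO session exists and without one otherwise,
    never prompting the user for credentials."""
    return CAS_LOGIN + "?" + urlencode({"service": service, "gateway": "true"})


def handle_request(session, cookies, service):
    """
    session: this webapp's local HTTP session (a mutable dict).
    cookies: the cookies the browser sent with this request.
    Returns ("redirect", url) when a gateway round-trip is needed, otherwise
    ("serve", principal) where principal is None for an anonymous user.
    """
    seen = session.get("idhash_seen")
    current = cookies.get(IDENTITY_COOKIE)
    if current == seen:
        return ("serve", session.get("principal"))
    # The SSO-domain identity changed since we last looked. Record the new
    # value BEFORE redirecting so the callback request does not redirect again.
    session["idhash_seen"] = current
    if current is None:
        # cookie gone: SSO logout happened elsewhere, drop our local principal
        session.pop("principal", None)
        return ("serve", None)
    return ("redirect", gateway_url(service))


def on_cas_callback(session, validated_principal):
    """Called after CAS redirected back with a ticket that the webapp has
    validated with the CAS server (ticket validation itself is not modelled)."""
    session["principal"] = validated_principal


def walkthrough(service="https://a.mydomain.net/"):
    """The three steps from the post, plus an SSO logout, seen from webapp A."""
    session_a, browser_cookies = {}, {}
    steps = []
    steps.append(handle_request(session_a, browser_cookies, service))  # 1: anonymous on A
    browser_cookies[IDENTITY_COOKIE] = identity_hash("alice")          # 2: login on B, CAS sets cookie
    action, target = handle_request(session_a, browser_cookies, service)  # 3: back on A
    steps.append((action, target))
    if action == "redirect":
        on_cas_callback(session_a, "alice")                            # CAS came back with a ticket
    steps.append(handle_request(session_a, browser_cookies, service))  # A now knows alice
    del browser_cookies[IDENTITY_COOKIE]                               # SSO logout clears the cookie
    steps.append(handle_request(session_a, browser_cookies, service))  # A is anonymous again
    return steps
```

The cookie value is only a change detector: webapp A never trusts it as the
identity, it still validates the service ticket CAS returns from the gateway
round-trip. Recording the new cookie value before redirecting is what keeps
the callback request from redirecting a second time. As the post notes, this
only works while every webapp can read a cookie on one shared parent domain.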