SSO Inactivity Timeout
Jason Shao
jayshao at rutgers.edu
Fri Nov 3 16:02:07 EST 2006
Scott Battaglia wrote:
> Nick,
>
> Ticket expiration is not only checked when it's retrieved. You can check
> ticket expiration at any time. One time is obviously when someone
> retrieves the ticket to use it. The other scenario is when a
> RegistryCleaner goes through and cleans up expired tickets. So if your
> expiration policy says a ticket has to have been used within the last
> 20 minutes and it hadn't it will be cleaned up when either (a)
> someone attempts to use it or (b) when the cleaner runs through the
> registry.
>
> -Scott
Nick,
The key here seems to be that you want inactivity on the client computer
(e.g. a user walking away from their workstation) to trigger ticket
expiration. At the same time, if a user was at their workstation (in
Word or something else) you DON'T want to expire their ticket early.
So what you seem to need is a way to monitor workstation activity and
pass that on to the CAS server. There doesn't appear to be a real way
to do that only on the server. In general, it seems like you could:
1. Trigger a message which gets sent to the CAS server when a
workstation becomes inactive (e.g. when the screen saver fires, you also
kill the SSO session)
2. Provide a "heartbeat" where as long as a user is active on their
workstation, a session with a short inactivity timeout is renewed. If
the heartbeat signal isn't received then CAS expires the TGT based on
inactivity.
3. Have a very short activity timeout, combined with transparent
re-authentication via SPNEGO or x.509 certificates or some other
non-interactive login. That way, even if the TGT expires, users don't
have to reenter passwords and have a seamless experience. Not sure of the
implications of this if you use lots of proxy tickets.
Both of these cases seem like they would require custom software on the
workstation (unless you have an existing Windows or security suite that
provides appropriate hooks).
Jason
--
Jason Shao
Application Developer, Architecture & Engineering Team
Rutgers University - Enterprise Systems & Services
v. 732-445-2869 | f. 732-445-5493 | jayshao at rutgers.edu
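An added illustration, not code from this thread or from CAS itself: a small Python model of the inactivity-based expiration Scott describes (checked on retrieval and by a registry cleaner) together with the workstation "heartbeat" renewal from option 2. Class and method names are assumed for the model and are not CAS's own API.

```python
# Added model (not CAS code) of TGT inactivity expiration: a ticket is "used"
# by a retrieval or a workstation heartbeat, and an idle ticket is expired
# either on the next retrieval attempt or by a periodic registry cleaner.
from dataclasses import dataclass

INACTIVITY_TIMEOUT = 20 * 60  # seconds: "used within the last 20 minutes"


@dataclass
class Ticket:
    ticket_id: str
    last_used_at: float  # seconds; any monotonic clock works


class InactivityExpirationPolicy:
    def __init__(self, timeout=INACTIVITY_TIMEOUT):
        self.timeout = timeout

    def is_expired(self, ticket, now):
        # Idle for longer than the timeout, regardless of total ticket age
        return now - ticket.last_used_at > self.timeout


class TicketRegistry:
    def __init__(self, policy):
        self.policy = policy
        self.tickets = {}

    def add(self, ticket):
        self.tickets[ticket.ticket_id] = ticket

    def get(self, ticket_id, now):
        """Path (a): check expiration on retrieval; a successful use resets idle time."""
        ticket = self.tickets.get(ticket_id)
        if ticket is None:
            return None
        if self.policy.is_expired(ticket, now):
            del self.tickets[ticket_id]
            return None
        ticket.last_used_at = now
        return ticket

    def heartbeat(self, ticket_id, now):
        """Option 2: an active workstation renews its TGT; False means re-login."""
        return self.get(ticket_id, now) is not None

    def clean(self, now):
        """Path (b): the RegistryCleaner sweeps idle tickets even if never retrieved."""
        expired = [tid for tid, t in self.tickets.items() if self.policy.is_expired(t, now)]
        for tid in expired:
            del self.tickets[tid]
        return expired
```

With a heartbeat every few minutes the active workstation's TGT survives indefinitely, while a ticket whose workstation went quiet is removed by whichever of the two paths reaches it first.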