sso authentication process
Stephen Lynn
stephen_lynn at byu.edu
Tue Mar 6 14:26:27 EST 2007
So if I'm understanding you correctly, CAS does not support the notion
of a cross-site logout? Meaning that if I have used CAS to log in to
sites A and B and I hit a logout button on site A, site B will have no
way of knowing (via some CAS mechanism) that I logged out.
Does that make sense? We're not only looking for a single sign on but
also a single sign out as well.
Stephen
________________________________
From: cas-bounces at tp.its.yale.edu [mailto:cas-bounces at tp.its.yale.edu]
On Behalf Of Scott Battaglia
Sent: Thursday, March 01, 2007 4:15 PM
To: Yale CAS mailing list
Subject: Re: sso authentication process
Stephen,
A site does not need to use gateway=true. You use gateway=true if
you're merely interested in knowing if a SSO on session exists. If you
want to start a session if one does not exist, you would leave off the
gateway=true.
CAS currently does not maintain state of what applications have used CAS
to log in (they are all responsible for their own sessions). Each
application's session is independent of all other applications'
sessions. Thus, no one needs to check in with CAS.
-Scott
On 2/28/07, Stephen Lynn <stephen_lynn at byu.edu> wrote:
I'm fairly new to CAS so this may be a dumb question but it's a question
I'm having anyway. We are working on setting things up to enable SSO
for our University's websites. I'm curious what the recommended
approach to this is.
As I understand it, a site that wants to use SSO needs to redirect the
browser to CAS passing it the gateway=true parameter so CAS can
determine if the browser has a current session and then return a session
ticket to the requesting site if the person is logged in. Using this
model, it appears that a site will need to redirect every page request
to CAS so the site will be aware of any logins/logouts on other sites
using CAS and act appropriately. That seems like a lot of overhead and
could be very problematic for things like form submissions.
Is this the recommended approach for SSO and keeping individual site
sessions in sync with the browser's CAS session? Am I missing
something?
Stephen Lynn
_______________________________________________
Yale CAS mailing list
cas at tp.its.yale.edu
http://tp.its.yale.edu/mailman/listinfo/cas
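Added example, not part of the original thread and not CAS project code: a sketch of the per-request decision a CAS-protected application can make so that it contacts CAS only when it has no session of its own, using gateway=true once for optional sign-on as described in the reply above. The server URL, the `decide` function, the `gateway_tried` flag and the session dict are assumptions for illustration; `service`, `gateway` and `ticket` are the CAS protocol parameters.

```python
from urllib.parse import urlencode, urlsplit, parse_qs

CAS_LOGIN = "https://cas.example.edu/cas/login"  # placeholder CAS server (assumption)


def cas_redirect(service_url, gateway):
    """Build the CAS /login redirect. gateway=true tells CAS not to prompt:
    it returns a ticket only if an SSO session already exists."""
    params = {"service": service_url}
    if gateway:
        params["gateway"] = "true"
    return CAS_LOGIN + "?" + urlencode(params)


def decide(url, session, login_required):
    """Return (action, detail) for one incoming request.

    session is the application's own per-browser session (hypothetical dict).
    It is independent of CAS: a logout on another site does not clear it.
    """
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    # Simplification: the service URL is the request URL without its query.
    # The same value must be sent again when the ticket is validated.
    service = parts._replace(query="", fragment="").geturl()

    if session.get("user"):
        # Local session exists: no round trip to CAS for this request.
        return ("serve", session["user"])
    if "ticket" in query:
        # Returned from CAS with a service ticket: validate it server-side,
        # then set session["user"] on success.
        return ("validate", query["ticket"][0])
    if login_required:
        # Protected page: let CAS prompt for credentials if needed.
        return ("redirect", cas_redirect(service, gateway=False))
    if session.get("gateway_tried"):
        # CAS already sent the browser back without a ticket: stay anonymous
        # instead of redirecting again on every page.
        return ("serve", None)
    session["gateway_tried"] = True
    return ("redirect", cas_redirect(service, gateway=True))
```

Because the first branch never consults CAS, a session created this way stays valid after the user logs out elsewhere, which is the single sign-out gap raised in the thread.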