sso authentication process

Scott Battaglia scott.battaglia at gmail.com
Tue Mar 6 15:43:56 EST 2007


CAS 3 does not currently support single sign out.  CAS 3.1 will support
single sign out.  Though, I'm not sure if we would support the scenario
where logging out of one particular application logged you out of everything
(or even notified other applications).

Our initial scenario would probably be if your CAS session timed out or you
explicitly logged out of CAS it would notify all applications from that CAS
session.

But again, we haven't finalized everything yet so we are interested in
feedback.

-Scott

On 3/6/07, Stephen Lynn <stephen_lynn at byu.edu> wrote:
>
>  So if I'm understanding you correctly, CAS does not support the notion of
> a cross-site logout?  Meaning that if I have used CAS to login to sites A
> and B and I hit a logout button on site A, site B will have no way of
> knowing (via some CAS mechanism) that I logged out.
>
>
>
> Does that make sense?  We're not only looking for a single sign on but
> also a single sign out as well.
>
>
>
> Stephen
>
>
>  ------------------------------
>
> *From:* cas-bounces at tp.its.yale.edu [mailto:cas-bounces at tp.its.yale.edu] *On
> Behalf Of *Scott Battaglia
> *Sent:* Thursday, March 01, 2007 4:15 PM
> *To:* Yale CAS mailing list
> *Subject:* Re: sso authentication process
>
>
>
> Stephen,
>
> A site does not need to use gateway=true.  You use gateway=true if you're
> merely interested in knowing if an SSO session exists.  If you want to
> start a session if one does not exist, you would leave off the gateway=true.
>
>
> CAS currently does not maintain state of what applications have used CAS
> to log in (they are all responsible for their own sessions).  Each
> application's session is independent of all other applications' sessions.
> Thus, no one needs to check in with CAS.
>
> -Scott
>
> On 2/28/07, *Stephen Lynn* <stephen_lynn at byu.edu> wrote:
>
> I'm fairly new to CAS so this may be a dumb question but it's a question
> I'm having anyway.  We are working on setting things up to enable SSO for
> our University's websites.  I'm curious what the recommended approach to
> this is.
>
>
>
> As I understand it, a site that wants to use SSO needs to redirect the
> browser to CAS passing it the gateway=true parameter so CAS can determine if
> the browser has a current session and then return a session ticket to the
> requesting site if the person is logged in.  Using this model, it appears
> that a site will need to redirect every page request to CAS so the site will
> be aware of any logins/logouts on other sites using CAS and act
> appropriately.  That seems like a lot of overhead and could be very
> problematic for things like form submissions.
>
>
>
> Is this the recommended approach for SSO and keeping individual site
> sessions in sync with the browser's CAS session?  Am I missing something?
>
> Stephen Lynn
>
>
>
>
> _______________________________________________
> Yale CAS mailing list
> cas at tp.its.yale.edu
> http://tp.its.yale.edu/mailman/listinfo/cas


-- 
-Scott Battaglia

LinkedIn: http://www.linkedin.com/in/scottbattaglia
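
The request handling this thread describes (gateway=true only to probe for an existing SSO session, and no round trip to CAS once the application has its own session), sketched as an added example that is not code from the thread's participants or the CAS project. The CAS base URL, the function names, the action labels and the session keys are assumptions made for illustration.

```python
from urllib.parse import urlencode

CAS_BASE = "https://cas.example.edu/cas"  # assumed CAS server URL (placeholder)


def cas_login_url(service, gateway=False):
    """Build the redirect to CAS /login; gateway=true tells CAS not to prompt."""
    params = {"service": service}
    if gateway:
        params["gateway"] = "true"
    return f"{CAS_BASE}/login?{urlencode(params)}"


def cas_validate_url(service, ticket):
    """Build the server-side ticket validation call (CAS 2.0 /serviceValidate)."""
    return f"{CAS_BASE}/serviceValidate?{urlencode({'service': service, 'ticket': ticket})}"


def handle_request(session, query, service, require_login):
    """Decide what the application does with one incoming request.

    session: the application's own per-browser session (independent of CAS)
    query:   query-string parameters of this request
    Returns (action, detail); the action names are hypothetical labels.
    """
    # The application already has its own session: serve the page without
    # contacting CAS at all.
    if session.get("user"):
        return ("serve", session["user"])
    # CAS redirected the browser back with a service ticket: validate it
    # server-side against the same service URL before creating a session.
    if "ticket" in query:
        return ("validate", cas_validate_url(service, query["ticket"]))
    # The page needs a login: leave gateway off so CAS prompts if necessary.
    if require_login:
        return ("redirect", cas_login_url(service))
    # A gateway probe that came back without a ticket means no SSO session
    # exists; remember that so the browser is not bounced to CAS again.
    if session.get("gateway_tried"):
        return ("serve_anonymous", None)
    session["gateway_tried"] = True
    return ("redirect", cas_login_url(service, gateway=True))
```

The `gateway_tried` flag is what keeps a gateway probe from turning into a redirect loop when no SSO session exists.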