sso authentication process
David Spencer
David.Spencer at bristol.ac.uk
Wed Mar 7 06:21:15 EST 2007
--On 06 March 2007 15:43 -0500 Scott Battaglia <scott.battaglia at gmail.com>
wrote:
> CAS 3 does not currently support single sign out. CAS 3.1 will support
> single sign out. Though, I'm not sure if we would support the scenario where
> logging out of one particular application logged you out of everything (or
> even notified other applications).
If an application participates in CAS single sign on (i.e. doesn't pass the
renew=true parameter) then an application local logout without an associated
CAS logout can be quite confusing to users. Clicking login on the application
simply does single sign on and logs you back in without asking for your
password. "What was the point of logging out?" ask our users. Developers know
that resources have been released, work committed etc but users don't see any
of that.
We've not been very effective in educating our users about the distinct nature
of CAS sessions and application sessions. I'm sure some users know they are
distinct, others think they are the same and others think they are both
distinct and the same simultaneously. The situation is not helped by some
client applications redirecting to the CAS logout page and others always using
renew=true so the user can get quite misleading messages.
I'm groping towards what I want out of Single Sign Out and I suppose I hope to
be able to use three distinct types of logout:
i) application local logout: equivalent to session.invalidate()
ii) CAS logout: TGT invalidation - exactly as now
iii) Single Sign Out: all client applications contacted with logout instruction
Ordinarily, I would expect an application's logout action to combine i) and
ii), invalidating the local session and then redirecting to CAS logout. Any
definite, user-driven decision to logout of any application seems to me a good
time to invalidate the TGT. This would mean that users logging out of an
application wouldn't be able to get back in without offering their password.
I would hope that the CAS logout page could list the client applications that
CAS believes are still logged in and offer a 'Single Sign Out' link. I would
further hope that the list of applications wasn't tied to the TGT just expired,
but that it could persist and grow across the lifetimes of several TGTs. I'm
guessing this would not be very straightforward to implement, but I don't know
the CAS 3 code-base at all.
I'm very hopeful that CAS 3.1 will offer me at least a good starting point for
implementing single sign out and reducing our users' confusion.
Dave
----------------------
David Spencer
Information Systems and Computing
University of Bristol
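The three logout types Dave lists, and the confusion he describes after a local-only logout, can be made concrete with a small model. The following is an added illustration, not CAS code and not from the thread: a toy CAS server, two client applications and one browser, all constructed here. The user, password, service names and session-id formats are invented; `CASTGC` is used as the name of the TGT cookie by convention only. The model is deliberately simplified (no ticket expiry, no proxying) and exists to show that (i) alone leaves the TGT valid so "login" succeeds silently, (i)+(ii) forces a password on the next login but leaves other applications' sessions alive, and (iii) notifies every application that received a ticket under the TGT.

```python
"""Constructed model of CAS sessions versus application sessions (not CAS code)."""
import secrets


class CredentialsRequired(Exception):
    """Raised when CAS has no usable TGT for the browser and must see a password."""


class Browser:
    def __init__(self):
        self.cookies = {}   # cookie name -> value, shared across CAS and all apps


class CasServer:
    USERS = {"alice": "correct horse"}   # constructed test account

    def __init__(self):
        self.tgts = {}      # TGT id -> {"user": str, "services": set of service ids}
        self.tickets = {}   # service ticket -> (user, service id), single use

    def authenticate(self, browser, service_id, credentials=None, renew=False):
        """Issue a service ticket; without renew, a valid TGT cookie suffices."""
        tgt = browser.cookies.get("CASTGC")
        if renew or tgt not in self.tgts:
            if credentials is None:
                raise CredentialsRequired(service_id)
            user, password = credentials
            if self.USERS.get(user) != password:
                raise CredentialsRequired(service_id)
            self.tgts.pop(tgt, None)                     # replace any stale TGT
            tgt = "TGT-" + secrets.token_hex(8)
            self.tgts[tgt] = {"user": user, "services": set()}
            browser.cookies["CASTGC"] = tgt
        record = self.tgts[tgt]
        record["services"].add(service_id)               # remembered for single sign out
        st = "ST-" + secrets.token_hex(8)
        self.tickets[st] = (record["user"], service_id)
        return st

    def validate(self, st, service_id):
        """Service tickets are single use and bound to the requesting service."""
        user, bound = self.tickets.pop(st, (None, None))
        if user is None or bound != service_id:
            raise ValueError("invalid service ticket")
        return user

    def logout(self, browser):
        """Type ii: TGT invalidation only; application sessions are untouched."""
        tgt = browser.cookies.pop("CASTGC", None)
        return self.tgts.pop(tgt, None)

    def single_sign_out(self, browser, apps):
        """Type iii: tell every application seen under this TGT, then drop the TGT."""
        record = self.logout(browser)
        notified = []
        for app in apps:
            if record and app.service_id in record["services"]:
                app.sso_callback(record["user"])
                notified.append(app.service_id)
        return notified


class App:
    def __init__(self, service_id, cas):
        self.service_id, self.cas = service_id, cas
        self.sessions = {}   # session id -> user (stand-in for the servlet session)

    def login(self, browser, credentials=None, renew=False):
        st = self.cas.authenticate(browser, self.service_id, credentials, renew)
        user = self.cas.validate(st, self.service_id)
        sid = "SESSION-" + secrets.token_hex(8)
        self.sessions[sid] = user
        browser.cookies[self.service_id] = sid
        return user

    def current_user(self, browser):
        return self.sessions.get(browser.cookies.get(self.service_id))

    def local_logout(self, browser):
        """Type i: the equivalent of session.invalidate(), nothing else."""
        self.sessions.pop(browser.cookies.pop(self.service_id, None), None)

    def logout(self, browser):
        """Types i + ii combined: invalidate locally, then send the user to CAS logout."""
        self.local_logout(browser)
        self.cas.logout(browser)

    def sso_callback(self, user):
        """Back-channel logout notification: drop every local session for that user."""
        self.sessions = {s: u for s, u in self.sessions.items() if u != user}


def demo():
    cas, browser = CasServer(), Browser()
    mail, wiki = App("mail", cas), App("wiki", cas)
    creds = ("alice", "correct horse")
    mail.login(browser, creds)                    # first login: password prompt
    wiki.login(browser)                           # SSO: no password needed
    mail.local_logout(browser)                    # i) only ...
    silent_relogin = mail.login(browser) == "alice"   # ... so "login" asks nothing
    mail.logout(browser)                          # i) + ii)
    try:
        mail.login(browser)
        password_required = False
    except CredentialsRequired:
        password_required = True
    wiki_still_open = wiki.current_user(browser) == "alice"
    mail.login(browser, creds)
    wiki.login(browser)
    notified = cas.single_sign_out(browser, [mail, wiki])   # iii)
    return {
        "local_logout_relogin_without_password": silent_relogin,
        "cas_logout_requires_password": password_required,
        "cas_logout_leaves_other_app_session": wiki_still_open,
        "single_sign_out_notified": sorted(notified),
        "sessions_after_sso": (mail.current_user(browser), wiki.current_user(browser)),
    }
```

Running `demo()` shows the point of the message in one place: the local-only logout is followed by a password-free re-login, the combined logout is what actually forces credentials, and only the single sign out clears the second application's session. The list of services is kept on the TGT record here, which is also why the model has to log both applications in again before step iii; the message's wish for a list that survives across TGTs would need that record to live elsewhere.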