sso authentication process
John Fereira
jaf30 at cornell.edu
Wed Mar 7 14:23:04 EST 2007
Scott Battaglia wrote:
> CAS 3 does not currently support single sign out. CAS 3.1 will
> support single sign out. Though, I'm not sure if we would support the
> scenario where logging out of one particular application logged you
> out of everything (or even notified other applications).
>
> Our initial scenario would probably be if your CAS session timed out
> or you explicitly logged out of CAS it would notify all applications
> from that CAS session.
>
> But again, we haven't finalized everything yet so we are interested in
> feedback.

I am curious about your thinking about how this would be implemented.
The suggestion that CAS could send a message to a message queue would
seem to work, but every application that wanted to participate in single
signout would have to implement a message queue listener. I've played
around a bit with Apache ActiveMQ and that would seem to work.

I suppose another option would be to provide a "signout action url" that
would get registered in CAS when an application calls the CAS login action.

>
> -Scott
>
> On 3/6/07, *Stephen Lynn* <stephen_lynn at byu.edu
> <mailto:stephen_lynn at byu.edu>> wrote:
>
> So if I'm understanding you correctly, CAS does not support the
> notion of a cross-site logout? Meaning that if I have used CAS to
> login to sites A and B and I hit a logout button on site A, site B
> will have no way of knowing (via some CAS mechanism) that I logged
> out.
>
>
>
> Does that make sense? We're not only looking for a single sign on
> but also a single sign out as well.
>
>
>
> Stephen
>
>
>
> ------------------------------------------------------------------------
>
> *From:* cas-bounces at tp.its.yale.edu
> <mailto:cas-bounces at tp.its.yale.edu> [mailto:
> cas-bounces at tp.its.yale.edu <mailto:cas-bounces at tp.its.yale.edu>]
> *On Behalf Of *Scott Battaglia
> *Sent:* Thursday, March 01, 2007 4:15 PM
> *To:* Yale CAS mailing list
> *Subject:* Re: sso authentication process
>
>
>
> Stephen,
>
> A site does not need to use gateway=true. You use gateway=true if
> you're merely interested in knowing if a SSO on session exists.
> If you want to start a session if one does not exist, you would
> leave off the gateway=true.
>
> CAS currently does not maintain state of what applications have
> used CAS to log in (they are all responsible for their own
> sessions). Each application's session is independent of all other
> applications' sessions. Thus, no one needs to check in with CAS.
>
> -Scott
>
> On 2/28/07, *Stephen Lynn* <stephen_lynn at byu.edu
> <mailto:stephen_lynn at byu.edu>> wrote:
>
> I'm fairly new to CAS so this may be a dumb question but it's a
> question I'm having anyway. We are working on setting things up
> to enable SSO for our University's websites. I'm curious what the
> recommended approach to this is.
>
>
>
> As I understand it, a site that wants to use SSO needs to redirect
> the browser to CAS passing it the gateway=true parameter so CAS
> can determine if the browser has a current session and then return
> a session ticket to the requesting site if the person is logged
> in. Using this model, it appears that a site will need to
> redirect every page request to CAS so the site will be aware of
> any logins/logouts on other sites using CAS and act
> appropriately. That seems like a lot of overhead and could be
> very problematic for things like form submissions.
>
>
>
> Is this the recommended approach for SSO and keeping individual
> site sessions in sync with the browser's CAS session? Am I
> missing something?
>
> Stephen Lynn
>
>
>
>
> _______________________________________________
> Yale CAS mailing list
> cas at tp.its.yale.edu <mailto:cas at tp.its.yale.edu>
> http://tp.its.yale.edu/mailman/listinfo/cas
>
> --
> -Scott Battaglia
>
> LinkedIn: http://www.linkedin.com/in/scottbattaglia
> <http://www.linkedin.com/in/scottbattaglia>
>
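
The "signout action url" idea from John Fereira's reply, sketched as an added example (not code from the thread and not CAS's own API). All class, method and URL names are hypothetical, and an in-process call stands in for the HTTP request the server would send to each registered URL.

```python
import secrets

class SsoServer:
    """Hypothetical CAS-like server that remembers a signout URL per login."""
    def __init__(self, send):
        self.send = send          # callable(url, ticket): delivers the notice
        self.registered = {}      # sso_session_id -> [(signout_url, ticket)]

    def login(self, sso_session_id, signout_url):
        # Issue an unguessable ticket and record where to announce signout.
        ticket = "ST-" + secrets.token_urlsafe(16)
        self.registered.setdefault(sso_session_id, []).append((signout_url, ticket))
        return ticket

    def end_session(self, sso_session_id):
        # Called on explicit logout from the server or on SSO session timeout.
        notices = self.registered.pop(sso_session_id, [])
        for url, ticket in notices:
            self.send(url, ticket)
        return len(notices)

class App:
    """Application that keeps its own sessions, keyed by the login ticket."""
    def __init__(self):
        self.sessions = {}        # ticket -> username

    def start_session(self, ticket, username):
        self.sessions[ticket] = username

    def signout_action(self, ticket):
        # Only the exact ticket ends a session; a username or guessed value
        # in a forged request matches nothing.
        return self.sessions.pop(ticket, None) is not None

def demo():
    # Constructed scenario: alice uses sites A and B, bob uses site A only.
    apps = {"https://a.example/signout": App(), "https://b.example/signout": App()}
    cas = SsoServer(lambda url, ticket: apps[url].signout_action(ticket))
    for url, app in apps.items():
        app.start_session(cas.login("sso-alice", url), "alice")
    other = cas.login("sso-bob", "https://a.example/signout")
    apps["https://a.example/signout"].start_session(other, "bob")
    forged = apps["https://b.example/signout"].signout_action("alice")
    notified = cas.end_session("sso-alice")
    remaining = {url: sorted(app.sessions.values()) for url, app in apps.items()}
    return forged, notified, remaining
```

Because the signout endpoint is reachable by anyone who can send a request to the application, keying it on the ticket rather than the username keeps a forged call from ending another user's session.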