SSO issues


Hi,
We installed CAS on our Luminis 3.3.3.64 installation and made a couple of applications (web-based, PHP) SSO apps with our Luminis server. The issue we are having is with the browser saving a user's details even after he/she logs off. To explain in detail, I can list the steps a student takes:

Scenario:

1) Student A logs in to the Luminis portal, which has SSO capability with a couple of other homegrown PHP-based web applications. All the applications are available to the student with this one sign-in to Luminis.

2) Let's say student A checks his/her grades, classes, schedules and financial information.

3) Student A clicks the Log-off button and logs off the Luminis portal. Student A doesn't close the browser window, though. According to him, since he logged off his account, he doesn't have to worry about his account being seen by anybody else (let's say he logs in at a library, on a public machine; the next person who uses that machine to log in to the portal technically shouldn't be able to see student A's financial records, student A's grades, etc.).

But unfortunately, in the above-mentioned situation, a student who logs off but forgets to close his browser is at potential risk of making his information public. Is there any way we can kill his session completely right after he logs off, irrespective of whether he closes the browser or not?

Thanks,
Shiva

Comments


Which CAS did you install?

Which CAS did you install? The one on the Luminis CD or one from JA-SIG? I'm not sure how the one on the Luminis CD is configured or how your integrated applications are configured, but I know that CAS supports a logoff method you should be able to call once they log off the portal. This should sign them out of those applications. Again, I'm not sure how the Luminis CAS implementation is set up or how much they will let you modify it, but this would be the avenue to explore for sure.

This is a tough one

You should probably look at the CAS mailing list archives for information dealing with logout and Single Sign-Out. http://www.ja-sig.org/products/cas/community/lists/index.html

The issue is that the CAS server tracks the global session, but individual applications will end up tracking their own sessions. Since there isn't currently a Single Sign-Out mechanism in CAS (supposed to be in the 3.1 release), there are a couple of workarounds that can be put in place.

One workaround is to provide logout buttons for each service which will call /cp/cas/logout?service=service_name to logout of specific services. Also, there are some people working on setups where the CAS server is modified to track all the logout urls for services that the person accesses and then when the "global" logout is selected, the server would then contact all other services to force a logout.

So, in short, there is no global logout functionality currently, aside from closing the browser.

Dallas

PS. I'm not sure if these two talks would give you more information, but they are "just out" and may be of use.
http://support.unicon.net/node/612
http://support.unicon.net/node/617
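The application-side bookkeeping that the second workaround above (the server contacting each service on global logout) depends on, as an added example that is not from this thread and not Luminis or CAS code: each service remembers which of its own sessions was created from which CAS service ticket, and the server's logout callback (assumed here to be the CAS 3.1-style SAML LogoutRequest carrying that ticket in SessionIndex) tears down exactly that session, so a later user of the same open browser no longer inherits it.

```python
"""Service-side session store for CAS single sign-out (added example, not CAS code)."""
import xml.etree.ElementTree as ET
from typing import Dict, Optional

# Constructed sample of the logout callback body the CAS server posts to a
# service as the `logoutRequest` parameter; the ticket value is made up.
SAMPLE_LOGOUT_REQUEST = (
    '<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'ID="LR-example" Version="2.0" IssueInstant="2007-01-01T00:00:00Z">'
    '<saml:NameID xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">@NOT_USED@</saml:NameID>'
    '<samlp:SessionIndex>ST-123-example</samlp:SessionIndex>'
    '</samlp:LogoutRequest>'
)


class ServiceSessionStore:
    """Local sessions of one integrated application, keyed back to CAS tickets."""

    def __init__(self) -> None:
        self.sessions: Dict[str, dict] = {}          # local session id -> attributes
        self.ticket_to_session: Dict[str, str] = {}  # CAS service ticket -> session id
        self._counter = 0

    def login_with_ticket(self, ticket: str, user: str) -> str:
        """Create a local session after the service ticket was validated with CAS.
        The key is the ticket, not the username: one user may hold several sessions."""
        self._counter += 1
        sid = f"sess-{self._counter}"
        self.sessions[sid] = {"user": user, "ticket": ticket}
        self.ticket_to_session[ticket] = sid
        return sid

    def is_active(self, sid: str) -> bool:
        return sid in self.sessions

    def local_logout(self, sid: str) -> None:
        """Per-service logout button: destroy only this application's session."""
        sess = self.sessions.pop(sid, None)
        if sess:
            self.ticket_to_session.pop(sess["ticket"], None)

    def handle_logout_request(self, logout_request_xml: str) -> Optional[str]:
        """Server-initiated logout: find the ticket in SessionIndex (namespace-agnostic),
        destroy the matching session, and return its id, or None if nothing matched."""
        try:
            root = ET.fromstring(logout_request_xml)
        except ET.ParseError:
            return None
        for el in root.iter():
            if el.tag.rsplit("}", 1)[-1] == "SessionIndex" and el.text:
                sid = self.ticket_to_session.get(el.text.strip())
                if sid:
                    self.local_logout(sid)
                return sid
        return None
```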

Modifying the Luminis Logout Page

We have CAS set up and are using it as single sign-on to a number of homegrown Web applications that we pull into the portal as channels. If someone logs out of the portal but leaves the browser window open, the next user to log into the portal from that window gets the first user's Web apps. Not good. We have been wondering if there is a way to modify the Luminis logout procedure/page to include closing the browser window - effectively killing that CAS session.