Problem with CAS sessions


There were several great sessions at Summit about using CAS to integrate external applications into Luminis. I found that it was pretty easy to set up phpcas on a web server and bring a simple php app into a tab in the portal.

I found a Wordpress plugin which will basically CASify Wordpress.

However... when including a Wordpress page in the portal using an inline html frame, I have a problem.

Logging out of Luminis does not seem to kill the CAS credentials. The user still has access to Wordpress, even though they are logged out of Luminis.

Is there some magic required to make this happen the way one would expect? I'd expect that you log out of Luminis and this kills any CAS session you have open. Or, do I just have it wrong?

Thanks.

phpcas = link
Wordpress CAS plugin = link

Comments


SSO(o) can mean two things

SSO = single sign-on
(and)
SSo = single sign-out

CAS does not do single sign-out. That is, when you sign out of a CAS-ified application, you are only signing out of that particular application, but your CAS ticket remains valid. This is by design, and I do not disagree with this design; it is what it is.

CPIP, on the other hand, does do single sign-out, because of the virtue of where you are signing out: at the portal. CPIP can (and will) send logout commands to all of the external systems that a user has signed into.

We regard these two different behaviours as good, and each is better suited to certain applications. We use CPIP for things like our password change utility - if the user signs out of the portal, we want to make sure their password change page cannot be used after the fact. We use CAS for things that do not need such high security designs, like blogs - if a user signs out of the portal, perhaps they were still working on their blog entry, and we don't want them to lose all of their work.

What I've recently been considering is having a CAS-ified application in an IFRAME on the logout page. If that application detects that the user still has a valid CAS ticket, it can offer to log them out of CAS (by them clicking a second logout button), otherwise it displays nothing. We haven't had to do that locally, since as I mentioned we're fine with people remaining logged into their blogs. If CAS were more widely deployed locally, perhaps we'd feel differently.

Todd
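
The logout-page IFRAME idea described in the comment above, as an added example that is not part of the thread and not code from any poster. It assumes phpCAS 1.6 or later installed through Composer (earlier releases take no service base URL argument in `phpCAS::client()`); the host names, paths and the `cas_logout` field name are placeholders.

```php
<?php
// Added example: widget to load in an IFRAME on the portal logout page.
// Shows a "log out of CAS" button only when a CAS session still exists.
require_once __DIR__ . '/vendor/autoload.php';     // assumption: Composer install

const CAS_HOST      = 'cas.example.edu';           // placeholder CAS server
const CAS_PORT      = 443;
const CAS_CONTEXT   = '/cas';
const SERVICE_BASE  = 'https://apps.example.edu';  // placeholder: this widget's base URL
const CAS_CA_BUNDLE = '/etc/ssl/certs/cas-ca.pem'; // placeholder CA bundle path

phpCAS::client(CAS_VERSION_2_0, CAS_HOST, CAS_PORT, CAS_CONTEXT, SERVICE_BASE);
phpCAS::setCasServerCACert(CAS_CA_BUNDLE);         // verify the CAS server certificate

// The second logout button posts back here. Using POST keeps a stray GET
// (an image tag, a prefetch) from ending the user's CAS session.
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['cas_logout'])) {
    phpCAS::logout();   // destroys the local session and redirects to CAS logout
    exit;
}

// Gateway-mode check: the browser is bounced through CAS once, and CAS
// answers without showing a login form. False means no CAS session is left.
if (!phpCAS::checkAuthentication()) {
    exit;               // render nothing, as described in the comment above
}

// Escape the user name before writing it into the page.
$user = htmlspecialchars(phpCAS::getUser(), ENT_QUOTES, 'UTF-8');
?>
<form method="post" target="_top">
  <p>You are still signed in to CAS as <?= $user ?>.</p>
  <button type="submit" name="cas_logout" value="1">Log out of CAS</button>
</form>
```

The form targets `_top` so that the CAS logout page replaces the whole window rather than loading inside the frame.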

Safari and IE & iFrames

Hi,

Has anyone also seen this problem?

We are using iframe channels to pull in a CASified application. It works fine in Firefox and IE6.

However, in Safari and IE7, the frames fail to load. They seem to get into an endless loop and fail.

Thanks-
Bill