Thanks, I think my understanding of SLO is correct. The apps are looking to CAS to handle synchronized idle timeout. For instance, I am in both A and B, I switch from A to B and stay in B for one hour. A will idle timeout, but what they want is, if A and B are both up, as long as the user is active in one app, the user should be active in both. This requires some kind of session manager, which is beyond CAS.

On Tue, Mar 26, 2024 at 12:17 AM Ray Bon <r...@uvic.ca> wrote:

> Yan,
>
> Single logout is messy business.
>
> CAS has a session that is independent from an application session. CAS session may be longer or shorter than an application, it may have different settings and conditions for how its length is determined.
> Application participation in single log out can be set in the service definition (or disabled globally).
> CAS, by default, will send a logout request to each application under a ticket granting ticket. So if user logs out of an application and it sends the user to the CAS logout page, CAS will try to log user out of other applications. Whether those applications honour the logout request is up to the individual application.
> So if application B idles out and sends a logout to CAS, then CAS sends a logout request to A; if A honours that request, then user could lose unsaved work.
>
> When you refer to 'idle timeout', are you referring to CAS session or application session?
>
> When CAS session times out (idle timeout or otherwise), the TGT is removed, no single logout takes place (nor can it take place if requested by an application).
>
> Ray
>
> Single Log Out is not what you think it is; and it will never do what you want.
>
> On Mon, 2024-03-25 at 12:35 -0700, Yan Zhou wrote:
>
> Hi,
>
> Two webapps, both protected by CAS. User is in both apps via SSO.
>
> When user idle timeout kicks in, he is also logged out of CAS, I believe this is the correct behavior. Otherwise, after idle timeout, simply accessing B will get user in right away, which is a security problem. Say, user walks away, app's idle timeout kicks in, but SSO session is still valid, now, someone else comes and accesses the app, that person would be right in B without being prompted for credentials.
>
> This brings up another usability problem. Say, user is busy in one app A and idle in the other app B. B's idle timeout kicks in and also logged out of CAS. User remains in A, but when he accesses B, he is prompted for credentials (no SSO since CAS SSO session was already terminated).
>
> Is my understanding correct?
>
> Thanks,
> Yan
>
> --
> - Website: https://apereo.github.io/cas
> - Gitter Chatroom: https://gitter.im/apereo/cas
> - List Guidelines: https://goo.gl/1VRrw7
> - Contributions: https://goo.gl/mh7qDG
> ---
> You received this message because you are subscribed to a topic in the Google Groups "CAS Community" group.
> To unsubscribe from this topic, visit https://groups.google.com/a/apereo.org/d/topic/cas-user/ODAW7-hM5Dw/unsubscribe.
> To unsubscribe from this group and all its topics, send an email to cas-user+unsubscr...@apereo.org.
> To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/3c7d3fa7c1e5dff6f251addaf8246a66b67067cd.camel%40uvic.ca.
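
A toy model of the session behaviour discussed in this thread, added here as an illustration; it is not code from the posters or from the CAS project. The class names, the timeout values and the rule that only ticket issuance refreshes the TGT are simplifying assumptions of the model.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class App:                          # hypothetical CAS-protected application
    name: str
    idle_timeout: int               # seconds of inactivity allowed (constructed value)
    honours_slo: bool = True        # whether it acts on a CAS logout request
    last_seen: Optional[int] = None # None: no local application session

    def active(self, now):
        return self.last_seen is not None and now - self.last_seen < self.idle_timeout

@dataclass
class Cas:                          # hypothetical stand-in for the CAS server session
    tgt_timeout: int                # seconds since the TGT was last used
    tgt_used: Optional[int] = None  # None: no TGT
    apps: list = field(default_factory=list)

    def tgt_valid(self, now):
        return self.tgt_used is not None and now - self.tgt_used < self.tgt_timeout

    def access(self, app, now):
        if app.active(now):         # app session alive: CAS is never contacted
            app.last_seen = now
            return "app-session"
        how = "sso" if self.tgt_valid(now) else "login"
        if how == "login":
            self.apps = []          # credentials entered, fresh TGT
        self.tgt_used, app.last_seen = now, now
        if app not in self.apps:
            self.apps.append(app)
        return how

    def logout(self, now):
        # Logout requests go to every app under the TGT; an expired TGT means no SLO.
        notified = [a for a in self.apps if self.tgt_valid(now)]
        for a in notified:
            if a.honours_slo:
                a.last_seen = None  # unsaved work in this app is lost here
        self.tgt_used, self.apps = None, []
        return [a.name for a in notified]

def scenario(b_logs_out_of_cas):
    """User works in A for an hour while B sits idle past its timeout."""
    a, b = App("A", 1800), App("B", 1800)
    cas = Cas(tgt_timeout=8 * 3600)
    cas.access(a, 0); cas.access(b, 0)
    for t in range(600, 3601, 600): # activity in A only; the TGT is not touched
        cas.access(a, t)
    notified = cas.logout(3600) if b_logs_out_of_cas else []
    return notified, a.active(3601), cas.access(b, 3602)
```

`scenario(True)` shows the busy session in A being ended by B's timeout, and `scenario(False)` shows B being re-entered through SSO with no credential prompt, which are the two outcomes weighed in the thread.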