SP Without SSO...

Cantor, Scott cantor.2 at osu.edu
Thu Sep 15 01:14:00 BST 2011

On 9/14/11 5:57 PM, "John Mitchell" <jpmitchell at alaska.edu> wrote:

>With this configuration
>the only way to make things work is to ask the IdP to log out the first
>user so the second user can log in since forceAuthN expects the user to
>stay the same in the session. The user experience in this case when
>the user goes to use other services integrated with the IdP is less
>than optimal since the user expects to just be "logged-in" to the
>other apps.

Peter's point aside, it seems like the closest you'd come to this kind of
thing is really to simulate a logout, and have the SP direct the user
needing this capability to a script on the IdP server that clears his
cookies and then proceeds with the login request.

That way you can bypass the existing identity at the IdP, but he stays
logged in as he was to any other services.

Maybe. Probably a hole in there somewhere.

-- Scott
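
A sketch of the "simulate a logout" script suggested above, added here as an example and not part of the original message or of any IdP's own code. The cookie name, cookie path and SSO path prefix are assumptions for illustration; the check on the forwarded login request URL covers one likely hole (an open redirect or header injection through the target parameter).

```python
from urllib.parse import urlsplit

# Assumptions, not from the original message: adjust to the IdP in use.
IDP_SESSION_COOKIES = ("idp_session",)   # hypothetical cookie name(s)
IDP_COOKIE_PATH = "/idp"                 # hypothetical cookie path
SSO_PATH_PREFIX = "/idp/profile/"        # hypothetical SSO endpoint prefix


def is_safe_target(target):
    """Allow only a relative URL that stays on the IdP's own SSO endpoint."""
    # Control characters or spaces would permit header injection via Location.
    if not target or any(ord(c) < 0x21 or ord(c) == 0x7F for c in target):
        return False
    # Backslashes and "//" are treated as host separators by some browsers.
    if "\\" in target or not target.startswith("/") or target.startswith("//"):
        return False
    parts = urlsplit(target)
    if parts.scheme or parts.netloc:
        return False
    if ".." in parts.path.split("/"):
        return False
    return parts.path.startswith(SSO_PATH_PREFIX)


def simulate_logout(target):
    """Return (status, headers): expire IdP cookies, then resume the login.

    Only cookies scoped to the IdP host can be cleared here, so sessions the
    user already holds at other SPs are left untouched.
    """
    if not is_safe_target(target):
        # Refuse without clearing anything, so a bad link has no side effect.
        return "400 Bad Request", [("Content-Type", "text/plain")]
    headers = [("Location", target), ("Cache-Control", "no-store")]
    for name in IDP_SESSION_COOKIES:
        headers.append((
            "Set-Cookie",
            f"{name}=; Path={IDP_COOKIE_PATH}; Max-Age=0; Secure; HttpOnly",
        ))
    return "302 Found", headers


if __name__ == "__main__":
    # Constructed sample request URL, not a captured one.
    print(simulate_logout("/idp/profile/SSO?SAMLRequest=CONSTRUCTED"))
```

A link to this script with a valid target still ends the user's IdP session, so it should only be reachable in the way the deployment intends.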

