SP Without SSO...
John Mitchell
jpmitchell at alaska.edu
Thu Sep 15 22:39:04 BST 2011
Scott,
On Wed, Sep 14, 2011 at 4:14 PM, Cantor, Scott <cantor.2 at osu.edu> wrote:
> On 9/14/11 5:57 PM, "John Mitchell" <jpmitchell at alaska.edu> wrote:
>
>>With this configuration
>>the only way to make things work is to ask the IdP to logout the first
>>user so the second user can login since forceAuthN expects the user to
>>stay the same in the session. The user experience in this case when
>>the user goes to use other services integrated with the IdP is less
>>than optimal since the user expects to just be "logged-in" to the
>>other apps.
>
> Peter's point aside, it seems like the closest you'd come to this kind of
> thing is really to simulate a logout, and have the SP direct the user
> needing this capability to a script on the IdP server that clears his
> cookies and then proceeds with the login request.
>
> That way you can bypass the existing identity at the IdP, but he stays
> logged in as he was to any other services.
>
> Maybe. Probably a hole in there somewhere.
>
I wondered about that as well and if it would come up. I am not
real keen on this one as it seems like it could be very difficult to
support in certain cases. I think I am stuck with a second IdP.
I am also anticipating that the kiosk use case is coming (I am
hearing noises) for some of these applications as well, so I may be
forced into a second IdP anyway.
Thanks for your time.
> -- Scott
>
--
John P. Mitchell <jpmitchell at alaska.edu>
907.450.8320
http://www.alaska.edu/oit/iam
"All mankind is divided into three classes: those that are immovable,
those that are movable, and those that move." - Benjamin Franklin