SP Without SSO...

John Mitchell jpmitchell at alaska.edu
Thu Sep 15 22:39:04 BST 2011


On Wed, Sep 14, 2011 at 4:14 PM, Cantor, Scott <cantor.2 at osu.edu> wrote:
> On 9/14/11 5:57 PM, "John Mitchell" <jpmitchell at alaska.edu> wrote:
>>With this configuration
>>the only way to make things work is to ask the IdP to logout the first
>>user so the second user can login since forceAuthN expects the user to
>>stay the same in the session. The user experience in this case when
>>the user goes to use other services integrated with the IdP is less
>>than optimal since the user expects to just be "logged-in" to the
>>other apps.
> Peter's point aside, it seems like the closest you'd come to this kind of
> thing is really to simulate a logout, and have the SP direct the user
> needing this capability to a script on the IdP server that clears his
> cookies and then proceeds with the login request.
> That way you can bypass the existing identity at the IdP, but he stays
> logged in as he was to any other services.
> Maybe. Probably a hole in there somewhere.

    I wondered about that as well and if it would come up. I am not
real keen on this one as it seems like it could be very difficult to
support in certain cases. I think I am stuck with a second IdP.
    I am also anticipating that the kiosk use case is coming (I am
hearing noises) for some of these applications as well, so I may be
forced into a second IdP anyway.

Thanks for your time.

> -- Scott

John P. Mitchell <jpmitchell at alaska.edu>

"All mankind is divided into three classes: those that are immovable,
those that are movable, and those that move." - Benjamin Franklin
