morgan at orst.edu
Tue Nov 13 12:48:43 EST 2012
On Mon, 12 Nov 2012, Michael A Grady wrote:
> On Nov 12, 2012, at 6:09 PM, Andrew Morgan wrote:
>> This will expire the 2 IDP cookies, invalidate the session, and
>> redirect to the CAS logout page (we delegate auth to CAS).
> If I may ask, if you delegate auth to CAS, why do you have the IdP keep
> a session in the first place? Why not turn off the PreviousSession
> Handler in the IdP, and have the only "SSO Session" be with the CAS
> Server? You still likely want a page After the CAS logout letting the
> user know what they have and haven't been logged out of, and what they
> can do to finish logging out of other things. (And you could similarly
> decide if you are automatically going to log the user out of the CAS
> Server, or give them the option of doing so.)
If I turn off the PreviousSession Handler, will Shibboleth stop using the
IDP cookie, or does the IDP cookie have another purpose?
I still haven't decided how to handle SSO logout in our environment.
Based on what I read here and on the web, we may need some complicated
verbiage on our logout page. :(
More information about the users