short-circuit SSO?

Cantor, Scott cantor.2 at
Mon Nov 19 13:32:44 EST 2012

On 11/19/12 1:00 PM, "Russell Beall" <beall at> wrote:

>That's what I see also.
>So, instead of manipulating the session, I believe there is a way to do a
>post-login filter, and I would like to use that to delete the cookies
>similar to the way our logout page works, but it would need to be past
>the point where the session needs to be referenced from those cookiesŠ
>Is that doable, or would that be too "hack"-ish and risky?

It just depends when it runs. The problematic part is that the session has
to be there for the life of the profile handler to complete the run
because that's where the user identity comes from (this is a major issue
to me, and something V3 has to change).

One possible place to do it, you might be able to clear the cookie in the
SAML binding templates, which you can override by sticking copies into
WEB-INF/classes/templates. I suppose you could stick Javascript in the
template that clears the cookie on the client side. But that only works
with Javascript of course, and it wouldn't work for artifact binding

-- Scott

More information about the users mailing list