logout and misc Qs --shib idp

Cantor, Scott cantor.2 at osu.edu
Tue Nov 20 09:41:26 EST 2012

On 11/20/12 9:31 AM, "Michael A Grady" <mgrady at unicon.net> wrote:
>To confirm, what you are suggesting is that the clean approach to this is
>to turn off the PreviousSession Handler and leave the Shib session cookie
>alone (to avoid other possible side effects on the current IdP). Create a
>new login handler that relies on its own session cookie to provide
>"remember me" SSO as desired.

Yes. My login handler does all of that except the "bypass SSO" part. I
have a rough idea of the change required to do that and planned to do it
for my own use at some point.

The other option I can think of is something that manipulates the
authentication duration on the method that's added to the session after
the login handler runs. That's normally a statically defined configuration
property. I don't know if it could be made dynamic or not. I can take a
brief look at that later today and perhaps suggest something.

A 2.4 release means that APIs can be added, so for example it might be
possible to add a new request attribute set by the LoginHandler layer that
can affect the authentication duration on the method that's added to the
session. Ultimately that is what controls SSO when the PreviousSession
handler is enabled.

-- Scott
