Single Sign-Out and Session Management

August 10, 2005

When dealing with portals we all get very excited about single sign-on (SSO), but I think we often forget single sign-out or overall session management. The end user really gets the main visual benefit from SSO, so this is what I find myself concentrating on. Yet, if somehow connections to external systems are not addressed when a user logs out, you have a potential security problem.

So, the apparently easy solution is to set things up so all sessions on externally connected systems are destroyed when a user logs out. But what if the user wants one of the external systems open? Personally, I think that one is easy too: they learn from experience that all connected systems are logged out.

But, what if they don’t explicitly log out, but rather their session expires from inactivity? You certainly don’t want to log someone out of an external system when they might in fact be active in that external system. This leads to the need to be able to make a call which checks with the external system to see if a user is still active in that system. Then the portal can extend its timeout to wait for the external system.

In a perfect world, an external system could log a user out on demand and could also return some sort of last activity for the user in their system. We don’t live in a perfect world. Very few systems are likely to understand how to do these two things straight out of the box. This leaves us trying to find some reasonable middle ground on an application-by-application basis.

When we consider all these things and determine a way to accomplish this, we are no longer talking about single sign-out but complete session management. Just logging someone out is single sign-out; logging someone out conditionally and handling timeouts intelligently is session management. Obviously a well-integrated external system will employ session management.
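A sketch of the portal-side logic described above, added here as an illustration and not taken from phpCAS, CPIP or any portal product. The `ExternalSystem` adapter, its method names and the `max_lifetime` hard cap are assumptions made for the example; times are plain seconds.

```python
class ExternalSystem:
    """Hypothetical adapter for one application connected to the portal."""

    def __init__(self, name, reports_activity=True):
        self.name = name
        self.reports_activity = reports_activity
        self.sessions = {}  # user -> time of last request in this system

    def touch(self, user, now):
        self.sessions[user] = now

    def last_activity(self, user):
        # None models a system that cannot report activity (per the post, most cannot).
        return self.sessions.get(user) if self.reports_activity else None

    def logout(self, user):
        self.sessions.pop(user, None)


class Portal:
    def __init__(self, systems, idle_timeout, max_lifetime):
        self.systems = systems
        self.idle_timeout = idle_timeout
        self.max_lifetime = max_lifetime  # assumption: hard cap, not from the post
        self.sessions = {}  # user -> (login time, last portal activity)

    def login(self, user, now):
        self.sessions[user] = (now, now)

    def sign_out(self, user):
        """Single sign-out: destroy the portal session and every external one."""
        for system in self.systems:
            system.logout(user)
        self.sessions.pop(user, None)

    def check_timeout(self, user, now):
        """Session management: expire only if idle everywhere that can be checked."""
        if user not in self.sessions:
            return "signed_out"
        started, last = self.sessions[user]
        for system in self.systems:
            seen = system.last_activity(user)
            if seen is not None:
                last = max(last, seen)
        if now - last < self.idle_timeout and now - started < self.max_lifetime:
            return "active"
        self.sign_out(user)
        return "signed_out"
```

A system that cannot report activity never extends the portal timeout, so a user working only in that system is still signed out of it when the portal session expires.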

In our environment we have recently been opting for YaleCAS (or just CAS) as a solution to integrate all homegrown external systems. The phpCAS library we use does not do session management appropriately. Luckily we should be able to modify it to make this all work out.

For other systems we use Campus Pipeline Integration Protocol (CPIP). CPIP is far more complex than CAS, but does allow for complete session management. So for now, we need to use CPIP for important, secure apps, and be aware of the limitations of CAS.

Tags: cas, cpip, identity management, phpcas, security, session management, single sign on, single sign out, sso, yalecas, authentication, authn

Comments

6 Responses to “Single Sign-Out and Session Management”

  1. NoSheep! » Arguing for Mutual Benefit on November 9th, 2005 7:50 pm

    [...] Sometimes I’ll even find myself arguing an idea I’m not yet certain about, or a side of an argument I don’t entirely agree with. In these cases I’m looking to the other person to either succeed or fail in building their own opposing side. This can then help me to solidify my feelings. I recently employed this technique in trying to figure out my opinions on single sign out. I argued against doing it at all. I then walked away and did my research finding that all I needed was to learn that single sign out is not the whole story, I needed to be talking about session management. [...]

  6. Bill on May 1st, 2008 10:55 pm

    Could you elaborate on how you’ve modified phpcas to deal with session management properly? Thanks.
