We already had to turn off SLO because of that issue between tabs (people
would log into Luminis in one tab and Canvas in another, and get kicked out
of Canvas when Luminis timed out). My position is that this was The Wrong
Thing To Do, but the problem is that our CAS 3.x deployment always had it
turned off (thanks, Ellucian) and so now that's what everything considers
"normal."

It seems to me the easiest way to just avoid the whole issue would be to
simply use Browser X for Banner 9 and Browser Y for everything else, but
what do I know? :-)

--Dave

--

DAVID A. CURRY, CISSP
*DIRECTOR OF INFORMATION SECURITY*
INFORMATION TECHNOLOGY

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 212 229-5300 x4728 • david.cu...@newschool.edu




On Fri, Nov 2, 2018 at 2:57 PM Matthew Uribe <matthew.ur...@aims.edu> wrote:

> Hi David,
>
> FWIW we've been on Banner 9 for a little over a year, and we advise users
> not to have multiple tabs open. The issue we see is that one tab will "time
> out" even though the users are actively entering data in another tab. It
> can be rather frustrating. I'm not sure if your unchecking the "participate
> in sso" will make a difference either, since the timeout just calls the
> cas/logout endpoint resulting in the destruction of the TGTs. You may at
> least want to revisit the timeout values for AppNav, etc...
>
> Matt
>
> On Friday, November 2, 2018 at 12:13:39 PM UTC-6, David Curry wrote:
>>
>> Actually, I think my problem in this case was using mod_auth_cas to test
>> it. Maybe that little cookie cache it has was affecting the results.
>>
>> When we unchecked the "participate in sso" access strategy for the
>> actual application in question (Banner 9), it started behaving the way they
>> wanted. Subject to more exhaustive testing, anyway.
>>
>> I know all about how the cookies work and so on. But those technical
>> details are completely irrelevant to business people who just want the new
>> version (using CAS) to work like the old version (not using CAS).
>>
>> Thanks for everyone's suggestions, though.
>>
>> --Dave
>>
>> On Fri, Nov 2, 2018 at 1:52 PM Ray Bon <rb...@uvic.ca> wrote:
>>
>>> I agree with Christian on this. Cookies exist in a browser instance, not
>>> a tab instance; in some cases a new window is still not enough.
>>> It sounds like your client does not understand how web browser
>>> technology works.
>>>
>>> You could always offer to build a custom browser ;)
>>>
>>> Ray
>>>
>>> On Fri, 2018-11-02 at 13:01 -0400, David Curry wrote:
>>>
>>> Well, if I had my way, we wouldn't be doing it at all. :-)
>>>
>>> But one of the business units here wants their application to (a) use
>>> the "standard" login page provided by the CAS server but (b) prompt for
>>> credentials every time you open a tab/window and go to it. "But that's not
>>> single sign-on," I say. "But it's what we want," they say. Sigh.
>>>
>>> --Dave
>>>
>>> On Fri, Nov 2, 2018 at 12:31 PM Christian Poirier <chris...@gmail.com>
>>> wrote:
>>>
>>> Hi Dave
>>>
>>> I think the better way to do this is to open a new instance of your
>>> browser application instead of opening a new tab. The new tab is in the same
>>> context as your first tab and so uses the same authentication cookie. If
>>> you want CAS as you mention, you lose the essential use of SSO. If you
>>> renew for the following tab, you will lose the authentication of the first
>>> tab.
>>>
>>> Christian Poirier
>>> Université TÉLUQ
>>> Québec, QC CANADA
>>>
>>>
>>> On Fri, Nov 2, 2018 at 10:41 AM, David Curry <david...@newschool.edu>
>>> wrote:
>>>
>>>
>>> Can I force a service to authenticate every time from the CAS server
>>> side, e.g., by setting something in the service registry? Basically, I want
>>> to mimic the behavior of "&renew=true" but not have to change anything on
>>> the client side.
>>>
>>> I thought setting "accessStrategy.ssoEnabled: false" in the service
>>> registry entry would do this, but in testing this morning, it appears
>>> that's not the case. That setting forces the service to prompt for login
>>> even if you've signed into something else through CAS, but it doesn't
>>> require you to re-enter your credentials every time you access the same
>>> service. What I want is "Open tab, go to X, enter credentials. Open another
>>> tab, go to X again, have to enter credentials again."
>>>
>>> CAS 5.2.x, BTW.
>>>
>>> Thanks,
>>> --Dave
>>>
>>>
>>> --
>>> - Website: https://apereo.github.io/cas
>>> - Gitter Chatroom: https://gitter.im/apereo/cas
>>> - List Guidelines: https://goo.gl/1VRrw7
>>> - Contributions: https://goo.gl/mh7qDG
>>> ---
>>> You received this message because you are subscribed to the Google
>>> Groups "CAS Community" group.
>>> To unsubscribe from this group and stop receiving emails from it, send
>>> an email to cas-user+u...@apereo.org.
>>> To view this discussion on the web visit
>>> https://groups.google.com/a/apereo.org/d/msgid/cas-user/CA%2Bd9XAO0A_FHTayuNX25UxC0rpY2DPzy5_d1xuyk%3DVSfCqR18g%40mail.gmail.com
>>>
>>>
>>> --
>>> Ray Bon
>>> Programmer analyst
>>> Development Services, University Systems
>>> 2507218831 | CLE 019 | rb...@uvic.ca
>>>
>>>
>
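
The cookie behaviour discussed in this thread, as an added toy model (not part of any message, and not CAS or mod_auth_cas code). The class names are hypothetical, and the model assumes the client application keeps its own session cookie after ticket validation and that a service with `ssoEnabled` set to false leaves the ticket-granting cookie untouched.

```python
# Toy model, constructed for illustration; not CAS or mod_auth_cas code.
import secrets

class Browser:
    """One browser instance: every tab and window shares this cookie jar."""
    def __init__(self):
        self.jar = {}

class Cas:
    def __init__(self):
        self.tgts = set()                    # live ticket-granting tickets

    def authenticate(self, jar, sso_enabled):
        """Return True if the user had to type credentials."""
        if sso_enabled and jar.get("TGC") in self.tgts:
            return False                     # existing SSO session honoured
        if sso_enabled:                      # assumption: non-SSO services set no TGC
            jar["TGC"] = secrets.token_hex(8)
            self.tgts.add(jar["TGC"])
        return True

    def logout(self, jar):
        self.tgts.discard(jar.pop("TGC", None))   # destroys the TGT

class App:
    """A CAS client; sso_enabled models accessStrategy.ssoEnabled for it."""
    def __init__(self, name, sso_enabled=True):
        self.name, self.sso_enabled, self.sessions = name, sso_enabled, set()

    def visit(self, browser, cas):
        if browser.jar.get(self.name) in self.sessions:
            return "app-session"             # never redirected to CAS at all
        prompted = cas.authenticate(browser.jar, self.sso_enabled)
        browser.jar[self.name] = secrets.token_hex(8)
        self.sessions.add(browser.jar[self.name])
        return "prompted" if prompted else "sso"

def demo():
    cas, browser_x, browser_y = Cas(), Browser(), Browser()
    portal, canvas = App("portal"), App("canvas")
    banner = App("banner9", sso_enabled=False)
    return [
        portal.visit(browser_x, cas),   # first login in this browser
        canvas.visit(browser_x, cas),   # another tab: TGC gives SSO
        banner.visit(browser_x, cas),   # ssoEnabled false: prompted despite TGC
        banner.visit(browser_x, cas),   # new tab, same jar: app cookie wins
        banner.visit(browser_y, cas),   # separate browser: prompted again
    ]
```

`demo()` returns the outcome of each visit in order; the fourth entry is the case described in the original question, where a second tab to the same service does not prompt because the application's own cookie is shared across tabs.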
