Hi Jérôme

Thanks very much for your feedback.

I guess we will log out the user from CAS, but keep the user signed in at the service where he/she changed the ID. But I am not sure yet whether this will have some unexpected side-effects and need to sleep over it :-)

Michael

On 13.01.14 14:47, Jérôme LELEU wrote:
> Hi,
>
> We decided to force users to log out as the "safest and simplest" solution
> for us.
> Best regards,
> Jérôme
>
>
> 2014/1/13 Michael Wechner <michael.wech...@wyona.com>
>
>> Hi
>>
>> We have two services which a user has access to, whereas as login ID we
>> use the email address of the user.
>> Since the email address of a user can change, the user can change the
>> email address inside the service as follows:
>>
>> - First the user signs in to the first service (service1) with
>> 'o...@foo.bar' and changes his/her email inside this service to
>> 'n...@foo.bar', but which means the email address will also be changed on
>> the backend/identity-management, BUT (currently) not inside CAS itself
>>
>> - The user decides to go to the other service (service2), but because
>> the user already has a valid session with CAS, he/she does not have to
>> provide the (new) credentials again, but the login request
>>
>>
>> https://my.cas/cas-server-webapp-3.5.2/login?service=https://service2/index.html
>>
>> will return
>>
>> <?xml version="1.0" encoding="UTF-8"?><cas:serviceResponse
>> xmlns:cas="http://www.yale.edu/tp/cas">
>> <cas:authenticationSuccess>
>> <cas:user>o...@foo.bar</cas:user>
>>
>> which means in the case of service2 the user is signed in with the old
>> username, which does not work anymore with the backend.
>>
>> My question is whether there are any recommended ways to handle such a
>> situation?
>> At the moment I can see the following possibilities:
>>
>> - Force logout after the user has changed the email address, and hence
>> user has to sign-in again with new email address
>> - Update the login ID inside CAS somehow (but I guess that's not
>> possible for security reasons)
>> - Provide some mapping from old to new email address, such that during
>> the same session also the old email is still valid.
>>
>> I have been searching quite a bit for similar topics, but have not found
>> anything really, hence any hints/feedback is much appreciated.
>>
>> Thanks
>>
>> Michael
>>
>> --
>> You are currently subscribed to cas-user@lists.jasig.org as:
>> lel...@gmail.com
>> To unsubscribe, change settings or access archives, see
>> http://www.ja-sig.org/wiki/display/JSG/cas-user
>>
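
The third possibility in the original question (a mapping from old to new email address that is valid only while an old SSO session can still exist), sketched on the service side as an added example that is not part of the thread or of CAS itself. The names `RenameLog` and `backend_id_for`, the sample addresses and the session lifetime are assumptions made for illustration.

```python
import time
import xml.etree.ElementTree as ET

CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}

# Constructed sample response (addresses are placeholders, not from the thread).
SAMPLE_RESPONSE = """<?xml version="1.0" encoding="UTF-8"?>
<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationSuccess>
    <cas:user>old@example.org</cas:user>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""


def parse_cas_user(response_xml):
    """Return the <cas:user> of a successful validation response, or None."""
    root = ET.fromstring(response_xml.encode("utf-8"))
    user = root.find("cas:authenticationSuccess/cas:user", CAS_NS)
    text = (user.text or "").strip() if user is not None else ""
    return text or None


class RenameLog:
    """Old-ID -> new-ID entries that expire once no old SSO session can remain."""

    def __init__(self, max_session_seconds):  # assumed: longest CAS session lifetime
        self.ttl = max_session_seconds
        self._entries = {}  # old_id -> (new_id, expires_at)

    def record(self, old_id, new_id, now=None):
        now = time.time() if now is None else now
        self._entries.pop(new_id, None)  # new_id is a live ID again, never an alias
        self._entries[old_id] = (new_id, now + self.ttl)

    def resolve(self, login_id, now=None):
        now = time.time() if now is None else now
        current = login_id
        while current in self._entries:  # follow a -> b -> c rename chains
            new_id, expires_at = self._entries[current]
            if now >= expires_at:
                break  # stale entry: do not honour the old ID any longer
            current = new_id
        return current


def backend_id_for(response_xml, renames, now=None):
    # ID to use against the backend, or None if CAS reported a failure.
    user = parse_cas_user(response_xml)
    return None if user is None else renames.resolve(user, now)
```

If the resolved ID is still unknown to the backend (expired or missing entry), the service can fall back to the first possibility and send the user through a fresh CAS login.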