Hi,

Our way: every time a user changes something in his management application,
we display a message like "Your change will be taken into account only
after logout. Please click this link to logout". And the user is logged out
from all applications including the management one.
Best regards,
Jérôme



2014/1/13 Michael Wechner <michael.wech...@wyona.com>

> Hi Jérôme
>
> Thanks very much for your feedback.
>
> I guess we will log out the user from CAS, but keep the user signed in at
> the service where he/she changed the ID.
> But I am not sure yet whether this will have some unexpected
> side effects and need to sleep on it :-)
>
> Michael
>
> On 13.01.14 14:47, Jérôme LELEU wrote:
> > Hi,
> >
> > We decided to force users to log out as the "safest and simplest" solution
> > for us.
> > Best regards,
> > Jérôme
> >
> >
> >
> > 2014/1/13 Michael Wechner <michael.wech...@wyona.com>
> >
> >> Hi
> >>
> >> We have two services which a user has access to, where we use the
> >> email address of the user as the login ID.
> >> Since the email address of a user can change, the user can change the
> >> email address inside the service as follows:
> >>
> >> - First the user signs in to the first service (service1) with
> >> 'o...@foo.bar' and changes his/her email inside this service to
> >> 'n...@foo.bar', which means the email address will also be changed on
> >> the backend/identity-management, BUT (currently) not inside CAS itself
> >>
> >> - The user decides to go to the other service (service2), but because
> >> the user already has a valid session with CAS, he/she does not have to
> >> provide the (new) credentials again, but the login request
> >>
> >> https://my.cas/cas-server-webapp-3.5.2/login?service=https://service2/index.html
> >>
> >> will return
> >>
> >> <?xml version="1.0" encoding="UTF-8"?><cas:serviceResponse
> >> xmlns:cas="http://www.yale.edu/tp/cas">
> >>         <cas:authenticationSuccess>
> >>                 <cas:user>o...@foo.bar</cas:user>
> >>
> >> which means in the case of service2 the user is signed in with the old
> >> username, which does not work anymore with the backend.
> >>
> >> My question is whether there are any recommended ways to handle such a
> >> situation? At the moment I can see the following possibilities:
> >>
> >> - Force logout after the user has changed the email address, and hence
> >> the user has to sign in again with the new email address
> >> - Update the login ID inside CAS somehow (but I guess that's not
> >> possible for security reasons)
> >> - Provide some mapping from old to new email address, such that during
> >> the same session also the old email is still valid.
> >>
> >> I have been searching quite a bit for similar topics, but have not found
> >> anything really, hence any hints/feedback is much appreciated.
> >>
> >> Thanks
> >>
> >> Michael
> >>
> >> --
> >> You are currently subscribed to cas-user@lists.jasig.org as:
> >> lel...@gmail.com
> >> To unsubscribe, change settings or access archives, see
> >> http://www.ja-sig.org/wiki/display/JSG/cas-user
> >>
>
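
The stale login ID described in this thread, seen from service2's side, as an added example that is not part of the original messages: the service parses the CAS validation response and refuses to open a local session when the returned principal is no longer a login ID in the identity backend, sending the user to CAS logout instead (the forced-logout option). The function names, the `known_ids` set and the `example.test` addresses are assumptions.

```python
import xml.etree.ElementTree as ET

CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}
CAS_BASE = "https://my.cas/cas-server-webapp-3.5.2"  # CAS URL used in the thread

# Constructed validation response; the thread's own response is truncated
# and its address elided, so a placeholder address is used here.
SAMPLE_RESPONSE = """<?xml version="1.0" encoding="UTF-8"?>
<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationSuccess>
    <cas:user>old@example.test</cas:user>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""

# Constructed failure response (ticket not accepted by CAS).
SAMPLE_FAILURE = """<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationFailure code="INVALID_TICKET">not recognized</cas:authenticationFailure>
</cas:serviceResponse>"""


def validated_user(response_xml):
    """Return the principal from a CAS 2.0 validation response, or None."""
    # The response is fetched by the service itself from CAS over HTTPS,
    # never taken from the browser.
    root = ET.fromstring(response_xml)
    user = root.find("cas:authenticationSuccess/cas:user", CAS_NS)
    return user.text.strip() if user is not None and user.text else None


def decide_login(response_xml, known_ids):
    """Decide what the service does with a validation response.

    known_ids is a hypothetical set of login IDs currently valid in the
    identity backend. Returns (action, value).
    """
    user = validated_user(response_xml)
    if user is None:
        return ("reject", None)      # validation failed: no local session
    if user in known_ids:
        return ("accept", user)      # principal still matches the backend
    # CAS session still carries the old ID: open no local session and end
    # the SSO session so the user signs in again with the current ID.
    return ("logout", CAS_BASE + "/logout")


if __name__ == "__main__":
    print(decide_login(SAMPLE_RESPONSE, {"new@example.test"}))
```
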
