I have found that ssoEnabled set to false does not have quite the effect we were thinking it did. When I set a service to not allow SSO participation it does force the user to enter user name and password each time they try to access the service (i.e., get a service ticket), which is fine. The problem is that I thought that also caused it to not generate a TGT so that other services could get STs based on a TGT obtained already.

We have an application (at least one) that does not have any session management or logout. Our policy for SLO is that when any application participating in SSO logs out then all SSO application sessions are logged out. This is to prevent a user from walking away from a PC in a lab leaving any SSO sessions active that someone else could hijack. So, for this application that has no means for the user to log out (depends on user closing browser, which doesn't always happen), we don't want authentication for this one app to enable SSO for any other applications. That is, when they authenticate via CAS for this app we don't want a TGT generated (or we want the TGT destroyed right after the ST is created/validated).
Is this possible? Can we cause authentication for a single service to apply only to that service?

Thanks.

Ted F. Fisher
Information Technology Services
Bowling Green State University
