Re: [cas-user] Blackboard Integration

2014-03-17 Thread Peter Kirby 
I would be interested in this as well.  We started using CAS last year with
our portal, Ellucian's Banner, and Google Apps.  We've had to greatly
throttle back what services use CAS because it causes results that turned
out to be hard to explain to the end user.

Example:
If we let Google Apps logout of CAS and the user is still using the portal
or Banner, it causes the login screen to come up again in the middle of
their portal/Banner session.

If we do not let Google Apps logout of CAS, then the user clicks log out
which logs them out of Google Apps, but not CAS.  When the user goes to
Google Apps to sign in to a different account, they are still logged in to
CAS so they get SSO into Google, making it appear they cannot log out of
Google.

Our only solution was to take Google Apps off of CAS.

Are others facing similar situations?

Thanks.

--
Peter Kirby
System and Database Administrator @ Harding University
501-279-4727


On Mon, Mar 17, 2014 at 9:49 AM, Tim Raymond wrote:

> We are trying to integrate Bb with our shiny new CAS install.
>
> It appears the Bb building block for CAS creates an undesirable scenario
> whereby logging out of Bb will expire the entire CAS session.
>
> I am curious how other organizations have integrated CAS with Bb in a more
> flexible way.
>
> Thanks
>
>
>
> Tim Raymond
>
> Director, Central Applications
>
> Instructional and Information Technology
>
> California State Polytechnic University, Pomona
>
> Phone: 909.869.6851
>
> Cell: 909.260.3200
>
> Fax: 909.979.6406
>
>
>
> PGP Public Key:
> https://keyserver2.pgp.com/vkd/DownloadKey.event?keyid=0x2FDBD1EADDC19329
>
>
>
> --
> You are currently subscribed to cas-user@lists.jasig.org as: 
> lpki...@harding.edu
> To unsubscribe, change settings or access archives, see 
> http://www.ja-sig.org/wiki/display/JSG/cas-user
>
>

-- 
You are currently subscribed to cas-user@lists.jasig.org as: 
arch...@mail-archive.com
To unsubscribe, change settings or access archives, see 
http://www.ja-sig.org/wiki/display/JSG/cas-user

Re: [cas-user] Blackboard Integration

2014-03-17 Thread Richard Frovarp 
You probably want the logout of a single system to log the user out of 
CAS. Otherwise you could have surprising SSO's happen.

What you may want to do is disable single sign off. That is what is 
causing the logout of one system to log the user out of the other systems.


On 03/17/2014 11:14 AM, Peter Kirby wrote:
> I would be interested in this as well.  We started using CAS last year 
> with our portal, Ellucian's Banner, and Google Apps.  We've had to 
> greatly throttle back what services use CAS because it causes results 
> that turned out to be hard to explain to the end user.
>
> Example:
> If we let Google Apps logout of CAS and the user is still using the 
> portal or Banner, it causes the login screen to come up again in the 
> middle of their portal/Banner session.
>
> If we do not let Google Apps logout of CAS, then the user clicks log 
> out which logs them out of Google Apps, but not CAS.  When the user 
> goes to Google Apps to sign in to a different account, they are still 
> logged in to CAS so they get SSO into Google, making it appear they 
> cannot log out of Google.
>
> Our only solution was to take Google Apps off of CAS.
>
> Are others facing similar situations?
>
> Thanks.
>
> --
> Peter Kirby
> System and Database Administrator @ Harding University
> 501-279-4727
>
>
> On Mon, Mar 17, 2014 at 9:49 AM, Tim Raymond  > wrote:
>
> We are trying to integrate Bb with our shiny new CAS install.
>
> It appears the Bb building block for CAS creates an undesirable
> scenario whereby logging out of Bb will expire the entire CAS
> session.
>
> I am curious how other organizations have integrated CAS with Bb
> in a more flexible way.
>
> Thanks
>
> Tim Raymond
>
> Director, Central Applications
>
> Instructional and Information Technology
>
> California State Polytechnic University, Pomona
>
> Phone: 909.869.6851 
>
> Cell: 909.260.3200 
>
> Fax: 909.979.6406 
>
> PGP Public Key:
> https://keyserver2.pgp.com/vkd/DownloadKey.event?keyid=0x2FDBD1EADDC19329
>
> -- 
> You are currently subscribed tocas-u...@lists.jasig.org  
>   as:lpki...@harding.edu  
> 
> To unsubscribe, change settings or access archives, 
> seehttp://www.ja-sig.org/wiki/display/JSG/cas-user
>
>
> -- 
> You are currently subscribed to cas-user@lists.jasig.org as: 
> richard.frov...@ndsu.edu
> To unsubscribe, change settings or access archives, see 
> http://www.ja-sig.org/wiki/display/JSG/cas-user


-- 
You are currently subscribed to cas-user@lists.jasig.org as: 
arch...@mail-archive.com
To unsubscribe, change settings or access archives, see 
http://www.ja-sig.org/wiki/display/JSG/cas-user

Re: [cas-user] Blackboard Integration

2014-03-17 Thread Rex Roof 
I also debated this setting for blackboard.

one option we experimented with was to change the logout url to
/login?service=http://host/webpage-for-bb-logout.html

The side effect of this is a user might be prompted to login when they
click logout.  And after logging in, they will get a logout page.

ultimately we decided to send all users to /cas/logout




- Rex Roof
WCC Systems Engineer  
734-973-3478


On Mon, Mar 17, 2014 at 10:49 AM, Tim Raymond wrote:

> We are trying to integrate Bb with our shiny new CAS install.
>
> It appears the Bb building block for CAS creates an undesirable scenario
> whereby logging out of Bb will expire the entire CAS session.
>
> I am curious how other organizations have integrated CAS with Bb in a more
> flexible way.
>
> Thanks
>
>
>
> Tim Raymond
>
> Director, Central Applications
>
> Instructional and Information Technology
>
> California State Polytechnic University, Pomona
>
> Phone: 909.869.6851
>
> Cell: 909.260.3200
>
> Fax: 909.979.6406
>
>
>
> PGP Public Key:
> https://keyserver2.pgp.com/vkd/DownloadKey.event?keyid=0x2FDBD1EADDC19329
>
>
>
> --
> You are currently subscribed to cas-user@lists.jasig.org as: r...@wccnet.edu
> To unsubscribe, change settings or access archives, see 
> http://www.ja-sig.org/wiki/display/JSG/cas-user
>
>

-- 
You are currently subscribed to cas-user@lists.jasig.org as: 
arch...@mail-archive.com
To unsubscribe, change settings or access archives, see 
http://www.ja-sig.org/wiki/display/JSG/cas-user

RE: [cas-user] Blackboard Integration

2014-03-17 Thread Curtis Long 
We use Bb with CAS also, and disabled single sign out as Richard suggests.  We 
found that the CAS session timeouts could cause surprising (and to the user 
unpredictable) timeouts while still using Blackboard with SSO.  In particular, 
we do some testing through Bb and ran into CAS sessions timing out and logging 
students out of Bb in the middle of long tests...

We considered not having Bb sign users out of CAS, but I don't think that it is 
intuitive if you have a large loosely connected applications like Bb.  For 
example, a student logs out of Bb, and then types the URL to go back to the app 
directly (say a friend wants to login).  Since the CAS session would still be 
there, they would be automatically logged in as though they had never clicked 
'Log Out' with the same user?  May make sense if you have tighter integration 
going on, or good communication about closing browsers and cookie security, but 
something to consider.

Thank you,

Curtis Long
Unix Administrator
Durham College
T:  905-721-2000 x2714




From: Richard Frovarp [mailto:richard.frov...@ndsu.edu]
Sent: March-17-14 12:24 PM
To: cas-user@lists.jasig.org
Subject: Re: [cas-user] Blackboard Integration

You probably want the logout of a single system to log the user out of CAS. 
Otherwise you could have surprising SSO's happen.

What you may want to do is disable single sign off. That is what is causing the 
logout of one system to log the user out of the other systems.


On 03/17/2014 11:14 AM, Peter Kirby wrote:
I would be interested in this as well.  We started using CAS last year with our 
portal, Ellucian's Banner, and Google Apps.  We've had to greatly throttle back 
what services use CAS because it causes results that turned out to be hard to 
explain to the end user.

Example:
If we let Google Apps logout of CAS and the user is still using the portal or 
Banner, it causes the login screen to come up again in the middle of their 
portal/Banner session.

If we do not let Google Apps logout of CAS, then the user clicks log out which 
logs them out of Google Apps, but not CAS.  When the user goes to Google Apps 
to sign in to a different account, they are still logged in to CAS so they get 
SSO into Google, making it appear they cannot log out of Google.

Our only solution was to take Google Apps off of CAS.

Are others facing similar situations?

Thanks.

--
Peter Kirby
System and Database Administrator @ Harding University
501-279-4727

On Mon, Mar 17, 2014 at 9:49 AM, Tim Raymond 
mailto:tjraym...@csupomona.edu>> wrote:
We are trying to integrate Bb with our shiny new CAS install.
It appears the Bb building block for CAS creates an undesirable scenario 
whereby logging out of Bb will expire the entire CAS session.
I am curious how other organizations have integrated CAS with Bb in a more 
flexible way.
Thanks

Tim Raymond
Director, Central Applications
Instructional and Information Technology
California State Polytechnic University, Pomona
Phone: 909.869.6851
Cell: 909.260.3200
Fax: 909.979.6406

PGP Public Key: 
https://keyserver2.pgp.com/vkd/DownloadKey.event?keyid=0x2FDBD1EADDC19329


--

You are currently subscribed to 
cas-user@lists.jasig.org<mailto:cas-user@lists.jasig.org> as: 
lpki...@harding.edu<mailto:lpki...@harding.edu>

To unsubscribe, change settings or access archives, see 
http://www.ja-sig.org/wiki/display/JSG/cas-user


--

You are currently subscribed to 
cas-user@lists.jasig.org<mailto:cas-user@lists.jasig.org> as: 
richard.frov...@ndsu.edu<mailto:richard.frov...@ndsu.edu>

To unsubscribe, change settings or access archives, see 
http://www.ja-sig.org/wiki/display/JSG/cas-user


--
You are currently subscribed to 
cas-user@lists.jasig.org<mailto:cas-user@lists.jasig.org> as: 
curtis.l...@dc-uoit.ca<mailto:curtis.l...@dc-uoit.ca>
To unsubscribe, change settings or access archives, see 
http://www.ja-sig.org/wiki/display/JSG/cas-user

-- 
You are currently subscribed to cas-user@lists.jasig.org as: 
arch...@mail-archive.com
To unsubscribe, change settings or access archives, see 
http://www.ja-sig.org/wiki/display/JSG/cas-user

RE: [cas-user] Blackboard Integration

2014-03-17 Thread Paul B. Henson 
> From: Richard Frovarp
> Sent: Monday, March 17, 2014 9:24 AM
>
> You probably want the logout of a single system to log the user out of CAS.
> Otherwise you could have surprising SSO's happen.

I dunno, it seems it would kind of defeat the purpose of "single sign-on", if 
every time you stop using a single application you've got to sign on again to 
use a different one...

-- 
You are currently subscribed to cas-user@lists.jasig.org as: 
arch...@mail-archive.com
To unsubscribe, change settings or access archives, see 
http://www.ja-sig.org/wiki/display/JSG/cas-user

RE: [cas-user] Blackboard Integration

2014-03-17 Thread Paul B. Henson 
> From: Curtis Long [mailto:curtis.l...@dc-uoit.ca]
> Sent: Monday, March 17, 2014 9:49 AM
>
> We considered not having Bb sign users out of CAS, but I don't think that it 
> is
> intuitive if you have a large loosely connected applications like Bb.  For
> example, a student logs out of Bb, and then types the URL to go back to the
> app directly (say a friend wants to login).  Since the CAS session would 
> still be
> there, they would be automatically logged in as though they had never
> clicked 'Log Out' with the same user?  May make sense if you have tighter
> integration going on, or good communication about closing browsers and
> cookie security, but something to consider.

Don't almost all web apps say something along the lines of "you have been 
logged out of your session, please close your browser to complete the log out 
and maintain security"?

Ideally each application session logout page could be updated with a note 
describing that a single sign-on session is still in force and provide a 
separate link to log out of CAS if so desired. I think it pretty much breaks 
SSO if any application you stop using destroys your central  SSO session.

-- 
You are currently subscribed to cas-user@lists.jasig.org as: 
arch...@mail-archive.com
To unsubscribe, change settings or access archives, see 
http://www.ja-sig.org/wiki/display/JSG/cas-user

Re: [cas-user] Blackboard Integration

2014-03-17 Thread Richard Frovarp 

On 03/17/2014 04:02 PM, Paul B. Henson wrote:

From: Richard Frovarp
Sent: Monday, March 17, 2014 9:24 AM

You probably want the logout of a single system to log the user out of CAS.
Otherwise you could have surprising SSO's happen.

I dunno, it seems it would kind of defeat the purpose of "single sign-on", if 
every time you stop using a single application you've got to sign on again to use a 
different one...



But it isn't stop using an application (unless a timeout there forces a 
logout of CAS). It's actually logging out of the application, and the 
user desiring to remove their access to the system. What good is logging 
out of an application if the only step required to get back in is 
clicking the login button?


The SSO piece still works if the user enters in new URLs, or clicks 
through links between different applications.


A surprising SSO is you logging out of a website, me sitting down, 
clicking login, and then being you. That isn't the point of SSO.


Google works in a similar manner, except that they implement single sign 
off between their systems as well.


--
You are currently subscribed to cas-user@lists.jasig.org as: 
arch...@mail-archive.com
To unsubscribe, change settings or access archives, see 
http://www.ja-sig.org/wiki/display/JSG/cas-user

RE: [cas-user] Blackboard Integration

2014-03-17 Thread Paul B. Henson 
> From: Richard Frovarp
> Sent: Monday, March 17, 2014 2:19 PM
>
> But it isn't stop using an application (unless a timeout there forces a
> logout of CAS). It's actually logging out of the application, and the
> user desiring to remove their access to the system. What good is logging
> out of an application if the only step required to get back in is
> clicking the login button?

Consider two scenarios:

1) You have a single sign-on session, access blackboard, and then log out of 
blackboard, but retain your single sign-on session. You then click back to 
blackboard, and are transparently logged back in.

2) You have a single sign-on session, but gained from accessing some other 
application, you have had absolutely no interaction with blackboard at all. You 
click on a blackboard link, and are transparently logged in.

Is #1 surprising, but #2 is not? They are both inherent artifacts of having a 
valid single sign-on session.

> A surprising SSO is you logging out of a website, me sitting down,
> clicking login, and then being you. That isn't the point of SSO.

There are really two ways to look at "SSO". The first is that you simply use 
the same username/password pair for every single service, even if you have to 
authenticate separately to them. The second is that you authenticate once, and 
then can access every service without authenticating again.

Which one are you trying to implement? Because if you are trying to implement 
the latter, then having an application "logout" destroy your single sign-on 
session is what would be surprising.

Basically, in the context of a global single sign-on session providing access 
to all applications, the concept of "logging out" of a particular application 
is no longer valid. Either you are "logged in" to everything, or you are 
"logged out" of everything. And it seems the proper solution isn't to have any 
single application destroy the entire session, but rather stop having 
"application" logouts, and instead have each individual application logout page 
go to a central CAS page where a user can select to destroy their session or 
not.



-- 
You are currently subscribed to cas-user@lists.jasig.org as: 
arch...@mail-archive.com
To unsubscribe, change settings or access archives, see 
http://www.ja-sig.org/wiki/display/JSG/cas-user

Re: [cas-user] Blackboard Integration

2014-03-17 Thread Richard Frovarp 
On Mon, Mar 17, 2014 at 6:44 PM, Paul B. Henson wrote:

> > From: Richard Frovarp
> > Sent: Monday, March 17, 2014 2:19 PM
> >
> > But it isn't stop using an application (unless a timeout there forces a
> > logout of CAS). It's actually logging out of the application, and the
> > user desiring to remove their access to the system. What good is logging
> > out of an application if the only step required to get back in is
> > clicking the login button?
>
> Consider two scenarios:
>
> 1) You have a single sign-on session, access blackboard, and then log out
> of blackboard, but retain your single sign-on session. You then click back
> to blackboard, and are transparently logged back in.
>
> 2) You have a single sign-on session, but gained from accessing some other
> application, you have had absolutely no interaction with blackboard at all.
> You click on a blackboard link, and are transparently logged in.
>
> Is #1 surprising, but #2 is not? They are both inherent artifacts of
> having a valid single sign-on session.
>

Imagine this scenario. You are logged into Blackboard, you click logout.
You get up, another person sits down at that same machine with the same
browser session. They click login. They are now you. Perhaps you even leave
the room. Would you expect that person to become you after clicking logout?
We had that happen on one of our systems that was of extremely low security
concern, and was reported to us. In essence they could have generated a
guest wireless pass as someone else. In fact the person that discovered it
didn't even have access to the system in question at the time using their
account.


>
> > A surprising SSO is you logging out of a website, me sitting down,
> > clicking login, and then being you. That isn't the point of SSO.
>
> There are really two ways to look at "SSO". The first is that you simply
> use the same username/password pair for every single service, even if you
> have to authenticate separately to them. The second is that you
> authenticate once, and then can access every service without authenticating
> again.
>

There is SINGLE sign on (SSO) and SAME sign on. The second is same sign on.


>
> Which one are you trying to implement? Because if you are trying to
> implement the latter, then having an application "logout" destroy your
> single sign-on session is what would be surprising.
>

In my case both. I don't know about the original poster. Authentication to
computer via the AD domain is a type of SSO that share a same sign on with
CAS (which is also an SSO at time, and a same sign on at other times). In
our case we don't even use AD for CAS, but rather go through an MIT
Kerberos.



>
> Basically, in the context of a global single sign-on session providing
> access to all applications, the concept of "logging out" of a particular
> application is no longer valid. Either you are "logged in" to everything,
> or you are "logged out" of everything. And it seems the proper solution
> isn't to have any single application destroy the entire session, but rather
> stop having "application" logouts, and instead have each individual
> application logout page go to a central CAS page where a user can select to
> destroy their session or not.
>
>
>
I certainly get your point, and it may work for your users. It's not going
to work for everyone. Unless Google, Microsoft, or Facebook are doing it,
it will be difficult for my users to follow that train of actions. But I'll
readily admit that we're behind the curve when it comes to SSO, and we're
largely using CAS for same sign on.

The original problem was with single sign off triggered by session
expiration. Where a session timeout from one application triggered an
automatic logout of that application, which then triggered a logout of CAS,
which then triggered a timeout of another system, in this case Blackboard.
It is entirely unexpected for one timeout to trickle it's way through other
active applications. However, Google does appear to have a single sign out
when the logout button is clicked.

The idea is to implement the system to fit the needs of your institution.
Single sign off is certainly not one of them for us, and I suspect that
many other schools would find the same, especially if session timeouts are
going to trigger them.

-- 
You are currently subscribed to cas-user@lists.jasig.org as: 
arch...@mail-archive.com
To unsubscribe, change settings or access archives, see 
http://www.ja-sig.org/wiki/display/JSG/cas-user

Re: [cas-user] Blackboard Integration

2014-03-17 Thread Richard Frovarp 
On Mon, Mar 17, 2014 at 6:44 PM, Paul B. Henson wrote:

>
> Basically, in the context of a global single sign-on session providing
> access to all applications, the concept of "logging out" of a particular
> application is no longer valid. Either you are "logged in" to everything,
> or you are "logged out" of everything. And it seems the proper solution
> isn't to have any single application destroy the entire session, but rather
> stop having "application" logouts, and instead have each individual
> application logout page go to a central CAS page where a user can select to
> destroy their session or not.
>
>
One other thought. Your proposed method may end up essentially being a "Do
you really want to logout?" sort of system. If the typical workflow for
most of the users is to be logged into one application, then logout and be
done, it becomes are "Do you really want to logout?" type system. If they
are typically logged into multiple CAS based services at a time, then it
has the flavor you are after. It really comes down to the average workflow
of your users.

Of course I'm the type of person that disables the recycle bin on Windows.
I never got deleting a file twice, rm is so much nicer. So my view of
verify my logout probably doesn't follow what a normal person would think.

-- 
You are currently subscribed to cas-user@lists.jasig.org as: 
arch...@mail-archive.com
To unsubscribe, change settings or access archives, see 
http://www.ja-sig.org/wiki/display/JSG/cas-user

RE: [cas-user] Blackboard Integration

2014-03-18 Thread Paul B. Henson 
> From: Richard Frovarp
> Sent: Monday, March 17, 2014 5:36 PM
>
> Imagine this scenario. You are logged into Blackboard, you click logout. You
> get up, another person sits down at that same machine with the same
> browser session.

I'm not familiar with the specifics of the blackboard "logout" page, but almost 
every single web app I've ever used, when you click on the logout button, takes 
you to a page saying you are logged out and that you should close your web 
browser for security purposes, or to clear your session, or for whatever.

If the blackboard page says something like that, and the user did not close the 
web browser, then I guess they got what they deserved. If the blackboard page 
does not say something like that, then it should, as regardless of the state of 
CAS there is potentially sensitive data in the cache or cookie store that might 
be accessible before the browser is closed.

> There is SINGLE sign on (SSO) and SAME sign on. The second is same sign on.

Wikipedia disagrees with you:

http://en.wikipedia.org/wiki/Single_sign-on

"Single sign-on (SSO) is a property of access control of multiple related, but 
independent software systems. With this property a user logs in once and gains 
access to all systems without being prompted to log in again at each of them."

As does the open group, although their relevance nowadays might be questionable:

http://www.opengroup.org/security/sso/

"Single sign-on (SSO) is mechanism whereby a single action of user 
authentication and authorization can permit a user to access all computers and 
systems where he has access permission, without the need to enter multiple 
passwords."

I'd never heard of "Same Sign-On" before, from the few Google hits that result 
from searching for it it appears to be some terminology Microsoft made up. They 
seem to like co-opting acronyms, I remember when we were running DCE/DFS and 
they introduced their "Dfs" product...

> The idea is to implement the system to fit the needs of your institution.
> Single sign off is certainly not one of them for us, and I suspect that many
> other schools would find the same, especially if session timeouts are going
> to trigger them.

We have single sign off disabled as well, that's actually recommendation in the 
default CAS config.

I agree in any case that this is a bit of a complicated subject, and the 
intersection of the technology with the usual caveats of training users is 
going to be a bit of a mess .


-- 
You are currently subscribed to cas-user@lists.jasig.org as: 
arch...@mail-archive.com
To unsubscribe, change settings or access archives, see 
http://www.ja-sig.org/wiki/display/JSG/cas-user

RE: [cas-user] Blackboard Integration

2014-03-18 Thread Paul B. Henson 
> From: Richard Frovarp
> Sent: Monday, March 17, 2014 5:46 PM
>
> One other thought. Your proposed method may end up essentially being a
> "Do you really want to logout?" sort of system. If the typical workflow for
> most of the users is to be logged into one application, then logout and be
> done, it becomes are "Do you really want to logout?" type system. If they
> are typically logged into multiple CAS based services at a time, then it has 
> the
> flavor you are after. It really comes down to the average workflow of your
> users.

The powers that be here are planning to deploy uPortal, and pretty much make 
every other service subservient to it, whether through portlets or by only 
putting the link to the service on uPortal. So I think at least at our site you 
will be guaranteed to be logged into at least two applications, uPortal and 
what ever you actually wanted to use...


-- 
You are currently subscribed to cas-user@lists.jasig.org as: 
arch...@mail-archive.com
To unsubscribe, change settings or access archives, see 
http://www.ja-sig.org/wiki/display/JSG/cas-user

Re: [cas-user] Blackboard Integration

2014-03-18 Thread Richard Frovarp 

On 03/18/2014 04:10 PM, Paul B. Henson wrote:



There is SINGLE sign on (SSO) and SAME sign on. The second is same sign on.

Wikipedia disagrees with you:

http://en.wikipedia.org/wiki/Single_sign-on

"Single sign-on (SSO) is a property of access control of multiple related, but 
independent software systems. With this property a user logs in once and gains access to 
all systems without being prompted to log in again at each of them."


That's not necessarily disagreeing with me. That's describing true SSO, 
because user's aren't prompted.




As does the open group, although their relevance nowadays might be questionable:

http://www.opengroup.org/security/sso/

"Single sign-on (SSO) is mechanism whereby a single action of user authentication 
and authorization can permit a user to access all computers and systems where he has 
access permission, without the need to enter multiple passwords."


That too sounds like true single sign-on.



I'd never heard of "Same Sign-On" before, from the few Google hits that result from 
searching for it it appears to be some terminology Microsoft made up. They seem to like co-opting 
acronyms, I remember when we were running DCE/DFS and they introduced their "Dfs" 
product...



It is a Microsoft term, but there needs to be a term for this. So I use 
theirs, as it makes the most sense to me. If you use the same 
credentials to login to two completely different places (and the same 
credentials are by design), I call that same sign on. I steadfastly 
refuse to use the SSO acronym or single sign on term for any system that 
asks for credentials again.


I deal with another entity that insists on using the term and acronym, 
stating that the same AD object is in use, so it is single sign on. This 
of course ignores that one system uses the samAccountName, another uses 
the email attribute, and another uses the UPN with required domain suffix.


--
You are currently subscribed to cas-user@lists.jasig.org as: 
arch...@mail-archive.com
To unsubscribe, change settings or access archives, see 
http://www.ja-sig.org/wiki/display/JSG/cas-user

RE: [cas-user] Blackboard Integration

2014-03-18 Thread Paul B. Henson 
> From: Richard Frovarp
> Sent: Tuesday, March 18, 2014 2:41 PM
>
> That's not necessarily disagreeing with me. That's describing true SSO,
> because user's aren't prompted.
[...]
> theirs, as it makes the most sense to me. If you use the same
> credentials to login to two completely different places (and the same
> credentials are by design), I call that same sign on. I steadfastly
> refuse to use the SSO acronym or single sign on term for any system that
> asks for credentials again.

It seems we had a communications breakdown, as I said:

"There are really two ways to look at "SSO". The first is that you simply use 
the
same username/password pair for every single service, even if you have to   
authenticate separately to them. The second is that you authenticate once, and  
then can access every service without authenticating again."

You then said:

"There is SINGLE sign on (SSO) and SAME sign on. The second is same sign on."

However, in my description, the "second" was the one where you authenticate 
once, and then not again.

So it sounds like we agree on SSO, but simply failed to successfully negotiate 
the description ;).


-- 
You are currently subscribed to cas-user@lists.jasig.org as: 
arch...@mail-archive.com
To unsubscribe, change settings or access archives, see 
http://www.ja-sig.org/wiki/display/JSG/cas-user

Re: [cas-user] Blackboard Integration

2014-03-19 Thread Rex Roof 
this points out a very frustrating issue with blackboard's default CAS
implementation:
you either 1) get SSO but are forced to do cas logout,
or 2) you aren't forced to do cas logout but the user has to type their
password when they use CAS to access blackboard.



- Rex Roof
WCC Systems Engineer  
734-973-3478


On Tue, Mar 18, 2014 at 7:57 PM, Paul B. Henson wrote:

> > From: Richard Frovarp
> > Sent: Tuesday, March 18, 2014 2:41 PM
> >
> > That's not necessarily disagreeing with me. That's describing true SSO,
> > because user's aren't prompted.
> [...]
> > theirs, as it makes the most sense to me. If you use the same
> > credentials to login to two completely different places (and the same
> > credentials are by design), I call that same sign on. I steadfastly
> > refuse to use the SSO acronym or single sign on term for any system that
> > asks for credentials again.
>
> It seems we had a communications breakdown, as I said:
>
> "There are really two ways to look at "SSO". The first is that you simply
> use the
> same username/password pair for every single service, even if you have to
> authenticate separately to them. The second is that you authenticate once,
> and
> then can access every service without authenticating again."
>
> You then said:
>
> "There is SINGLE sign on (SSO) and SAME sign on. The second is same sign
> on."
>
> However, in my description, the "second" was the one where you
> authenticate once, and then not again.
>
> So it sounds like we agree on SSO, but simply failed to successfully
> negotiate the description ;).
>
>
> --
> You are currently subscribed to cas-user@lists.jasig.org as:
> r...@wccnet.edu
> To unsubscribe, change settings or access archives, see
> http://www.ja-sig.org/wiki/display/JSG/cas-user
>
>

-- 
You are currently subscribed to cas-user@lists.jasig.org as: 
arch...@mail-archive.com
To unsubscribe, change settings or access archives, see 
http://www.ja-sig.org/wiki/display/JSG/cas-user

RE: [cas-user] Blackboard Integration

2014-03-19 Thread Paul B. Henson 
> From: Rex Roof
> Sent: Wednesday, March 19, 2014 7:31 AM
>
> this points out a very frustrating issue with blackboard's default CAS
> implementation:
> you either 1) get SSO but are forced to do cas logout,
> or 2) you aren't forced to do cas logout but the user has to type their
> password when they use CAS to access blackboard.

I'm sure anybody who's ever actually used blackboard is quite used to being 
frustrated 8-/.

Our blackboard admin forwarded me a thread from the blackboard administrators 
mailing list about this. Evidently somebody asked blackboard to fix it, so you 
could change those two settings independently, and they said the customization 
fees blackboard wanted were prohibitively expensive. Seriously? Update the GUI 
not to grey out one checkbox when the other one isn't selected?

Blackboard sucks. I wish we would switch to Moodle...



-- 
You are currently subscribed to cas-user@lists.jasig.org as: 
arch...@mail-archive.com
To unsubscribe, change settings or access archives, see 
http://www.ja-sig.org/wiki/display/JSG/cas-user

Re: [cas-user] Blackboard Integration

2014-03-19 Thread Rex Roof 
I think the path of least resistance would be to build and use this module:
 https://github.com/Unicon/cas-blackboard-learn
and configure it inside the authentication.properties.



- Rex Roof
WCC Systems Engineer  
734-973-3478


On Wed, Mar 19, 2014 at 3:27 PM, Paul B. Henson wrote:

> > From: Rex Roof
> > Sent: Wednesday, March 19, 2014 7:31 AM
> >
> > this points out a very frustrating issue with blackboard's default CAS
> > implementation:
> > you either 1) get SSO but are forced to do cas logout,
> > or 2) you aren't forced to do cas logout but the user has to type their
> > password when they use CAS to access blackboard.
>
> I'm sure anybody who's ever actually used blackboard is quite used to
> being frustrated 8-/.
>
> Our blackboard admin forwarded me a thread from the blackboard
> administrators mailing list about this. Evidently somebody asked blackboard
> to fix it, so you could change those two settings independently, and they
> said the customization fees blackboard wanted were prohibitively expensive.
> Seriously? Update the GUI not to grey out one checkbox when the other one
> isn't selected?
>
> Blackboard sucks. I wish we would switch to Moodle...
>
>
>
> --
> You are currently subscribed to cas-user@lists.jasig.org as:
> r...@wccnet.edu
> To unsubscribe, change settings or access archives, see
> http://www.ja-sig.org/wiki/display/JSG/cas-user
>
>

-- 
You are currently subscribed to cas-user@lists.jasig.org as: 
arch...@mail-archive.com
To unsubscribe, change settings or access archives, see 
http://www.ja-sig.org/wiki/display/JSG/cas-user