Shibboleth Developers

["David L. Wasley" <>]

One of our campuses has a similar requirement for "user initiated 
total logout".  However, that's quite different than a timeout that 
forces such a total logout.  I think such timeouts should be done by 
the apps if they need it.

A validity period for an ISO is probably a good thing but it doesn't 
mean that sessions already established must be terminated - merely 
that new sessions can't be started without reauthN.  Presumably the 
authN was valid when the existing sessions started.

I do think that a user initiated "total logout" is a useful feature.

        David

-----
At 1:51 AM -0700 on 7/3/04, Chad La Joie wrote:

> We actually do something a bit different.  Our WebISO can be aware 
> of whether you logged in from a "public" system or a "private" one 
> and adjust the session time outs accordingly.  The reason we try to 
> force this session timeout is because a lot of apps don't do it or 
> have way to long of a timeout.  So this sort of model allows us to 
> impose better practices then might otherwise be followed.  The other 
> reason, and probably the more important one for this discussion, is 
> that if a user clicks the "log me out of everything" link that 
> appears in our webapps, the WebISO needs a way to tell all the apps 
> a user is logged into to log that user out.
>
> Now, as I said, if an app doesn't want to have our WebISO tell it 
> when to log a user out, for whatever reason, it can simply drop the 
> message and do nothing.  I think though that you really want the 
> ability to do this.  We got hammered on this issue for a while by 
> our users because they wanted to see it.  It was kind of the thought 
> that single sign-on is supposed to make their lives easier, so make 
> it as easy as possible by going this extra step.
>
> David L. Wasley wrote: