A common knee-jerk response to this security problem is to demand implementation of “Single Sign-Out”. In effect, the global login session is to be terminated when the user finishes up with the individual business application in question. Indeed, CAS has a simple mechanism to invalidate the SSO token, so “Single Sign-Out” is very easy to implement. However, this sledgehammer approach is quite a nuisance, because the user will then have to log in again to access any other application. Single Sign-Out negates the benefits of Single Sign-On! We may as well have stayed with standalone applications and just used a centralised user directory for authentication and authorisation.

We believe that the most pragmatic approach is to rely on old-fashioned workstation timeouts at the operating system level to lock the user's workstation itself after a certain period of inactivity. This narrows the window available for opportunistic access to passers-by. It is also the generic solution to protect applications, because it is in any case impossible to enforce a rule that users must log out of sensitive applications before leaving their workstations.

A combination of workstation timeouts and education about the implications of Single Sign-On is the most practical solution to this security issue.