Blackboard Ultra


Michael O Holstein

Jan 30, 2018, 8:08:49 AM
to cas-...@apereo.org

We recently moved onto Blackboard's SaaS offering (aka "Ultra") and random users are telling us it times out on them. While I suspect this is an issue of opening the app, letting it sit for 2 hours, and then noticing their session went away (which should re-auth as the TGT is still valid on our end).


Anyone else seen this? How'd you fix it? Our TGT/ST lifetimes are as-delivered default.


Thanks,


Michael Holstein CISSP

Mgr. Network & Data Security

Cleveland State University

Richard Frovarp

Jan 30, 2018, 10:42:11 AM
to cas-...@apereo.org
Do you have a logout URL configured? Best I know is that when a session expires in Bb, it kills the Bb session, then sends the browser to the IdP logout URL, which would kill your TGT.
--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/CO2PR0801MB6478C3DA610FAD823AD852283E40%40CO2PR0801MB647.namprd08.prod.outlook.com.


Ray Bon

Jan 30, 2018, 12:37:52 PM
to cas-...@apereo.org
Michael,

The TGT may still be present in the ticket store, depends on the storage mechanism.

Ray
-- 
Ray Bon
Programmer analyst
Development Services, University Systems
2507218831 | CLE 019 | rb...@uvic.ca

Ray Bon

Jan 30, 2018, 12:38:08 PM
to cas-...@apereo.org
I certainly hope that Bb is not sending a logout request to CAS when 'its' session expires (not user initiated). That would single logout the user out of all services (that participate in SLO) regardless of CAS settings ==> unhappy users & confused administrators.

Ray

Richard Frovarp

Jan 30, 2018, 6:27:36 PM
to cas-...@apereo.org
I think that they are. From my recollection that was what came up on the Bb admin list a couple of years ago. You have to specify a logout URL, and it sends the user to it after it kills its own session. People are providing the IdP logout URL, so that kicks it off. My suggestion would be to provide a different logout URL other than the IdP.

Bryan Wooten

Jan 30, 2018, 8:06:55 PM
to cas-...@apereo.org
"I certainly hope that Bb is not sending a logout request to CAS when 'its' session expires (not user initiated). That would single logout the user out of all services (that participate in SLO) regardless of CAS settings ==> unhappy users & confused administrators."

This topic begs the question: What does logout mean in an SSO world? Logout of a single app or logout of SSO (all apps in the SSO session).

In an SSO environment if you logout of a single app but not the SSO session, then if you go back to the app you get straight in because the SSO session is still valid.

Now individual apps can mitigate this by setting "renew = true", but that somewhat defeats the purpose of SSO, does it not?

We have 500 servers in our CAS service registry and 90 using Shib (using CAS for authentication). CAS includes on prem apps and cloud apps (off prem).

As the CAS / Shib admin I cannot control how all the servers will react. They may or may not listen/respond to logout messages, heck they even maintain their own session cookies for SLO/timeout.

It is a mess and has been since as long as my first IAM conference.

What does SLO/Logout even mean? Is it even possible to enforce any policy? Let's not even address aggressive caching by browsers across tabs / windows / instances.

I gave up trying years ago, it is what it is.

Logout to me means the following steps:

1. Click logout.
2. Clear cache/cookies
3. Power off computer
4. Shoot computer with 12 gauge shotgun
5. Throw computer into nearest lake/ocean/river.

Without all those steps I don't believe you are "logged out".


Michael O Holstein

Jan 31, 2018, 6:27:27 AM
to cas-...@apereo.org

I'm not sure what BB is doing, but in looking through this cluster@#%# of javascript I do see the variable "globalLogoutEnabled=true" set various places.


Note : in memcached I'm seeing this happen .. transactions below are over the course of 9 seconds. I suspect this is them but asked the list because it's not like Blackboard and CAS are rare in the .edu circle.


-Mike


ST values removed ..


<29 ADD ST-135206-xxx-casvm2 Value len is 1865

<29 GET ST-135206-xxx-casvm2

<29 REPLACE ST-135206-xxx-casvm2 Value len is 1870  <--- WHY?

Deleting ST-135206-xxx-casvm2

<29 GET ST-135206-xxx-casvm2 <-- fails

<29 GET ST-135206-xxx-casvm2 <-- fails

<29 GET ST-135206-xxx-casvm2 <-- fails




From: cas-...@apereo.org <cas-...@apereo.org> on behalf of Ray Bon <rb...@uvic.ca>
Sent: Tuesday, January 30, 2018 12:38:04 PM
To: cas-...@apereo.org
Subject: Re: [cas-user] Blackboard Ultra
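
An added example, not part of the original post: a small parser for trace lines in the format shown in the message above. It groups operations per service ticket and counts GETs that arrive after the ticket was deleted, which are the lines the post marks as "fails". The first ticket's lines mirror the post; the second ticket and all function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Sample input. The first seven lines follow the trace in the post;
# the last three lines (a second ticket) are constructed.
SAMPLE_TRACE = """\
<29 ADD ST-135206-xxx-casvm2 Value len is 1865
<29 GET ST-135206-xxx-casvm2
<29 REPLACE ST-135206-xxx-casvm2 Value len is 1870  <--- WHY?
Deleting ST-135206-xxx-casvm2
<29 GET ST-135206-xxx-casvm2 <-- fails
<29 GET ST-135206-xxx-casvm2 <-- fails
<29 GET ST-135206-xxx-casvm2 <-- fails
<31 ADD ST-200001-yyy-casvm2 Value len is 1801
<31 GET ST-200001-yyy-casvm2
Deleting ST-200001-yyy-casvm2
"""

# "<fd OP key ..." lines; trailing text such as hand-written notes is ignored.
OP_LINE = re.compile(r"^<\d+ (?P<op>ADD|GET|REPLACE) (?P<key>\S+)")
DELETE_LINE = re.compile(r"^Deleting (?P<key>\S+)")


def ticket_lifecycles(trace):
    """Return {ticket_id: [op, ...]} in trace order; deletions appear as DELETE."""
    events = defaultdict(list)
    for line in trace.splitlines():
        m = OP_LINE.match(line)
        if m:
            events[m["key"]].append(m["op"])
            continue
        m = DELETE_LINE.match(line)
        if m:
            events[m["key"]].append("DELETE")
    return dict(events)


def gets_after_delete(trace):
    """Return {ticket_id: count} of GETs seen while the ticket is known deleted."""
    late = {}
    for key, ops in ticket_lifecycles(trace).items():
        deleted, count = False, 0
        for op in ops:
            if op == "ADD":
                deleted = False          # ticket (re)created
            elif op == "DELETE":
                deleted = True           # ticket removed from the store
            elif op == "GET" and deleted:
                count += 1               # lookup for a ticket that is gone
        if count:
            late[key] = count
    return late
```

A ticket whose ADD is not in the trace is never flagged, so a capture that starts mid-lifecycle does not produce false hits.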
 

Michael O Holstein

Jan 31, 2018, 6:27:27 AM
to cas-...@apereo.org
> Do you have a logout URL configured? Best I know is that when a session expires in Bb, it kills the Bb session, then sends the browser to the IdP logout URL, which would kill your TGT.

We use a custom logout URL that is in essence just a JSP that redirects to the homepage. We have CAS configured subordinate to ADFS, and as such, there really is not a way to "log out" of CAS, even if you do, any new attempt will automatically be re-authenticated by the upstream ADFS and new TGT granted.

I can't reproduce it, but I suspect the code on Blackboard's side associates their application persistence (JSESSIONID or whatever) taking into account the present id of the ST and upon change drops the session .. first I've ever seen of that, but I am trying to troubleshoot blind.

-Mike.


From: cas-...@apereo.org <cas-...@apereo.org> on behalf of Richard Frovarp <richard...@ndsu.edu>
Sent: Tuesday, January 30, 2018 10:42:04 AM

To: cas-...@apereo.org
Subject: Re: [cas-user] Blackboard Ultra

Michael O Holstein

Jan 31, 2018, 8:17:34 AM
to cas-...@apereo.org

As an update on this (and thanks to everyone who lent expertise) ...


We *did* have "global logout" enabled in the Blackboard building block for Authentication (CAS), although the URL was a custom one that just redirected the user, it did NOT actually point at the CAS logout page, however their internal code was calling it anyway, apparently due to a bug which they are working on as a level 3 ticket.


Disabling "global logout" resolves the issue, at the expense of making the UX if a student clicks "logout" do nothing for 30 seconds and leave them where they started (it didn't work before either, but at least provided the facade).


So if you're encountering this, try turning that setting off and see how it goes. If anyone needs the internal ticket numbers for reference ping me off-list.


Thanks,


Michael Holstein CISSP

Cleveland State University


From: cas-...@apereo.org <cas-...@apereo.org> on behalf of Richard Frovarp <richard...@ndsu.edu>
Sent: Tuesday, January 30, 2018 6:27:29 PM

To: cas-...@apereo.org
Subject: Re: [cas-user] Blackboard Ultra