35. SINGLE SIGN-OFF
But... It doesn’t scale!
Facebook uses delayed single sign-off:
• First cookie is long lived and keeps the user session
• Second cookie required to perform API calls is short lived and needs to be refreshed using the first cookie
• Signing off from Facebook deletes both cookies
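A sketch of the two-cookie scheme above, added here as an example; it is not code from the slides or from Facebook. It assumes API servers verify the short-lived cookie statelessly with a shared HMAC key, and all names (SECRET, API_TTL, sessions, the function names) are hypothetical.

```python
import hashlib
import hmac
import secrets

SECRET = secrets.token_bytes(32)  # assumption: key shared by the identity provider and API servers
API_TTL = 300                     # assumption: API cookie lifetime in seconds
sessions = {}                     # long-lived session id -> user, held only by the identity provider


def sign_in(user):
    """Issue the long-lived session cookie value (first cookie)."""
    sid = secrets.token_urlsafe(32)
    sessions[sid] = user
    return sid


def issue_api_cookie(sid, now):
    """Mint or refresh the short-lived API cookie; needs a live session."""
    user = sessions.get(sid)
    if user is None:
        return None               # signed off: refresh is refused
    payload = f"{user}|{int(now) + API_TTL}"
    mac = hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{mac}"


def check_api_cookie(cookie, now):
    """Stateless check done by API servers: signature and expiry only."""
    try:
        payload, mac = cookie.rsplit("|", 1)
        user, expires = payload.rsplit("|", 1)
        expires = int(expires)
    except (AttributeError, ValueError):
        return None
    expected = hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac.encode(), expected.encode()) or now >= expires:
        return None
    return user


def sign_off(sid):
    """Delete the session server-side; the browser's two cookies are cleared too."""
    sessions.pop(sid, None)
```

In this sketch, a copy of the API cookie taken before sign-off still passes check_api_cookie until it expires, so API_TTL bounds how long sign-off is delayed.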
43. The simplest single sign-on solution available
• Django
https://github.com/zuber/django-cas-provider
https://github.com/zuber/django-cas-consumer
• Python
https://wiki.jasig.org/display/CASC/Pycas
56. FEATURES
• Decentralized - you don’t need to store passwords at all
• Single sign-on but not single sign-in
• Hard to implement - delegation requires an HTML parser
60. COMPARISON
CAS                               OpenID
• Centralized                     • Decentralized
• Single sign-on and sign-in      • Only single sign-on
• Easy to implement               • Hard to implement
• Attribute exchange (CAS 3.0)    • openid.sreg and openid.ax
• Single sign-off                 • Single sign-off
• Gateway authentication          • Browser extensions