Sign in and Sign Out
Implementation
Some programming skill is needed to set up sign in and sign out using the central authentication hub (CAH).
Standard language, HTML, and CSS can be found in the source code and linked style sheets for this page. Site/application owners are responsible for including the appropriate text, username, and sign in/sign out link.
The application must check for the presence of a valid CAH cookie in the user’s browser without requiring authentication. For instance, a user may connect over HTTPS and already be logged in, but a web server such as Apache may not set REMOTE_USER unless authentication is required. Pages that make use of the sign in option must therefore not require authentication.
When to use
The sign in option should only be presented to users on web pages/sites that add value for users who are signed in using the University’s single sign-on (primarily central authentication hub and cookieauth at this time). The sign out option may be presented on any page where users are known to be signed in. For example, signing in to the Graduation Planner provides a user with customized and/or personalized content, so a sign in option may be presented.
Note: This document does not include considerations for Shibboleth.
Language, HTML, CSS
To provide a consistent sign in and sign out experience across the University, a standard method and location have been established for sign in and sign out links. The image to the left shows the sign in link location at the top left side of a web page using University templates.
Signing in
While the sign in link should appear at the top left on a page using sign in and sign out, an additional sign in link within the body of a page is acceptable and encouraged for clarity. The sign in link(s) should bring users to the central login page (https://www.umn.edu/login). Users may be redirected through other pages as needed (e.g., for Shibboleth), so long as the login page is the only content presented to the user.
To avoid confusing users who have multiple browser windows or tabs open and may have signed in to the CAH from another site, a parameter in the query string (e.g., forceLogin) may be used. For instance:
- User loads https://mysite.umn.edu/ and is not logged in. User is presented with generic content.
- In a separate browser window/tab, the user logs in to central authentication.
- The user returns to https://mysite.umn.edu/ and clicks the sign in link.
- The user is sent to https://mysite.umn.edu/?forceLogin.
- The user is presented with customized/personalized content and is not required to sign in again.
A parameter like forceLogin should not be required to check for the CAH cookie.
When a user clicks the sign in/sign out link, the site/application being used should clear all credentials specific to that site or application, redirect users to the CAH sign out service (see below), and use the desturl parameter for the sign out service to send users to a page with appropriate language (also below).
Signing out
When signing out, users should be taken to the University logout page (https://www.umn.edu/logout) and then to a unit-owned page with additional information. The user may be redirected as needed to clear other credentials, so long as the only content presented is that included on the unit-owned page.
The unit-owned page must include the following language:
Authentication credentials have been cleared for this session. Please quit your browser to complete your sign out.
The redirection to the unit-owned page can be accomplished using the desturl parameter with the sign out service. See http://www1.umn.edu/is/cookieauth/aboutcah.html.
The Office of Information Technology (OIT) has a page indicating that users have signed out of central authentication, but the language on this page does not cover additional applications that may not use central authentication, or that set cookies for authentication or authorization purposes. These cookies may not expire promptly and may allow another user at the same computer to access applications as the original user. This is why you need to ask users to quit the browser to complete their sign out.
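The sign out sequence described above, as an added example that is not part of the original page or University code: clear the site's own cookies, redirect to the University logout page with desturl set to the unit-owned page, and render the required language there. The host mysite.umn.edu/signed-out, the cookie names, and passing desturl as a URL-encoded query parameter are assumptions.

```python
from html import escape
from urllib.parse import urlencode, urlsplit

CAH_LOGOUT = "https://www.umn.edu/logout"  # University logout page, from the text
# Assumptions (not from the original page): the unit-owned page URL and the
# names of this site's own cookies.
SIGNED_OUT_PAGE = "https://mysite.umn.edu/signed-out"
SITE_COOKIES = ("mysite_session", "mysite_roles")
# Language the unit-owned page must include, quoted from the text.
REQUIRED_TEXT = ("Authentication credentials have been cleared for this "
                 "session. Please quit your browser to complete your sign out.")


def expire_cookie(name, path="/"):
    """Set-Cookie value that deletes one site cookie (path must match the
    path the cookie was originally set with)."""
    return (f"{name}=; Path={path}; Max-Age=0; "
            "Expires=Thu, 01 Jan 1970 00:00:00 GMT; Secure; HttpOnly")


def logout_url(dest=SIGNED_OUT_PAGE):
    """CAH sign out URL that sends the user on to `dest` afterwards.
    Assumes desturl is passed as a URL-encoded query parameter."""
    got, allowed = urlsplit(dest), urlsplit(SIGNED_OUT_PAGE)
    # Only hand the sign out service an HTTPS page on our own host, so a
    # caller-supplied destination cannot turn sign out into an open redirect.
    if got.scheme != "https" or got.hostname != allowed.hostname:
        raise ValueError(f"refusing desturl outside {allowed.hostname}: {dest!r}")
    return CAH_LOGOUT + "?" + urlencode({"desturl": dest})


def sign_out_response():
    """(status, headers) for the sign out link: clear site credentials first,
    then redirect to the CAH sign out service."""
    headers = [("Set-Cookie", expire_cookie(name)) for name in SITE_COOKIES]
    headers.append(("Cache-Control", "no-store"))
    headers.append(("Location", logout_url()))
    return "302 Found", headers


def signed_out_page():
    """Body of the unit-owned page the user lands on after sign out."""
    return f"<!DOCTYPE html><title>Signed out</title><p>{escape(REQUIRED_TEXT)}</p>"


if __name__ == "__main__":
    status, headers = sign_out_response()
    print(status, *(f"{key}: {value}" for key, value in headers), sep="\n")
```

Cookies are only deleted when the Path (and Domain, if one was set) in the expiring Set-Cookie matches what the application used when it set them.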
