Frequently Asked Questions about Single Sign On

How do I log into an SSO-protected service with two different accounts at the same time?

If you need to log into multiple accounts at the same time, here are some tips:

  • In Internet Explorer, click on File, New session and log in as you normally would. This will allow you to have multiple accounts open at the same time.
  • In Mozilla, click on File, New Private Window (Ctrl + Shift + P)
  • In Chrome, click on Customize and Control Google Chrome button, and then New incognito window (Ctrl + Shift + N)
  • Additionally, you can combine different browsers, e.g., log into one account with one web browser type (IE, Firefox, Chrome, Safari, etc) and at the same time log into another account with a different browser type.

 

How long will my SSO session last? How often do I have to log in with SSO?

When the Oracle Access Manager/ Single Sign On service maintains your session it watches when the session becomes idle, i.e., when no web pages are being requested from any OAM/SSO - protected services by the given browser. If the session is idle for more than eight hours it will be terminated and the user will need to authenticate again in order to access any protected resources. The maximum SSO session length is presently 12 hours. This means that when you request an SSO-protected resource more than 12 hours since you authenticated last time you will need to provide your credentials again.

Please note that only activity on systems that are directly protected by the OAM /SSO is considered when calculating the current idle window length. For example, Pay Statement Portal, Student Housing, Physical Resources, Financial services FRS/ECS or websites on the CCS Webhosting are protected directly by SSO and users activity on these systems will reset the idle time, i.e., as long as the user is active at least every two hours on these systems the SSO session will last until the maximum of 12 hours.  Some other systems, often hosted by 3rd party like CourseLink(Desire2Learn), My Retirement Pension Portal, or Gryph Mail  use OAM/SSO only to authenticate and to initiate their own session. On these systems, user activity does not count when the idle time is calculated, i.e., once the users log into these systems and if they do not interact with any of the directly-protected U of G  systems above they will be considered idle (we do not control the user sessions on these 3rd-party systems once we authenticate the user).

 

How do I protected my data?

Always remember to log out and close the browser windows.


Why?

From the SSO perspective we have two types of SSO-protected systems on campus

  1. Those protected directly by the OAM/SSO agent which is able to inspect every request and, in turn,  approve or deny access (applies to Pay Statement Portal, Student Housing, Physical Resources, Financial services FRS/ECS and other services). As soon as you log out from SSO you will have to authenticate again if you wish to access any of these services. The single logout is effective instantly.
  2. Services using OAM/SSO for authentication only, for example, Gryph Mail or CourseLink. Authentication to SSO is mandatory for these services but once you are in the session is managed by the respective service. If you log out from OAM/SSO (e.g. in CourseLink) and keep the browser windows with Gryph Mail open you will stay logged into Gryph Mail. This is the reason why it is important to close all browser windows.

 

Do I have to logout - can't I just close the window?

We recommend that you log out and then close the window for two reasons:

  1. If the user only closes the active window the SSO session continues on the server side until it times out due to inactivity. If the user happens to do this many times over a short period of time (log in, check your mail for example, close the browser without logging out) then it is in rare cases possible to ran out of allowed number of SSO sessions. We had this reported only twice so far since 2008 because our community is quite diligent in logging out. But it can happen - in such case the user needs to contact the Help Centre and we will clear the user's SSO sessions centrally. 
  2. Some browsers may not clear the session cookies on exit (by design). For example, Chrome provides an option "On startup: continue where you left off" - when the user activates this option the session cookies will be maintained even across browser restarts.  This applies to any web service not just our OAM/SSO. Please consider the security implications before enabling this option.