Application Screen Guidances
To create a more standard experience for the user, we recommend that providers use similar language when applications interact with WebLogin. Following is suggested language.
Application Timeout Guidance
ISC recommends the use of a timeout screen using standard language when an open application times out while a Penn WebLogin session is active. CoSign doesn't have built-in timeout support, so the timeout screen must be driven by the application's own local session management.
NOTES:
- "Reopen..." should link back to your app/resource.
- "Terminate..." should link to https://weblogin.pennkey.upenn.edu/logout.
Application Logout Guidance
ISC recommends that application and web resource logout buttons work as follows:
- Selecting an application's logout button (with both SSO and reauth applications) should remove any locally generated state and provide an invisible redirect to the logout screen, https://weblogin.pennkey.upenn.edu/logout, that permits a user to terminate their Penn WebLogin session.
- If a message to the user is still necessary when the local session ends (for example, advising users when records will be updated), selecting the logout button should generate a local logout confirmation screen with the following info:
You have successfully logged out from [app/resource name].
[owner inserts app- or resource-specific logout messages here,
possibly including link that gives option to re-open app/resource]
Your Penn WebLogin session remains active.
Terminate your Penn WebLogin session now
NOTES:
- "Terminate..." should link to https://weblogin.pennkey.upenn.edu/logout.
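The logout behaviour recommended above, as an added example (not ISC's or CoSign's own code): a minimal WSGI logout handler that drops the application's locally generated state, expires its session cookie and answers with an invisible 302 redirect to the Penn WebLogin logout URL. The session store, the cookie name "APPSESSION" and the sample session contents are constructed for the example.

```python
"""Application logout handler following the WebLogin logout guidance.

Added example, not ISC's or CoSign's code. Assumes a WSGI application whose
per-user state lives in an in-memory store keyed by a session cookie named
"APPSESSION" (hypothetical name). Logout removes that local state, expires
the cookie and redirects, with no visible page, to the WebLogin logout screen
where the user can terminate the Penn WebLogin session itself.
"""
from http import cookies

WEBLOGIN_LOGOUT_URL = "https://weblogin.pennkey.upenn.edu/logout"
SESSION_COOKIE = "APPSESSION"  # hypothetical cookie name

# Constructed in-memory session store: cookie value -> application state.
SESSIONS = {}


def _session_id(environ):
    """Return the session id carried by the request cookie, or None."""
    jar = cookies.SimpleCookie(environ.get("HTTP_COOKIE", ""))
    morsel = jar.get(SESSION_COOKIE)
    return morsel.value if morsel else None


def logout_app(environ, start_response):
    """WSGI handler bound to the application's logout button.

    1. Remove any locally generated state for this session.
    2. Expire the session cookie so the browser stops presenting it.
    3. Redirect (302, empty body) to the WebLogin logout screen.
    """
    sid = _session_id(environ)
    if sid is not None:
        # Local state goes away even if the browser never follows the redirect.
        SESSIONS.pop(sid, None)

    expired = cookies.SimpleCookie()
    expired[SESSION_COOKIE] = ""
    expired[SESSION_COOKIE]["path"] = "/"
    expired[SESSION_COOKIE]["max-age"] = 0      # tells the browser to discard it
    expired[SESSION_COOKIE]["httponly"] = True
    expired[SESSION_COOKIE]["secure"] = True

    headers = [
        ("Location", WEBLOGIN_LOGOUT_URL),
        ("Cache-Control", "no-store"),
        ("Set-Cookie", expired[SESSION_COOKIE].OutputString()),
    ]
    start_response("302 Found", headers)
    return [b""]


def run_logout(session_id):
    """Drive the handler with a constructed request carrying `session_id`
    (None for a request with no cookie) and return what it produced."""
    environ = {"HTTP_COOKIE": f"{SESSION_COOKIE}={session_id}"} if session_id else {}
    captured = {}

    def start_response(status, headers):
        captured["status"] = status
        captured["headers"] = dict(headers)

    captured["body"] = b"".join(logout_app(environ, start_response))
    return captured


if __name__ == "__main__":
    SESSIONS["abc123"] = {"pennkey": "jdoe", "cart": [1, 2]}  # constructed state
    result = run_logout("abc123")
    print(result["status"], "->", result["headers"]["Location"])
    print("local state cleared:", "abc123" not in SESSIONS)
```

The redirect carries no body and is marked `no-store`, so the user sees only the WebLogin logout screen; the local state is removed before the redirect is issued, so the application session is gone regardless of whether the user then terminates the WebLogin session.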
401 (Unauthorized) Error Guidance
Users who have successfully authenticated but are not authorized to use a particular PennKey-protected web resource typically receive a server-generated 401 error message. In the WebLogin environment, 401 messages need to advise users that they may still have an active WebLogin session that they need to terminate, and tell them how to follow up if they want to request access.
ISC recommends that server administrators allow directory-specific 401 messages on their web servers, particularly if the server houses more than one protected resource or if some resources are PennKey-protected and some are protected by another mechanism. Directory-specific messages can name a specific resource and guide users to the most relevant help resource.
Suggested language for a 401 screen that is specific to a directory or to a server that has only one protected resource and that resource is PennKey-protected:
Not authorized
Although you authenticated successfully with your PennKey and password, you are not authorized to access [app/resource name].
Your WebLogin session remains active.
Terminate your Penn WebLogin session now
OR
Navigate to another PennKey-protected web resource.
If you require access to [app/resource name] or have questions, please contact [resource-specific email or phone number].
NOTES:
- "Terminate..." should link to https://weblogin.pennkey.upenn.edu/logout.
- To avoid having a contact email address harvested for use by spammers, consider using a format such as “remoteassistance2009 at lists.upenn.edu” or a similar technique.
Suggested language for a single 401 screen on a server that has several protected resources, all of which are PennKey-protected:
Not authorized
Although you successfully authenticated with your PennKey and password, you are not authorized to access this resource.
Your WebLogin session remains active.
Terminate your Penn WebLogin session now
OR
Navigate to another PennKey-protected web resource.
If you require access to [app/resource name] or have questions, please contact [provide desired contact information].
NOTES:
- "Terminate..." should link to https://weblogin.pennkey.upenn.edu/logout.
- Contact info could be a single general email address or phone number, or a list by resource:
| Resource: A | Contact: A |
| Resource: B | Contact: B |
| Resource: C | Contact: C |
- To avoid having a contact email address harvested for use by spammers, consider using a format such as “remoteassistance2009 at lists.upenn.edu” or a similar technique.
Suggested language for a single 401 screen on a server that has several protected resources, not all of which use PennKey:
Not authorized
If you entered your PennKey and password to access any web resource, your WebLogin session remains active.
Terminate your Penn WebLogin session now
OR
Navigate to another PennKey-protected web resource.
If you require access to [app/resource name] or have questions, please contact [provide desired contact information].
NOTES:
- "Terminate..." should link to https://weblogin.pennkey.upenn.edu/logout.
- Contact info could be a single general email address or phone number, or a list by resource:
| Resource: A | Contact: A |
| Resource: B | Contact: B |
| Resource: C | Contact: C |
- To avoid having a contact email address harvested for use by spammers, consider using a format such as “remoteassistance2009 at lists.upenn.edu” or a similar technique.
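The directory-specific and server-wide 401 screens described above, as an added example (not ISC's or CoSign's code): a small generator that picks the resource by request path prefix, emits the directory-specific text when the path is under a known protected directory and the generic several-resources text with a contact-by-resource table otherwise, always with the terminate link and with email contacts rendered in the "user at host" form from the notes. The web server or CoSign module is assumed to have already decided the request is authenticated but not authorized; the path table, resource names and contact addresses are constructed placeholders.

```python
"""Directory-specific 401 pages following the WebLogin 401 guidance.

Added example, not ISC's or CoSign's code. Assumes the server has already
established that the user authenticated but is not authorized, and that it
hosts several PennKey-protected resources under distinct path prefixes.
The path table, resource names and contacts below are constructed.
"""
import html

WEBLOGIN_LOGOUT_URL = "https://weblogin.pennkey.upenn.edu/logout"

# Constructed table: path prefix -> (resource name, contact address or phone).
RESOURCES = {
    "/app-a/": ("Resource A", "app-a-help@example.upenn.edu"),
    "/app-b/": ("Resource B", "app-b-help@example.upenn.edu"),
    "/app-c/": ("Resource C", "215-555-0100"),  # phone contact, nothing to obscure
}


def obscure_email(contact):
    """Render an address as 'user at host' so harvesters keyed on '@' miss it.
    Contacts without '@' (phone numbers) are returned unchanged."""
    if "@" not in contact:
        return contact
    user, _, host = contact.rpartition("@")
    return f"{user} at {host}"


def resource_for_path(path):
    """Resource entry for a request path by longest matching prefix, or None
    when the path is not under any known protected directory."""
    best = None
    for prefix, entry in RESOURCES.items():
        if path.startswith(prefix) and (best is None or len(prefix) > len(best[0])):
            best = (prefix, entry)
    return best[1] if best else None


def render_401(path):
    """Build the 401 body: directory-specific wording when the path maps to
    a known resource, otherwise the single-screen wording with a contact
    list by resource."""
    entry = resource_for_path(path)
    if entry:
        name, contact = entry
        name = html.escape(name)
        first = ("Although you authenticated successfully with your PennKey and "
                 f"password, you are not authorized to access {name}.")
        last = (f"If you require access to {name} or have questions, please "
                f"contact {html.escape(obscure_email(contact))}.")
    else:
        first = ("Although you successfully authenticated with your PennKey and "
                 "password, you are not authorized to access this resource.")
        rows = "".join(
            f"<tr><td>Resource: {html.escape(n)}</td>"
            f"<td>Contact: {html.escape(obscure_email(c))}</td></tr>"
            for n, c in RESOURCES.values())
        last = ("If you require access or have questions, please contact the "
                f"owner of the resource:<table>{rows}</table>")
    return (
        "<!DOCTYPE html>\n<html><head><title>Not authorized</title></head><body>\n"
        "<h1>Not authorized</h1>\n"
        f"<p>{first}</p>\n"
        "<p>Your WebLogin session remains active.</p>\n"
        f'<p><a href="{WEBLOGIN_LOGOUT_URL}">Terminate your Penn WebLogin session now</a><br>\n'
        "OR<br>\nNavigate to another PennKey-protected web resource.</p>\n"
        f"<p>{last}</p>\n</body></html>\n"
    )


def not_authorized_app(environ, start_response):
    """WSGI handler that serves the 401 page for the requested path."""
    body = render_401(environ.get("PATH_INFO", "/")).encode("utf-8")
    start_response("401 Unauthorized", [
        ("Content-Type", "text/html; charset=utf-8"),
        ("Content-Length", str(len(body))),
        ("Cache-Control", "no-store"),
    ])
    return [body]


if __name__ == "__main__":
    print(render_401("/app-a/reports/"))   # directory-specific variant
    print(render_401("/somewhere-else/"))  # generic variant with contact table
```

Keeping one generator for every protected directory means the terminate link and session wording cannot drift between resources; only the resource name and contact vary, and the contact never reaches the page as a literal address.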