shibboleth-dev - F2F and SLO
  • From: Jim Fox <>
  • Subject: F2F and SLO
  • Date: Mon, 28 Aug 2006 15:01:31 -0700 (PDT)


Anticipating that the F2F will spend some time on
single log out (SLO) I'd like to seed a couple of
concerns into that discussion.

1) Many applications maintain their own sessions, using
shib only to get them started. Any SLO mechanism
at the SP must provide a way to notify these applications
of a log out. As many of them use only cookies to maintain
state, a backdoor notification method would not work
for them.

2) At the IdP the various Authentication Handlers must also
be informed of the log out -- most of these maintain some
session state. Some of them, e.g. pubcookie, are
themselves SSO systems and would need to clear their
sessions and send around their own log out notices.

3) SAML 2 indicates that every <LogoutRequest> must be
responded to with a <LogoutResponse>. This results in
the browser user ending up back at the SP -- entirely
the wrong place. Login and logout have to have a
consistent look, feel, and personality, and that's
the personality of the authenticating institution.
If I log into the University's Weblogin page (where
I type my id and password, for example) I expect to be
told by a very similar page and in similar language
that I have logged out - or what to do if the logout
attempt failed. Without that sense of closure
a browser user is left hanging and in doubt of the
global nature of the logout.

Jim
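The request/response pairing of point 3 and the application-session bookkeeping of point 1, as an added example that is not part of the original thread or of Shibboleth's code. It uses Python's standard XML library; the entity IDs, cookie names and the in-memory session registry are constructed assumptions, and signatures, bindings and Destination checks are left out so only the message pairing and the cleanup are shown.

```python
# Added illustration, not Shibboleth's own code: a SAML 2.0 single-logout
# exchange reduced to its messages (no signatures, bindings or Destination checks).
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
REQUESTER = "urn:oasis:names:tc:SAML:2.0:status:Requester"
NS = {"samlp": SAMLP, "saml": SAML}

def _now(): return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
def saml_id(xml_bytes): return ET.fromstring(xml_bytes).get("ID")

def build_logout_request(issuer, name_id, session_index):
    """IdP side: a <LogoutRequest> naming the SSO session to terminate."""
    req = ET.Element(f"{{{SAMLP}}}LogoutRequest", ID="_" + uuid.uuid4().hex,
                     Version="2.0", IssueInstant=_now())
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = issuer
    ET.SubElement(req, f"{{{SAML}}}NameID").text = name_id
    ET.SubElement(req, f"{{{SAMLP}}}SessionIndex").text = session_index
    return ET.tostring(req)

class ServiceProvider:
    """SP side: remembers which cookie-based application sessions were started
    from each IdP SessionIndex, so a logout can name every cookie to drop."""
    def __init__(self, entity_id, trusted_idp):
        self.entity_id = entity_id
        self.trusted_idp = trusted_idp
        self.app_sessions = {}  # SessionIndex -> set of application cookie names (constructed)

    def register(self, session_index, cookie_name):
        self.app_sessions.setdefault(session_index, set()).add(cookie_name)

    def handle_logout_request(self, xml_bytes):
        """Return (<LogoutResponse> bytes, sorted app cookies the browser must drop)."""
        req = ET.fromstring(xml_bytes)
        issuer = req.findtext("saml:Issuer", namespaces=NS)
        idx = req.findtext("samlp:SessionIndex", namespaces=NS)
        # Only the trusted IdP may end sessions; every request still gets a
        # response, but an untrusted issuer receives a Requester error status.
        ok = issuer == self.trusted_idp
        cleared = sorted(self.app_sessions.pop(idx, set())) if ok else []
        resp = ET.Element(f"{{{SAMLP}}}LogoutResponse", ID="_" + uuid.uuid4().hex,
                          Version="2.0", IssueInstant=_now(), InResponseTo=req.get("ID"))
        ET.SubElement(resp, f"{{{SAML}}}Issuer").text = self.entity_id
        status = ET.SubElement(resp, f"{{{SAMLP}}}Status")
        ET.SubElement(status, f"{{{SAMLP}}}StatusCode", Value=SUCCESS if ok else REQUESTER)
        return ET.tostring(resp), cleared

def parse_logout_response(xml_bytes):
    """IdP side: (InResponseTo, status) to pair the reply with its own request."""
    resp = ET.fromstring(xml_bytes)
    return resp.get("InResponseTo"), resp.find("samlp:Status/samlp:StatusCode", NS).get("Value")
```

The list of cleared cookies is what the SP still has to act on in the browser (point 1), and the InResponseTo pairing is what lets the IdP, not the SP, show the closing logout page once the response is back (point 3).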


