shibboleth-dev - F2F and SLO
Subject: Shibboleth Developers
List archive
- From: Jim Fox <>
- To:
- Subject: F2F and SLO
- Date: Mon, 28 Aug 2006 15:01:31 -0700 (PDT)
Anticipating that the F2F will spend some time on
single log out (SLO) I'd like to seed a couple of
concerns into that discussion.
1) Many applications maintain their own sessions, using
shib only to get them started. Any SLO mechanism
at the SP must provide a way to notify these applications
of a log out. As many of them use only cookies to maintain
state, a backdoor notification method would not work
for them.
2) At the IdP the various Authentication Handlers must also
be informed of the log out -- most of these maintain some
session state. Some of them, e.g. pubcookie, are
themselves SSO systems and would need to clear their
sessions and send around their own log out notices.
3) SAML 2 indicates that every <LogoutRequest> must be
responded to with a <LogoutResponse>. This results in
the browser user ending up back at the SP -- entirely
the wrong place. Login and logout have to have a
consistent look, feel, and personality, and that's
the personality of the authenticating institution.
If I log into the University's Weblogin page (where
I type my id and password, for example) I expect to be
told by a very similar page and in similar language
that I have logged out - or what to do if the logout
attempt failed. Without that sense of closure
a browser user if left hanging and in doubt of the
global nature of the logout.
Jim
- F2F and SLO, Jim Fox, 08/28/2006
- RE: F2F and SLO, Scott Cantor, 08/28/2006
- RE: F2F and SLO, Jim Fox, 08/28/2006
- RE: F2F and SLO, RL 'Bob' Morgan, 08/29/2006
- RE: F2F and SLO, Jim Fox, 08/29/2006
- RE: F2F and SLO, Scott Cantor, 08/29/2006
- RE: F2F and SLO, RL 'Bob' Morgan, 08/29/2006
- RE: F2F and SLO, Jim Fox, 08/28/2006
- RE: F2F and SLO, Scott Cantor, 08/28/2006
Archive powered by MHonArc 2.6.16.