shibboleth-dev - RE: F2F and SLO
- From: "Scott Cantor"
- Subject: RE: F2F and SLO
- Date: Tue, 29 Aug 2006 10:53:57 -0400
- Organization: The Ohio State University
> Not a chance. It is, after all, the very essence of shib that no one
> knows it's there.
Shibboleth is not one thing, though, it's just SAML software that lots of
people use for many different things. What I was describing is what I've
been told by people in Liberty when I've asked about single logout and how
it's been implemented and used by *some* people.
I also think SP-initiated logout is not quite the same thing as
IdP-initiated logout, and I think it gets used for different user experience
models than the one you're focused on.
But as I've made no secret, I believe SLO is impractical anyway. So I have
no particular "magic bullet" for how to implement this. I've never done it,
and aside from the session mechanics, I have no idea how to do it from a UI
point of view. Some of the ways I can think of to make it usable are
impossible, because they get blocked by the default settings on most
browsers.
Unless I get help (which I'm expecting from Chad at least), there's a pretty
good chance I won't do it right the first time. But I also have to live
within what the standard requires. If you think the standard's wrong, this
isn't a venue where we can deal with it. I think it's wrong for even including
SLO, so clearly I don't agree with it either.
> Students at UW, to give an example, wouldn't know
> InCommon or any other federation from the man in the moon. They log
> in to UW and they expect to log out from UW. Even when they click on
> a logout button on some remote application they expect it to be a UW site
> that finally says, "You're logged out."
I can think of ways to make that happen, but it depends on what browsers
allow in a frame, and whether there are bugs in what they allow. But as a
rule, I don't think that's what SP-initiated logout is *in general* designed
for.
But I can imagine extending the metadata to include landing points for SP
logout back at a user's IdP if that's what we need to do to permit it.
-- Scott
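The message above draws a line between SP-initiated and IdP-initiated logout. The following is an added example, not code from this thread or from the Shibboleth project: a toy in-memory simulation of the two SAML 2.0 Single Logout flows, so the difference in who drives the exchange is visible. Messages are plain Python objects standing in for LogoutRequest and LogoutResponse; there is no XML, signing, bindings or HTTP, the status strings are abbreviations of the real SAML StatusCode URIs, and the session and participant bookkeeping, entity IDs and the `reachable` flag are illustrative assumptions.

```python
# Added example: simulated SAML 2.0 Single Logout, SP-initiated vs IdP-initiated.
# Not Shibboleth code; entity IDs, session bookkeeping and the "reachable"
# flag are assumptions made for illustration.
from dataclasses import dataclass
import itertools

_ids = itertools.count(1)


def new_id():
    # Every SAML protocol message carries an ID; responses refer back to it.
    return f"_msg{next(_ids)}"


@dataclass
class LogoutRequest:
    id: str
    issuer: str          # entity ID of the sender (an SP or the IdP)
    name_id: str         # the principal being logged out
    session_index: str   # which IdP session is being terminated


@dataclass
class LogoutResponse:
    issuer: str
    in_response_to: str  # ID of the LogoutRequest being answered
    status: str          # "Success" or "PartialLogout" (abbreviated StatusCode)


class ServiceProvider:
    def __init__(self, entity_id, idp, reachable=True):
        self.entity_id = entity_id
        self.idp = idp
        self.reachable = reachable   # False simulates an SP the IdP cannot reach
        self.sessions = {}           # session_index -> name_id

    def establish_session(self, name_id, session_index):
        self.sessions[session_index] = name_id

    def initiate_logout(self, session_index):
        # SP-initiated: the user clicks "logout" at this SP; the SP drops its
        # own session, then asks the IdP to end the session everywhere else.
        name_id = self.sessions.pop(session_index)
        req = LogoutRequest(new_id(), self.entity_id, name_id, session_index)
        return self.idp.handle_logout_request(req)

    def handle_logout_request(self, req):
        # LogoutRequest arriving from the IdP for a session this SP joined.
        if not self.reachable:
            return None              # no response at all (network/browser block)
        self.sessions.pop(req.session_index, None)
        return LogoutResponse(self.entity_id, req.id, "Success")


class IdentityProvider:
    def __init__(self, entity_id):
        self.entity_id = entity_id
        self.sps = {}                # entity_id -> ServiceProvider
        self.sessions = {}           # session_index -> (name_id, {participant SPs})

    def register(self, sp):
        self.sps[sp.entity_id] = sp

    def sso(self, sp, name_id, session_index):
        # Single sign-on: record that this SP is a participant in the session.
        self.sessions.setdefault(session_index, (name_id, set()))[1].add(sp.entity_id)
        sp.establish_session(name_id, session_index)

    def _propagate(self, session_index, exclude=None):
        # Send a LogoutRequest to every participant except the one that asked.
        name_id, participants = self.sessions.pop(session_index)
        results = {}
        for sp_id in sorted(participants - {exclude}):
            req = LogoutRequest(new_id(), self.entity_id, name_id, session_index)
            resp = self.sps[sp_id].handle_logout_request(req)
            results[sp_id] = resp is not None and resp.status == "Success"
        return results

    def handle_logout_request(self, req):
        # SP-initiated flow, IdP side: propagate, then answer the initiating SP.
        results = self._propagate(req.session_index, exclude=req.issuer)
        status = "Success" if all(results.values()) else "PartialLogout"
        return LogoutResponse(self.entity_id, req.id, status)

    def initiate_logout(self, session_index):
        # IdP-initiated flow: e.g. a logout page at the IdP; it drives everything.
        return self._propagate(session_index)


def build_scenario(b_reachable=True):
    # Constructed scenario: one user ("jdoe") signed on to two SPs via IdP session "s1".
    idp = IdentityProvider("https://idp.example.edu/idp")
    a = ServiceProvider("https://app-a.example.edu/sp", idp)
    b = ServiceProvider("https://app-b.example.edu/sp", idp, reachable=b_reachable)
    for sp in (a, b):
        idp.register(sp)
        idp.sso(sp, "jdoe", "s1")
    return idp, a, b


if __name__ == "__main__":
    idp, a, b = build_scenario(b_reachable=False)
    print(a.initiate_logout("s1").status, "B still has:", b.sessions)
```

The third scenario in the test below is the one the message is worried about: if one participant never answers, the IdP's own session and the initiating SP's session are gone, but the unreachable SP still holds a live session, and all the initiator learns is a PartialLogout status. Real deployments also have to decide what the user sees at that point, which the simulation does not model.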