shibboleth-dev - RE: F2F and SLO

  • From: Jim Fox <>
  • To: Shibboleth Dev Team <>
  • Subject: RE: F2F and SLO
  • Date: Tue, 29 Aug 2006 09:47:40 -0700 (PDT)


> disagree with you about where the right ending place is. I suspect it's
> somewhere central to the federation of sites that is associated with that
> scarab.

Not a chance. It is, after all, the very essence of shib that no one knows it's there. Students at UW, to give an example, wouldn't know InCommon or any other federation from the man in the moon. They log in to UW and they expect to log out from UW. Even when they click on a logout button on some remote application they expect it to be a UW site that finally says, "You're logged out."

> There are lots of ways to organize a "federation of sites" as Scott calls it. A set of financial services entities, for example, might be organized around a site (or could be more than one) that acts as an SP but provides a starting point for users to access lots of associated services, with SSO and potentially several IdPs; my credit card company's site is kind of like that already. This is a natural extension of the portal worldview, which is very common. Universities (or maybe it's just us university middleware types) tend to be IdP-centric for some reason, but other industries seem to be less so, from what I've seen.


The 'federation' you describe is little more than a single application
that happens to span a couple of domains. It hardly deserves the
designation of SSO. I agree that when only a single 'application'
is involved the idea of a logout that begins and ends at that 'site'
makes sense.

The significance of the "Single" in Single Sign On is that a browser
user can log on once and work with several disparate applications.
If we have lost that meaning then logout as described again makes
sense. Otherwise login and logout must be IdP-centric - if for
no other reason than to explain to the user just what that
"logout" meant.

Universities lead the way in this because we are the only
organizations that provide the auth service without the applications. Everyone else has historically provided both,
so they appear SP-centric. With the advent of Shib we can
easily imagine general purpose, commercial auth sites, maybe
myshib.com, that will themselves be IdP-centric like us.

Jim
