
shibboleth-dev - Re: [Shib-Dev] Steps towards SLO

Subject: Shibboleth Developers

List archive

Re: [Shib-Dev] Steps towards SLO


  • From: Peter Schober <>
  • To:
  • Subject: Re: [Shib-Dev] Steps towards SLO
  • Date: Wed, 15 Jul 2009 22:34:51 +0200
  • Organization: Vienna University Computer Center

* Scott Cantor <> [2009-07-15 20:01]:
> Right, it's simply one of the many reasons I think logout doesn't
> work well. SSO is simply incompatible with kiosks, IMHO. Short
> timeouts together with disabling it are a much better approach than
> logout is.

Well, with many people seemingly unable to tell the difference between
a web browser and a local file manager (a distinction being blurred
purposely for certain reasons), or more to the point, between closing
a browser window and exiting the program/process, I'd say closing the
web browser to log off doesn't work too well either. (Not that I have
any knowledge that those people mentioned above would always use the
logout button to end their session.)

But could you elaborate on the rest of that statement above?

> SSO is simply incompatible with kiosks, IMHO

There are kiosks. Some we control (kind of, otherwise these would have
the feature to terminate a local session/close the web browser), most
we don't. Managers just smile at us and walk away when we mention
integration of their business application with the campus WebSSO
system, but we need to tell them "Sorry, logout will only come in later
releases" (2.0, judging from some Internet2 presentations -- which btw
also helped selling Shib as intra-campus WebSSO system in the first
place).
Certainly some kind of risk assessment (however basic) would help to
rationalize some of those arguments and discussions. But we're still
having a hard time with application integration and having to resort
to disabling SSO won't help: Those concerned about their app security
still won't integrate (unless timeouts are so small it will make the
app unusable), those wanting to join because of SSO won't get it.

Either way, I'm grateful that Adam started working on this, even if
there seem to be strong opinions wrt the futility of the endeavor.
I do think we need practical experience with SLO, time to adapt our
applications, maybe switch to ePTId/persistentIds as NameIDs wherever
possible/sensible (to ease logout for both IdPs as well as SPs), etc.
While having SLO support in the code is not sufficient for reliable
SLO, it certainly is necessary.
-peter
