[OpenID] What about Logout?
pwilliams at rapattoni.com
Thu Apr 9 01:39:05 UTC 2009
You might want to implement this with an impersonation model, rather than slo model, leveraging parallel (multiple) session compartments.
Think of it in interface binding terms. An object class exports 2 soap interfaces, where rbac enforced in the class loader or interface guard limits one's rights to bind an id to a particular interface (implies subset of methods and data types). Or equivalently, in rest and url land, rbac limits which subsets of urls and mime types one can bind the id to.
If u do it like this, one gets a take/grant authorization model, in which 1 id can delegate to another, when the roles are sent in the authz element of the assertion. The ax authority releasing roles need not be the same op as is doing user auth (or one can be a front for the other).
From: Johannes Ernst <jernst+openid.net at netmesh.us>
Sent: Wednesday, April 08, 2009 2:40 PM
To: general List <general at openid.net>
Subject: Re: [OpenID] What about Logout?
I'd like to have a single-sign-out button.
There are plenty of use cases. Here is one: Changing roles.
I log into a bunch of sites with an "administrator" OpenID, to do
maintenance for example.
Then I'm done as administrator, and I'd like to go back to being a
regular user on all of those sites with a "user" OpenID.
More information about the general