[OpenID] Feedback from OpenID demo
Peter Williams
pwilliams at rapattoni.com
Sat May 23 02:13:14 UTC 2009
Yes - and therein lies the contradiction.
Users apparently want the feature (it sounds so natural). I want the feature. But then, I come from the bottom of the class. Fortunately, I've learned to at least listen to my betters, though.
There are those in the academic community who (given much thought) apparently believe that the SLO defined in the SAML2 standard (which was pretty well engineered as a protocol) will not actually give the users/CIOs what it is that they think they are wanting/getting (on the web).
If I click logout on the Facebook site, I can then just walk away from the desktop with the assurance that the session I have with my bank (another RP) is also logged out. La la... time for coffee, since my money is obviously now safe. As is my eBay reputation.
No, you can't make that assumption, is what *they* are saying. Even in the tightest, most well-managed, perfectly best-practices IDP-controlling federation in the world - you cannot make that leap - despite its intuitive validity.
Now, I happen to use a vendor (that will inevitably, eventually add the openid auth (2.1?) protocol to the portfolio of websso protocols supported by their "websso switch") that has at least implemented what the SAML2 variant of the SLO protocol calls for - and tested it against 3 or 4 other vendors. So, there are no engineering and interworking problems, per se. But, regardless of whether the OASIS crew did a good security design and whether it all interworks cross-vendor, the bigger question is: does the usability of the service meet expectations?
We are hearing from some quarters that it doesn't. And those quarters have experience.
----
It is interesting to hear the argument that openid adoption by RPs depends on a missing feature: SLO. Trouble is, in terms of evidence, the last 10 years of the SAML variant of websso hardly deployed any SLO in a pretty open web environment (university apps). And, precious little occurred in B2B spheres, furthermore. Yet, lots of multi-party, multi-vendor SSO and federated session management got adopted (without SLO), with hundreds of RP applications being built to consume assertions - that are essentially equivalent to the openid assertion (ignoring pedantry).
________________________________
From: Dirk Balfanz [balfanz at google.com]
Sent: Friday, May 22, 2009 4:12 PM
To: Nate Klingenstein
Cc: Peter Williams; OpenID List
Subject: Re: [OpenID] Feedback from OpenID demo
On Fri, May 22, 2009 at 4:04 PM, Nate Klingenstein <ndk at internet2.edu> wrote:
> Peter,
>
>> The Shib2 academic community (and who would want to argue with them, since they have far more USG/UKG money to spend on websso than all of us folks together are spending on openid)
>
> I can assure you this is not the case for the Shibboleth project proper, and though I'm not intimately familiar with the funding situation for the national federations, I would still take the wager if they were included.
> Toss in campus IT budgets and of course we end up in the big leagues, but very little of that is R&D.
>
>> assert that SLO is the last thing anyone wants/needs.
>
> I'd also like to clarify this, if I may. We certainly believe a lot of people want it, particularly CIOs -- they tell us as much, after all.
> We are less convinced they know what SLO entails in a federated environment, and we're very wary of leading them to believe it's more effective than it really is. As it's relied upon to clear sessions that can be associated with sensitive data or apps, we want them to be fully aware of what it can and can't do.
> We're also not sure what the user intends when they click logout. Do they intend to log out of this application alone, or do they expect to be logged out of the IdP/OP as well? All other applications they've logged into with this ID? I'm not personally convinced this is such a huge issue because users already get a variety of behavior here and cope with it fine, but the devs are concerned about it.
> You can read more of their thoughts here:
> https://spaces.internet2.edu/display/SHIB2/SLOIssues

Funny how it says in there that SLO is "one of the most requested features" of Shib2.
Dirk.

> Take care,
> Nate.
_______________________________________________
general mailing list
general at openid.net
http://openid.net/mailman/listinfo/general