[OpenID] Logout Use Case
Shane B Weeden
sweeden at au1.ibm.com
Sat Oct 3 21:31:11 UTC 2009
The biggest issue I see with single logout is that it introduces a
requirement for session state management in the OpenID runtime, which will
result in all manner of implementation issues. Not only that, regardless of
what gets implemented, you only ever end up with a "best-effort" logout.
Just ask anyone who's done SAML2.
From: Andrew Arnott <andrewarnott at gmail.com>
To: SitG Admin <sysadmin at shadowsinthegarden.com>
Cc: openid-general at lists.openid.net
Date: 03/10/2009 02:36 PM
Subject: Re: [OpenID] Logout Use Case
Sent by: openid-general-bounces at lists.openid.net
I don't see what multi-auth has to do with logging out. If the user clicks
"log out" at RP2, and the user logged into RP2 with OP1, then OP1 assists
the user in logging out of both RP1 and RP2 since OP1 sent a positive
assertion to those RPs. The detail that RP1 required positive assertions
from OP1 and OP2 to log the user in seems inconsequential. As soon as RP1
gets the "log out" assertion from the OP, it only has OP2 with a standing
positive assertion left, and therefore logs the user out. OP1 isn't ever
aware that OP2 existed.
--
Andrew Arnott
"I [may] not agree with what you have to say, but I'll defend to the death
your right to say it." - S. G. Tallentyre
On Fri, Oct 2, 2009 at 9:06 PM, SitG Admin <sysadmin at shadowsinthegarden.com> wrote:
> I don't understand how you can use an OP to log into an RP without the
> OP being aware that it's sending that assertion.
Sure. But if you're using OP1 *and* OP2 to login at RP3 (say, via
MultiAuth), then the user should be able to keep OP1 and OP2 unaware of
each other; so, when RP4 (which only knows the user through OP1) tells
the user to logout from all of OP1's sessions, it can only send the user
to OP1; will OP1 also send the user to all the RP's it knows, just in
case any of them is currently using MultiAuth with the user?
-Shade
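The exchange the three of them are arguing over (an OP that must remember every RP it asserted to, an RP that tracks standing assertions per OP with a MultiAuth "all OPs required" policy, and a logout that can only ever be best-effort) is easier to reason about as code. The following is an added illustration, not code from the thread or from any OpenID implementation; the `OP`/`RP` classes, the `run_scenario` setup, the `alice-session` identifier and the unreachable RP3 are all constructed for the example.

```python
"""Added example: minimal model of OpenID-style single logout state tracking.

Hypothetical classes (not from any OpenID library): each OP records which RPs
received a positive assertion for a session, and each RP records which OPs
currently have a standing assertion.  Logout is best-effort: an RP the OP
cannot reach keeps its local session.
"""
from dataclasses import dataclass, field


@dataclass(eq=False)  # identity-hashed so RP objects can live in sets
class RP:
    name: str
    required_ops: frozenset             # MultiAuth policy: every listed OP must stand
    reachable: bool = True
    standing: dict = field(default_factory=dict)  # session_id -> {op_name, ...}

    def accept_assertion(self, session_id: str, op_name: str) -> None:
        self.standing.setdefault(session_id, set()).add(op_name)

    def is_logged_in(self, session_id: str) -> bool:
        return self.required_ops <= self.standing.get(session_id, set())

    def revoke(self, session_id: str, op_name: str) -> None:
        if not self.reachable:
            raise ConnectionError(f"{self.name} unreachable")  # simulated delivery failure
        self.standing.get(session_id, set()).discard(op_name)
        # Once any required OP's assertion is gone the session is no longer valid,
        # so drop it entirely rather than keep a half-authenticated session around.
        if not self.is_logged_in(session_id):
            self.standing.pop(session_id, None)


@dataclass(eq=False)
class OP:
    name: str
    sessions: dict = field(default_factory=dict)  # session_id -> {RP, ...}

    def assert_to(self, session_id: str, rp: RP) -> None:
        # This is the session state the OP is forced to keep: without a record of
        # every RP it asserted to, it has nobody to tell when the user logs out.
        self.sessions.setdefault(session_id, set()).add(rp)
        rp.accept_assertion(session_id, self.name)

    def logout(self, session_id: str) -> list:
        """Notify every RP that received an assertion; return the names that failed."""
        failed = []
        for rp in self.sessions.pop(session_id, set()):
            try:
                rp.revoke(session_id, self.name)
            except ConnectionError:
                failed.append(rp.name)  # best-effort: nothing more the OP can do
        return failed


def run_scenario() -> dict:
    """The thread's setup: RP1 needs OP1 and OP2 (MultiAuth); RP2 and RP3 need OP1 only."""
    op1, op2 = OP("OP1"), OP("OP2")
    rp1 = RP("RP1", frozenset({"OP1", "OP2"}))
    rp2 = RP("RP2", frozenset({"OP1"}))
    rp3 = RP("RP3", frozenset({"OP1"}), reachable=False)  # constructed failure case
    rps = [rp1, rp2, rp3]
    sid = "alice-session"  # constructed session identifier

    op1.assert_to(sid, rp1)
    op2.assert_to(sid, rp1)   # MultiAuth login at RP1: OP1 and OP2 never see each other
    op1.assert_to(sid, rp2)
    op1.assert_to(sid, rp3)
    before = {rp.name: rp.is_logged_in(sid) for rp in rps}

    # User clicks "log out" at RP2; RP2 hands the logout to OP1, and only OP1.
    failed = op1.logout(sid)
    after = {rp.name: rp.is_logged_in(sid) for rp in rps}

    return {
        "before": before,
        "failed": sorted(failed),
        "after": after,
        # OP2 was never told, so it still believes RP1 holds its assertion.
        "op2_stale": sorted(rp.name for rp in op2.sessions.get(sid, set())),
    }


if __name__ == "__main__":
    print(run_scenario())
```

Running it shows both sides of the argument at once: RP1 drops the session as soon as OP1's assertion is withdrawn even though OP2's is still standing, so OP1 never needs to know OP2 exists; but RP3 stays logged in because the notification never reached it, and OP2 is left holding a stale record for RP1, which is exactly the state-management and best-effort problem Shane describes.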
_______________________________________________
general mailing list
general at lists.openid.net
http://lists.openid.net/mailman/listinfo/openid-general