[OpenID] Logout Use Case

Jonathan Coffman jonathan.coffman at gmail.com
Tue Sep 29 22:43:20 UTC 2009


Hey there folks, I'd like to start a conversation around how OpenID  
might be able to facilitate logout more gracefully. Should I enter my  
use-case onto the wiki somewhere?

Just to whet your whistle, here's a summary:

- We're using OpenID for federated identity and SSO for a network of  
micro-sites.
- Some of those micro-sites live at the same domain, but in different  
directories, and utilize a multitude of web technologies (php, flat-files,
django, plone, etc.)
- Other micro-sites are on their own domains.

Because a large percentage of our RPs (the micro-sites) actually live
on the same domain, but on varying infrastructure and technologies,
it's confusing to the user that when they log in, they're logged in
across the network -- but when logging out they're only logged out
from an individual RP.

As far as potential solutions, we've come up with a couple of  
different technical options:
- RP1 sends a logout command to the OP which destroys the RP1 and OP  
session. However, the user may still be logged in locally at RP2 (RP2  
could also poll to check if the user is still logged in at the OP at a  
set schedule)

or

- OP maintains a list of RPs the user is currently logged in to and  
upon RP1 killing its local session and pinging the OP, the OP then
'pushes' a message out to all of the other RPs instructing them to  
kill the user's session.


- Jonathan Coffman
@jdcoffman
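
The two options in the message above, modelled in memory as an added example that is not part of the original post: with polling, RP2's session stays live until its next poll; with push, it is killed at logout time. The class and method names, the per-RP keys and the HMAC check on pushed logouts are assumptions made for illustration and are not taken from OpenID or from the post.

```python
import hashlib
import hmac

class RP:
    """Relying party holding local sessions (hypothetical model)."""
    def __init__(self, name, key):
        self.name, self.key, self.sessions = name, key, set()

    def login(self, op, user):
        self.sessions.add(user)
        op.register(user, self)          # OP records where the user is logged in

    def poll(self, op):
        # Option 1: on a schedule, drop local sessions the OP no longer has.
        self.sessions = {u for u in self.sessions if op.is_logged_in(u)}

    def receive_logout(self, user, tag):
        # Option 2: accept a pushed logout only if the OP's MAC verifies
        # (assumed hardening, so a third party cannot force logouts).
        expected = hmac.new(self.key, f"logout:{user}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return False
        self.sessions.discard(user)
        return True

class OP:
    """OpenID provider tracking which RPs each user is logged in to."""
    def __init__(self):
        self.active = {}                 # user -> set of RPs

    def register(self, user, rp):
        self.active.setdefault(user, set()).add(rp)

    def is_logged_in(self, user):
        return user in self.active

    def logout(self, user, origin, push):
        origin.sessions.discard(user)        # RP1 kills its local session
        rps = self.active.pop(user, set())   # OP session is destroyed
        if push:
            for rp in rps - {origin}:
                tag = hmac.new(rp.key, f"logout:{user}".encode(), hashlib.sha256).digest()
                rp.receive_logout(user, tag)

def demo(push):
    """Return (RP2 still logged in before its poll, after its poll)."""
    op, rp1, rp2 = OP(), RP("rp1", b"k1-constructed"), RP("rp2", b"k2-constructed")
    rp1.login(op, "alice"); rp2.login(op, "alice")
    op.logout("alice", origin=rp1, push=push)
    before_poll = "alice" in rp2.sessions
    rp2.poll(op)
    return before_poll, "alice" in rp2.sessions
```

`demo(False)` shows the window in which RP2 still honours the session under the polling option; `demo(True)` shows it closed immediately under the push option.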
