[OpenID] Logout Use Case
Nate Klingenstein
ndk at internet2.edu
Wed Sep 30 00:05:03 UTC 2009
Steven & Jonathan,

Remember that HTTP user-agent sessions are persisted in several ways:
some are entirely client-based state in the form of cookies, while
others primarily manage server-side state. Pushing out messages to
the RP is not necessarily sufficient to either deal with client-based
state or deal with session state persisted by the applications
themselves once a login context is established via OpenID.

I suggest you take some time to read about the way Shibboleth thinks
about federated SLO.

https://spaces.internet2.edu/display/SHIB2/SLOIssues
https://spaces.internet2.edu/display/SHIB2/SLOWebappAdaptation

Take care,
Nate.

On Sep 29, 2009, at 10:53 PM, Steven Livingstone-Perez wrote:
> - OP maintains a list of RPs the user is currently logged in to and
> upon RP1 killing its local session and pinging the OP, the OP then
> 'pushes' a message out to all of the other RPs instructing them to
> kill the user's session.
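
The point made in the message above, that a message pushed from the OP to an RP cannot touch session state held in the browser, shown as an added example (not part of the original thread; the class names, key and cookie format are constructed for illustration):

```python
import hashlib
import hmac

KEY = b"constructed-demo-key"  # constructed value, for the example only

def sign(user):
    """Client-held session: the cookie itself carries the login state."""
    mac = hmac.new(KEY, user.encode(), hashlib.sha256).hexdigest()
    return f"{user}.{mac}"

def valid_signature(cookie):
    user, _, mac = cookie.rpartition(".")
    expected = hmac.new(KEY, user.encode(), hashlib.sha256).hexdigest()
    return bool(user) and hmac.compare_digest(mac, expected)

class ServerStateRP:
    """RP whose cookie is only a key into a server-side session table."""
    def __init__(self):
        self.sessions = {}  # session id -> user

    def login(self, user):
        sid = f"sid-{len(self.sessions) + 1}"  # not random: demo only
        self.sessions[sid] = user
        return sid

    def backchannel_logout(self, user):
        # Pushed by the OP with no browser involved.
        self.sessions = {s: u for s, u in self.sessions.items() if u != user}

    def is_logged_in(self, cookie):
        return cookie in self.sessions

class ClientStateRP:
    """RP that trusts a signed cookie and keeps no session table."""
    def login(self, user):
        return sign(user)

    def backchannel_logout(self, user):
        pass  # nothing on the server to delete; the cookie is in the browser

    def is_logged_in(self, cookie):
        return valid_signature(cookie)

def simulate(rp, user="alice"):
    """Return (logged in before the OP's push, logged in after it)."""
    cookie = rp.login(user)
    before = rp.is_logged_in(cookie)
    rp.backchannel_logout(user)
    return before, rp.is_logged_in(cookie)
```

`simulate(ServerStateRP())` returns `(True, False)`, while `simulate(ClientStateRP())` returns `(True, True)`: the second RP would need either a front-channel step that clears the cookie in the browser or a server-side revocation record checked on every request.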