[OpenID] Logout Use Case
Nate Klingenstein
ndk at internet2.edu
Wed Sep 30 12:33:12 UTC 2009
Steven,
The real problem is that it's difficult to do it in a way that would
be certain to really clear all the various sessions scattered around
in a loosely coupled federated environment, and doing "something" may
be worse than doing "nothing", if "nothing" makes it clear that the
user needs to terminate their browser session, for example. If some
RPs don't go to the trouble of associating their application sessions
with the provider's sessions, or some OPs don't store the list of RP
endpoints, or if the browser gets stranded at some point and is unable
to clear a cookie, etc. etc. etc. then the deployer or user's
expectations may not be met.
Unlike some others on the Shib team, I believe it's still important to
implement some form of SLO. So long as deployers are aware of the
limitations, it will address some use cases (such as Jonathan's, where
they sound to have relatively tight control of the environment), which
is a win.
It's not near the top of my list of things that I'd like to see added
to the OpenID protocol, but it's definitely feasible with the right
caveats, and there are many examples to learn from out there.
Thanks for taking the time to read our piles of word salad,
Nate.
On Sep 30, 2009, at 9:56 AM, Steven Livingstone-Perez wrote:
> It does seem to me, particularly from reading those documents that
> despite the technical difficulties outlined there is a potential
> roadmap to SLO in OpenID - or at least a start :-) Need defining (if
> not already in the process) and much would be implementation
> recommendations rather than protocol.
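A small added illustration of the caveat Nate describes, written for this page and not taken from the thread or from any OpenID implementation: an OP-side registry that can only notify the RPs which tied their session to the OP session and registered a logout endpoint, and that reports every gap so the user is told to close the browser instead of being shown a false "signed out everywhere". The class and function names (OPSessionRegistry, LogoutReport, user_message) are invented for the example.

```python
# Hypothetical model of OP-side single logout (SLO) bookkeeping; not protocol code.
from dataclasses import dataclass, field


@dataclass
class LogoutReport:
    confirmed: list = field(default_factory=list)  # RPs that acknowledged the logout
    failed: list = field(default_factory=list)     # RPs with an endpoint that did not acknowledge
    unreachable: int = 0                           # RPs that never registered a logout endpoint

    @property
    def complete(self):
        # Only a clean sweep justifies telling the user "you are logged out everywhere".
        return not self.failed and self.unreachable == 0


class OPSessionRegistry:
    def __init__(self):
        # op_session_id -> {rp_realm: logout_endpoint or None}
        self._sessions = {}

    def record_login(self, op_session_id, rp_realm, logout_endpoint=None):
        """Called when the OP issues an assertion to an RP. An RP that does not
        associate its application session with the OP session registers no endpoint."""
        self._sessions.setdefault(op_session_id, {})[rp_realm] = logout_endpoint

    def logout(self, op_session_id, notify):
        """notify(endpoint) -> bool models one back-channel logout request.
        The OP session is dropped regardless; the report says what else happened."""
        report = LogoutReport()
        for realm, endpoint in self._sessions.pop(op_session_id, {}).items():
            if endpoint is None:
                report.unreachable += 1       # nothing the OP can do for this RP
                continue
            try:
                ok = notify(endpoint)
            except Exception:                 # network failure counts as "not cleared"
                ok = False
            (report.confirmed if ok else report.failed).append(realm)
        return report


def user_message(report):
    """Honest outcome for the user: never claim more than the OP actually verified."""
    if report.complete:
        return "You have been signed out of all applications."
    return "Some applications could not be signed out; close your browser."
```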