[OpenID] Logout Use Case

[Nate Klingenstein]

Andrew,

This is one of the ways that Shibboleth has considered doing it.  Many  
universities' local web SSO packages work this way.

It's a great way to do mechanical front-channel logout, but you do  
have to rely on RP's, OP's, and applications to do the right thing,  
and that really is where the bulk of the problem lies.  In an  
environment like Facebook's, there's only one identity source and a  
lot more control over the apps.

OpenID should be able to define a fairly simple profile to plumb such  
a logout interface, and SAML offers a pretty good example.

Thanks,
Nate.

On Sep 30, 2009, at 2:36 PM, Andrew Arnott wrote:

> That's a cool idea.  The OP sending an iframe that logs the user  
> agent out of all the RPs sounds cool, and simpler than the OAuth idea.