[Openid-specs-ab] About single logout

Andreas Åkre Solberg andreas.solberg at uninett.no
Thu Sep 1 23:13:40 UTC 2011


After I mentioned the single logout use case, it was expressed that keeping state about RP sessions at the OP would be a no-go. Consequently, single logout is a no-go as well. I don't see any way that could possibly be implemented without the OP keeping state of the live RP sessions.

If I were to spec single logout with OpenID Connect, it probably would include requiring that all entities be able to look up the session by a key available in a token (for example the ID token) rather than just the session cookie; and I would do most of the logout handling back channel.

I did a presentation on logout at a conference in Spain two years ago. I'd recommend looking through the slide deck:
	http://tnc2009.terena.org/core/getfile2e64.pdf?file_id=341
It also includes screenshots from the logout solution of ours that I mentioned on the call.

Andreas
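
An added example, not part of the original message or of any OpenID specification: the design described above, with the OP recording which RPs hold live sessions and each RP indexing its sessions by a key carried in the token as well as by cookie. All class, method and field names are hypothetical, and the back channel is modelled as a direct call that is assumed to be authenticated.

```python
# Added illustration; every name here is hypothetical.
import secrets


class RelyingParty:
    """RP that indexes sessions by cookie and by a key carried in the token."""

    def __init__(self, name):
        self.name = name
        self.by_cookie = {}      # cookie value -> session record
        self.cookie_by_key = {}  # session key from token -> cookie value

    def login(self, token):
        # `token` is a constructed dict standing in for a verified ID token.
        cookie = secrets.token_urlsafe(16)
        self.by_cookie[cookie] = {"user": token["user"]}
        self.cookie_by_key[token["session_key"]] = cookie
        return cookie

    def backchannel_logout(self, session_key):
        # Server-to-server call: no browser is involved, so no cookie exists here.
        cookie = self.cookie_by_key.pop(session_key, None)
        if cookie is None:
            return False         # unknown or already ended session
        del self.by_cookie[cookie]
        return True

    def is_logged_in(self, cookie):
        return cookie in self.by_cookie


class Provider:
    """OP that keeps state about which RPs hold a live session."""

    def __init__(self):
        self.live = {}           # session key -> (user, RPs that got a token)

    def authenticate(self, user):
        key = secrets.token_urlsafe(16)
        self.live[key] = (user, [])
        return key

    def issue_token(self, key, rp):
        user, rps = self.live[key]
        rps.append(rp)           # the per-RP state the OP has to keep
        return {"user": user, "session_key": key}

    def single_logout(self, key):
        # Notify every RP recorded for this session; report the per-RP outcome.
        _, rps = self.live.pop(key, (None, []))
        return {rp.name: rp.backchannel_logout(key) for rp in rps}
```

The per-RP result map lets the OP tell the user which RPs confirmed the logout and which did not.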
