[Openid-specs-ab] About single logout
John Bradley
ve7jtb at ve7jtb.com
Fri Sep 2 01:32:19 UTC 2011
It should be optional but we should document it soon. The more RPs that support it, the better.
We should do a session on it at the Summit.
John B.
On 2011-09-01, at 9:15 PM, Breno de Medeiros wrote:
> Yes, Google is interested in supporting single sign-out in this push
> model as well. I think it should be optional feature support, however.
> I will read your slides.
>
> On Thu, Sep 1, 2011 at 16:31, John Bradley <ve7jtb at ve7jtb.com> wrote:
>> One possibility is having the RP register a logout endpoint with the IdP when they get their client ID.
>>
>> The IdP could keep the client ID of the active sessions in a browser cookie. When the user is redirected back to the IdP and elects to log out of all sessions, the IdP would create a per-RP logout JWT and post that to the RP's logout endpoint.
>>
>> The JWT would be signed using the shared secret and have a claim of logout=force or something like that along with the user ID. The RP would need to be responsible for killing the session cookies in the user's browser.
>>
>> I don't know that you would get enough RPs supporting it for it to be worthwhile, though.
>>
>> If the RP logout endpoint is registered then the IdP only needs to worry about the RPs that support it.
>>
>> I will look at your deck.
>>
>> John B.
>> On 2011-09-01, at 8:13 PM, Andreas Åkre Solberg wrote:
>>
>>> After I mentioned the single logout use case, it was expressed that keeping state about RP sessions at the OP would be a no-go. Consequently single logout is a no-go as well. I don't see any way that could possibly be implemented without the OP keeping state on the live RP sessions.
>>>
>>> If I were to spec single logout with OpenID Connect, it probably would include requiring that all entities be able to look up the session by a key available in a token (for example the ID token) rather than just the session cookie; and I would do most of the logout handling over the back channel.
>>>
>>> I did a presentation on logout at a conference in Spain two years ago. I'd recommend looking through the slide deck:
>>> http://tnc2009.terena.org/core/getfile2e64.pdf?file_id=341
>>> it also includes screenshots from the logout solution of ours that I mentioned on the call.
>>>
>>> Andreas
>>>
>>> _______________________________________________
>>> Openid-specs-ab mailing list
>>> Openid-specs-ab at lists.openid.net
>>> http://lists.openid.net/mailman/listinfo/openid-specs-ab
>>
>>
>
>
>
> --
> --Breno
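The push model John Bradley sketches above (the RP registers a logout endpoint when it gets its client ID; the IdP mints a per-RP JWT signed with the shared secret carrying logout=force and the user ID; the RP kills its own sessions), combined with Andreas's point that the RP must be able to find the session by a key carried in the token rather than by a browser cookie, worked through as an added example. This is not code from the thread, from any of the posters, or from an OpenID specification: the claim names (logout, sid), the 120-second token lifetime, the in-memory session store and the issuer/client values are assumptions, and the HTTP POST to the RP's logout endpoint is replaced by a direct call to the RP handler so the example runs offline.

```python
from __future__ import annotations
import base64, hashlib, hmac, json, secrets, time


class LogoutError(Exception):
    """Raised by the RP when a logout JWT must not be acted on."""


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _encode_json(obj) -> str:
    return _b64url(json.dumps(obj, separators=(",", ":")).encode())


def mint_logout_jwt(shared_secret: bytes, issuer: str, client_id: str,
                    user_id: str, session_id: str, now=None) -> str:
    """IdP side: per-RP logout JWT, HS256 over that RP's shared client secret (assumed format)."""
    now = int(time.time()) if now is None else now
    claims = {
        "iss": issuer, "aud": client_id, "sub": user_id,
        "sid": session_id,             # key the RP can look the session up by (no cookie on the back channel)
        "logout": "force",             # the claim John proposed, name assumed
        "iat": now, "exp": now + 120,  # short lifetime bounds the replay window
        "jti": secrets.token_urlsafe(16),
    }
    signing_input = _encode_json({"alg": "HS256", "typ": "JWT"}) + "." + _encode_json(claims)
    sig = hmac.new(shared_secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


class RelyingParty:
    """RP with a registered logout endpoint (handle_logout) and an in-memory session table."""

    def __init__(self, client_id: str, shared_secret: bytes, issuer: str):
        self.client_id, self.shared_secret, self.issuer = client_id, shared_secret, issuer
        self.sessions: dict[str, dict] = {}  # session_id -> {"user": ..., "cookie": ...}
        self.seen_jti: set[str] = set()

    def create_session(self, user_id: str, session_id: str) -> str:
        cookie = secrets.token_urlsafe(16)
        self.sessions[session_id] = {"user": user_id, "cookie": cookie}
        return cookie

    def handle_logout(self, token: str, now=None) -> list[str]:
        """Logout endpoint: verify the JWT, then return the session IDs terminated."""
        now = int(time.time()) if now is None else now
        try:
            h_b64, c_b64, s_b64 = token.split(".")
            header = json.loads(_b64url_decode(h_b64))
            claims = json.loads(_b64url_decode(c_b64))
            sig = _b64url_decode(s_b64)
        except Exception as exc:
            raise LogoutError(f"malformed token: {exc}") from None
        if header.get("alg") != "HS256":  # pin the alg: the token never chooses (alg=none, confusion)
            raise LogoutError("unexpected alg")
        expected = hmac.new(self.shared_secret, f"{h_b64}.{c_b64}".encode("ascii"), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, sig):  # constant-time compare
            raise LogoutError("bad signature")
        if claims.get("iss") != self.issuer or claims.get("aud") != self.client_id:
            raise LogoutError("wrong issuer or audience")
        if claims.get("logout") != "force":
            raise LogoutError("not a logout token")
        if not (claims.get("iat", 0) - 60 <= now < claims.get("exp", 0)):
            raise LogoutError("expired or not yet valid")
        jti = claims.get("jti")
        if not jti or jti in self.seen_jti:  # a captured POST must not log the user out twice
            raise LogoutError("replayed or missing jti")
        self.seen_jti.add(jti)
        # Terminate by the session key in the token; without one, every session of that user.
        sid, sub = claims.get("sid"), claims.get("sub")
        targets = [sid] if sid in self.sessions else list(self.sessions)
        killed = [k for k in targets if self.sessions[k]["user"] == sub]
        for k in killed:
            del self.sessions[k]
        return killed


def _reject_reason(rp: RelyingParty, token: str, now: int):
    try:
        rp.handle_logout(token, now)
    except LogoutError as exc:
        return str(exc)
    return None


def demo() -> dict:
    """Constructed scenario: one IdP, one RP holding two sessions for alice."""
    issuer, client_id, secret = "https://idp.example", "rp-1", b"per-rp-shared-secret"
    rp = RelyingParty(client_id, secret, issuer)
    rp.create_session("alice", "sess-1")
    rp.create_session("alice", "sess-2")
    token = mint_logout_jwt(secret, issuer, client_id, "alice", "sess-1", now=1000)
    out = {"killed": rp.handle_logout(token, now=1001), "remaining": sorted(rp.sessions)}
    out["replay"] = _reject_reason(rp, token, 1002)
    forged = _encode_json({"alg": "none"}) + "." + _encode_json(
        {"iss": issuer, "aud": client_id, "sub": "alice", "logout": "force",
         "iat": 1000, "exp": 1100, "jti": "x"}) + "."
    out["alg_none"] = _reject_reason(rp, forged, 1001)
    out["wrong_aud"] = _reject_reason(rp, mint_logout_jwt(secret, issuer, "rp-2", "alice", "sess-2", now=1000), 1001)
    out["expired"] = _reject_reason(rp, mint_logout_jwt(secret, issuer, client_id, "alice", "sess-2", now=1000), 5000)
    out["still_there"] = sorted(rp.sessions)
    return out


if __name__ == "__main__":
    print(demo())
```

The checks on the RP side are the part worth keeping whatever the claim names end up being: pin the algorithm and compare the MAC in constant time; check aud so a token minted for one RP cannot be posted to another; check exp and jti because a back-channel POST can be captured and replayed; and select the session by the key in the token, since the back channel carries no browser cookie. Note that the RP can only invalidate the session server-side from here; the cookie still sitting in the browser becomes useless rather than being cleared, which is what "killing the session cookies" has to mean in the push model. For reference, the mechanism OpenID later standardized as Back-Channel Logout 1.0 carries an events claim and sid/sub in a logout token instead of a logout=force claim, but the verification steps are the same.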