Issues with single sign out
Johannes Ernst
jernst+openid.net at netmesh.us
Tue Nov 7 21:03:36 UTC 2006
On Nov 7, 2006, at 10:47, Dick Hardt wrote:
> * clearing session cookies
I think there are two ways of dealing with this:
- give the IdP/OP/whatever-its-name a means to tell the RP directly
that user X needs to be logged out, without going through the
browser. Disadvantage: doesn't go through a firewall in some
circumstances.
- create a page at the IdP/OP with N iframes in it, each iframe
corresponding to an RP, accessing the RP with a parameter, such as
http://example.com/?lid= (as we do it right now in LID, or something
like it)
In addition, I think that RPs should always expire their sessions
after some time (minutes, not days) and automatically revalidate with
the IdP/OP. Then, by default, an abandoned computer logs out ... as
it is generally good practice for PCs.
> * differentiating between logging out of the site and logging out of
> all OpenID sessions
This is important, thank you for bringing it up. I would suggest that
single-sign-out would always have to be triggered through the IdP,
never through an RP. If so, it could be left to the IdP/OP how to
implement that, just like we don't prescribe how to authenticate either.
I realize that just passes the buck, but I'm generally comfortable
not standardizing things where there are good chances we haven't
found a clearly superior design alternative. It might turn out to be
"log off on RP means log off from this RP only; big red button on IdP
means log off everywhere".
Johannes Ernst
NetMesh Inc.
http://netmesh.info/jernst
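The two sign-out designs and the short RP session lifetime described in the message above, as an added example in Python (not code from the mail, from LID or from OpenID). The RelyingParty and IdentityProvider classes, the logout URLs and the use of the user identifier as the value of the lid parameter are assumptions.

```python
import html
import secrets
from urllib.parse import quote

# Constructed example, not code from the mail, LID or OpenID: an RP whose
# sessions expire after minutes, and an IdP that signs a user out of every RP
# directly (back channel) or via a page of iframes (front channel). The 'lid'
# parameter is from the mail; carrying the user id in it is an assumption. A
# real RP must also check that a logout request came from its IdP.
SESSION_TTL = 10 * 60  # seconds: "minutes, not days"

class RelyingParty:
    def __init__(self, logout_url: str):
        self.logout_url = logout_url
        self.sessions: dict[str, tuple[str, float]] = {}  # sid -> (user, validated_at)

    def login(self, user: str, now: float) -> str:
        sid = secrets.token_urlsafe(16)
        self.sessions[sid] = (user, now)  # now = when the IdP confirmed the login
        return sid

    def is_valid(self, sid: str, now: float) -> bool:
        """Past the TTL the RP must revalidate with the IdP before trusting sid."""
        s = self.sessions.get(sid)
        return s is not None and now - s[1] < SESSION_TTL

    def logout_user(self, user: str) -> int:
        """Handler behind logout_url: drop every session held for this user."""
        doomed = [sid for sid, (u, _) in self.sessions.items() if u == user]
        for sid in doomed:
            del self.sessions[sid]
        return len(doomed)

class IdentityProvider:
    def __init__(self):
        self.logins: dict[str, list[RelyingParty]] = {}  # user -> RPs signed in

    def record_login(self, user: str, rp: RelyingParty) -> None:
        self.logins.setdefault(user, []).append(rp)

    def logout_everywhere_backchannel(self, user: str) -> int:
        """Option 1: tell each RP directly; no browser, but firewalls may block it."""
        return sum(rp.logout_user(user) for rp in self.logins.pop(user, []))

    def logout_everywhere_page(self, user: str) -> str:
        """Option 2: one iframe per RP; the user's browser carries the request."""
        frames = "".join(f'<iframe src="{html.escape(rp.logout_url + "?lid=" + quote(user))}"></iframe>'
                         for rp in self.logins.get(user, []))
        return f"<html><body>{frames}</body></html>"
```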