Issues with single sign out

Recordon, David drecordon at verisign.com
Tue Nov 7 23:38:06 UTC 2006 

While the application wouldn't have access to the cookies, the
application can kill the session id in the database thus logging the
user out.

--David 

-----Original Message-----
From: user-experience-bounces at openid.net
[mailto:user-experience-bounces at openid.net] On Behalf Of Dick Hardt
Sent: Tuesday, November 07, 2006 3:29 PM
To: OpenID user experience
Subject: Re: Issues with single sign out


On 7-Nov-06, at 1:03 PM, Johannes Ernst wrote:

> On Nov 7, 2006, at 10:47, Dick Hardt wrote:
>
>> * clearing session cookies
>
> I think there are two ways of dealing with this:
>  - give the IdP/OP/whatever-its-name a means to tell the RP directly 
> that user X needs to be logged out, without going through the browser.

> Disadvantage: doesn't go through a firewall in some circumstances.

no access to cookie from app

>  - create a page at the IdP/OP with N iframes in it, each iframe 
> corresponding to a RP, accessing the RP with a parameter, such as 
> http://example.com/?lid= (as we do it right now in LID, or something 
> like it)

not all browsers send the cookies if the page is in a frame

>
> In addition, I think that RPs should always expire their sessions 
> after some time (minutes, not days) and automatically revalidate with 
> the IdP/OP. Then, by default, an abandoned computer logs out ... as it

> is generally good practice for PCs.
>
>> * differentiating between logging out of the site and logging out of 
>> all OpenID sessions
>
> This is important, thank you for bringing it up. I would suggest that 
> single-sign-out would always have to be triggered through the IdP, 
> never through a RP. If so, it could be left to the IdP/OP how to 
> implement that, just like we don't prescribe how to authenticate 
> either.

how does the user get to the OP to trigger it? Once logged in, there are
no links to the OP unless it is the [logout] link
>
> I realize that just passes the buck, but I'm generally comfortable not

> standardizing things where there are good chances we haven't found a 
> clearly superior design alternative. It might turn out to be "log off 
> on RP means log off from this RP only; big red button on IdP means log

> off everywhere".

I was sharing the issues we had. I think until someone has the complete
UX figured out, there is no point in implementing.

-- Dick
_______________________________________________
user-experience mailing list
user-experience at openid.net
http://openid.net/mailman/listinfo/user-experience

More information about the user-experience mailing list