Issues with single sign out
Dick Hardt
dick at sxip.com
Wed Nov 8 00:10:13 UTC 2006
Assumes that is how the app manages session. When trying to add
single sign out to things like Drupal, this approach was challenging.
On 7-Nov-06, at 3:38 PM, Recordon, David wrote:
> While the application wouldn't have access to the cookies, the
> application can kill the session id in the database thus logging the
> user out.
>
> --David
>
> -----Original Message-----
> From: user-experience-bounces at openid.net
> [mailto:user-experience-bounces at openid.net] On Behalf Of Dick Hardt
> Sent: Tuesday, November 07, 2006 3:29 PM
> To: OpenID user experience
> Subject: Re: Issues with single sign out
>
>
> On 7-Nov-06, at 1:03 PM, Johannes Ernst wrote:
>
>> On Nov 7, 2006, at 10:47, Dick Hardt wrote:
>>
>>> * clearing session cookies
>>
>> I think there are two ways of dealing with this:
>> - give the IdP/OP/whatever-its-name a means to tell the RP directly
>> that user X needs to be logged out, without going through the
>> browser.
>
>> Disadvantage: doesn't go through a firewall in some circumstances.
>
> no access to cookie from app
>
>> - create a page at the IdP/OP with N iframes in it, each iframe
>> corresponding to a RP, accessing the RP with a parameter, such as
>> http://example.com/?lid= (as we do it right now in LID, or something
>> like it)
>
> not all browsers send the cookies if the page is in a frame
>
>>
>> In addition, I think that RPs should always expire their sessions
>> after some time (minutes, not days) and automatically revalidate with
>> the IdP/OP. Then, by default, an abandoned computer logs out ...
>> as it
>
>> is generally good practice for PCs.
>>
>>> * differentiating between logging out of the site and logging out of
>>> all OpenID sessions
>>
>> This is important, thank you for bringing it up. I would suggest that
>> single-sign-out would always have to be triggered through the IdP,
>> never through a RP. If so, it could be left to the IdP/OP how to
>> implement that, just like we don't prescribe how to authenticate
>> either.
>
> how does the user get to the OP to trigger it? Once logged in,
> there are
> no links to the OP unless it is the [logout] link
>>
>> I realize that just passes the buck, but I'm generally comfortable
>> not
>
>> standardizing things where there are good chances we haven't found a
>> clearly superior design alternative. It might turn out to be "log off
>> on RP means log off from this RP only; big red button on IdP means
>> log
>
>> off everywhere".
>
> I was sharing the issues we had. I think until someone has the
> complete
> UX figured out, there is no point in implementing.
>
> -- Dick
> _______________________________________________
> user-experience mailing list
> user-experience at openid.net
> http://openid.net/mailman/listinfo/user-experience
>
> _______________________________________________
> user-experience mailing list
> user-experience at openid.net
> http://openid.net/mailman/listinfo/user-experience
>
>
More information about the user-experience
mailing list