Issues with single sign out

Dick Hardt dick at sxip.com
Wed Nov 8 06:16:41 UTC 2006


I was just sharing what we had learned. As noted, glad to have our  
conclusions proven wrong!

-- Dick

On 7-Nov-06, at 4:26 PM, Recordon, David wrote:

> True, but certainly doesn't mean that OpenID as a framework shouldn't
> address how to do single sign out assuming the RP can do it.  Would be
> easy for the RP to advertise if it supports it or not when the user is
> logging in.
>
> --David
>
> -----Original Message-----
> From: user-experience-bounces at openid.net
> [mailto:user-experience-bounces at openid.net] On Behalf Of Dick Hardt
> Sent: Tuesday, November 07, 2006 4:10 PM
> To: OpenID user experience
> Subject: Re: Issues with single sign out
>
> Assumes that is how the app manages session. When trying to add single
> sign out to things like Drupal, this approach was challenging.
>
> On 7-Nov-06, at 3:38 PM, Recordon, David wrote:
>
>> While the application wouldn't have access to the cookies, the
>> application can kill the session id in the database thus logging the
>> user out.
>>
>> --David
>>
>> -----Original Message-----
>> From: user-experience-bounces at openid.net
>> [mailto:user-experience-bounces at openid.net] On Behalf Of Dick Hardt
>> Sent: Tuesday, November 07, 2006 3:29 PM
>> To: OpenID user experience
>> Subject: Re: Issues with single sign out
>>
>>
>> On 7-Nov-06, at 1:03 PM, Johannes Ernst wrote:
>>
>>> On Nov 7, 2006, at 10:47, Dick Hardt wrote:
>>>
>>>> * clearing session cookies
>>>
>>> I think there are two ways of dealing with this:
>>>  - give the IdP/OP/whatever-its-name a means to tell the RP directly
>>> that user X needs to be logged out, without going through the
>>> browser.
>>> Disadvantage: doesn't go through a firewall in some circumstances.
>>
>> no access to cookie from app
>>
>>>  - create a page at the IdP/OP with N iframes in it, each iframe
>>> corresponding to a RP, accessing the RP with a parameter, such as
>>> http://example.com/?lid= (as we do it right now in LID, or something
>>> like it)
>>
>> not all browsers send the cookies if the page is in a frame
>>
>>>
>>> In addition, I think that RPs should always expire their sessions
>>> after some time (minutes, not days) and automatically revalidate with
>>> the IdP/OP. Then, by default, an abandoned computer logs out ... as it
>>> is generally good practice for PCs.
>>>
>>>> * differentiating between logging out of the site and logging out of
>>>> all OpenID sessions
>>>
>>> This is important, thank you for bringing it up. I would suggest that
>>> single-sign-out would always have to be triggered through the IdP,
>>> never through a RP. If so, it could be left to the IdP/OP how to
>>> implement that, just like we don't prescribe how to authenticate
>>> either.
>>
>> how does the user get to the OP to trigger it? Once logged in, there
>> are no links to the OP unless it is the [logout] link
>>>
>>> I realize that just passes the buck, but I'm generally comfortable not
>>> standardizing things where there are good chances we haven't found a
>>> clearly superior design alternative. It might turn out to be "log off
>>> on RP means log off from this RP only; big red button on IdP means log
>>> off everywhere".
>>
>> I was sharing the issues we had. I think until someone has the
>> complete UX figured out, there is no point in implementing.
>>
>> -- Dick
>> _______________________________________________
>> user-experience mailing list
>> user-experience at openid.net
>> http://openid.net/mailman/listinfo/user-experience
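Added example, not code from this thread or from any OpenID library: a relying-party session store that does what the three messages above argue over. David's point (the RP cannot touch the browser cookie, but it can kill the session id behind it) is `logout_identity`; Johannes's first option (the OP tells the RP directly, without the browser) is `handle_backchannel_logout`; his "minutes, not days" expiry is `SESSION_TTL` in `lookup`; his second option (an OP page with one iframe per RP) is `frontchannel_logout_page`. The notification format, the shared secret and its HMAC signing are assumptions for the example; OpenID as discussed here defined no such message.

```python
"""RP-side session handling for single sign-out (added example).
Assumptions: the OP authenticates its logout notification with a shared
secret and an HMAC, and names the user by identity URL, not by cookie."""
import hashlib
import hmac
import html
import secrets
import time

SESSION_TTL = 10 * 60  # seconds: "minutes, not days", then revalidate with the OP


class RpSessionStore:
    """Server-side sessions keyed by an opaque id that lives in the browser cookie.
    The OP never sees that cookie; it only needs to name the identity."""

    def __init__(self):
        self._sessions = {}     # sid -> {"identity": str, "authenticated_at": float}
        self._by_identity = {}  # identity -> set of sids, so a logout can find them

    def create(self, identity, now=None):
        now = time.time() if now is None else now
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"identity": identity, "authenticated_at": now}
        self._by_identity.setdefault(identity, set()).add(sid)
        return sid

    def lookup(self, sid, now=None):
        """Identity for a live, fresh session; None if the RP must send the
        browser back to the OP (expired session) or to log in again (killed)."""
        now = time.time() if now is None else now
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        if now - entry["authenticated_at"] > SESSION_TTL:
            self._delete(sid)  # abandoned computer logs out by itself
            return None
        return entry["identity"]

    def logout_local(self, sid):
        """'Log off on RP means log off from this RP only.'"""
        return self._delete(sid)

    def logout_identity(self, identity):
        """Kill every session for one identity (what the OP asks for); returns how many."""
        sids = list(self._by_identity.get(identity, ()))
        for sid in sids:
            self._delete(sid)
        return len(sids)

    def _delete(self, sid):
        entry = self._sessions.pop(sid, None)
        if entry is None:
            return False
        self._by_identity[entry["identity"]].discard(sid)
        return True


def sign_logout_message(identity, issued_at, secret):
    """OP side (assumed format): HMAC over identity and timestamp with a shared secret."""
    payload = f"{identity}\n{issued_at}".encode()
    return hmac.new(secret, payload, hashlib.sha256).hexdigest()


def handle_backchannel_logout(store, identity, issued_at, sig, secret, now=None, max_age=300):
    """RP side of the direct OP->RP notification (no browser involved).
    Returns the number of sessions killed; 0 if the message is rejected."""
    now = time.time() if now is None else now
    expected = sign_logout_message(identity, issued_at, secret)
    if not hmac.compare_digest(expected, sig):
        return 0  # unauthenticated: otherwise anyone could log arbitrary users out
    if abs(now - issued_at) > max_age:
        return 0  # stale or replayed notification
    return store.logout_identity(identity)


def frontchannel_logout_page(rp_logout_urls):
    """OP page with one iframe per RP logout URL. Whether the RP's session cookie
    is actually sent inside the frame is up to the browser, as the thread notes."""
    frames = "\n".join(
        f'<iframe src="{html.escape(u, quote=True)}" width="0" height="0"></iframe>'
        for u in rp_logout_urls
    )
    return f"<html><body>\n{frames}\n</body></html>"
```

The `max_age` window and the signature check are the two things a practitioner should not drop from the back-channel path: without them the "tell the RP directly" endpoint is an unauthenticated way to log other people out. The front-channel page makes no such check because the RP's own cookie does the work, which is exactly why it fails when the browser withholds the cookie inside a frame.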