Single Logout

  1. Single Log-Out. Andreas Åkre Solberg, Malaga, June 2009
  2. Sessions on the Web. HTTP is originally stateless; cookies (RFC 2965, since obsoleted by RFC 6265) are used to keep state. The site sets a session ID the first time the user visits, and the browser sends it back with every subsequent HTTP request. [Diagram: first request: HTTP GET, the site replies with Set-Cookie: ID=23846; every subsequent request carries Cookie: ID=23846]
  3. Cookies limited to domains. Set-Cookie: ID=123; Domain=.site.org. Cookie sessions can be on one domain only. WebSSO protocols extend user sessions between domains. [Diagram: a master session at the IdP, linked through WebSSO to a separate session at each SP]
  4. Consequences of not terminating SSO. Logging in to one service and not terminating the SSO session enables access to a wide range of other services. Users do not understand this. [Diagram: one IdP session gives access through WebSSO to several SPs, e.g. financial system X, the employee salary system, and extending the loan period of a book at the library]
  5. Logout. What do users do when they want to log out? They either click logout, or close the browser/tab.
  6. Close the tab??? Yes, (some) people close the tab to log out. We hired a company to perform usability testing with real users.
  7. Logout. Most federations do not offer any kind of logout. What if we want to provide some kind of logout? What are our options?
  8. Local Logout. Can the federation leave logout to the services alone, each providing an independent local logout? NO! What will SSO do to you if you click login after having logged out locally? The IdP session is still active, so you are logged straight back in without entering credentials.
  9. Local + IdP Logout. Is this a good idea? SAML 2.0 provides protocol elements to distribute logout among entities. [Diagram: (1) SP1 sends a LogoutRequest to the IdP; (2) the IdP returns a LogoutResponse. The sessions at SP1 and the IdP are deactivated; SP2 and SP3 still have active sessions.]
  10. Local + IdP Logout. Boundaries between SPs are washed out with SSO. The user can never know exactly which services she is logged in to (because SSO is transparent). Therefore local + IdP logout is a «no go»! [Diagram: service foo at SP1 and service bar at SP2, both behind the same IdP]
  11. Single Logout, as in the SAML 2.0 Single Logout Profile. [Diagram: (1) SP1 sends a LogoutRequest to the IdP; (2) the IdP sends a LogoutRequest to SP2; (3) SP2 returns a LogoutResponse; (4) the IdP sends a LogoutRequest to SP3; (5) SP3 returns a LogoutResponse; (6) the IdP returns a LogoutResponse to SP1.] Logout is fully propagated to all services that share a session.
  12. Single Logout Usability. There is no way to get the user to understand what is going on with SLO without being extremely clear and explicit. Because users generally do not fully understand SSO, there is no common intuitive understanding of what SLO will do; it differs from user to user. One of the things we tried: naming the button «Global logout» does not make it any easier for the user.
  13. Single Logout Back-Out. Users who are in the middle of an important transaction at SP2 will not like it if it is interrupted when they log out from SP1. Real-life example, a requirement from a financial-system SP: the user should be told which services she is logged on to, and asked whether she wants to log out from all of them.
  14. Single Logout Bindings. Front-channel: not robust. SP2 may throw a 500 Internal Server Error while the user is being logged out from SP1, which stops the chain of browser redirects and leaves the remaining SPs logged in. Back-channel: difficult to implement for SPs, because the LogoutRequest arrives directly from the IdP without the user's session cookie, so the SP has to locate the session by the NameID and SessionIndex carried in the request instead.
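The back-channel problem on the slide above, worked through as an added example (not simpleSAMLphp code; the in-memory store and the session layout are assumptions): an SP session store that serves the front channel by cookie and the back channel by NameID and SessionIndex, so a logout request that arrives without any cookie can still end the right session.

```python
"""SP-side session store that can honour a SAML 2.0 LogoutRequest both over
the front channel (browser present, cookie available) and over the back
channel (request comes straight from the IdP, no cookie at all).
Added example for this deck, not simpleSAMLphp's own code; the in-memory
store and field names are assumptions."""
from dataclasses import dataclass
import secrets


@dataclass(eq=False)  # identity-based, so sessions can live in a set
class SpSession:
    cookie: str          # value of the SP's own session cookie
    name_id: str         # SAML NameID from the assertion
    session_index: str   # SessionIndex from the assertion's AuthnStatement
    active: bool = True


class SpSessionStore:
    """Sessions are keyed by cookie value for ordinary requests and also
    indexed by (NameID, SessionIndex) and by NameID alone, so a back-channel
    LogoutRequest can locate the session without a cookie."""

    def __init__(self):
        self._by_cookie = {}    # cookie -> SpSession
        self._by_saml = {}      # (name_id, session_index) -> SpSession
        self._by_name_id = {}   # name_id -> set of SpSession

    def create_from_assertion(self, name_id, session_index):
        """Called after a successful SSO response; returns the cookie value."""
        s = SpSession(secrets.token_urlsafe(16), name_id, session_index)
        self._by_cookie[s.cookie] = s
        self._by_saml[(name_id, session_index)] = s
        self._by_name_id.setdefault(name_id, set()).add(s)
        return s.cookie

    def is_active(self, cookie):
        s = self._by_cookie.get(cookie)
        return s is not None and s.active

    def _terminate(self, s):
        s.active = False
        self._by_cookie.pop(s.cookie, None)
        self._by_saml.pop((s.name_id, s.session_index), None)
        self._by_name_id.get(s.name_id, set()).discard(s)

    def front_channel_logout(self, cookie, name_id, session_index):
        """The browser carries the cookie, but the LogoutRequest is still
        checked against the session it names: a request naming one principal
        must not end a different principal's session. Returns True if a
        session was terminated."""
        s = self._by_cookie.get(cookie)
        if s is None or (s.name_id, s.session_index) != (name_id, session_index):
            return False
        self._terminate(s)
        return True

    def back_channel_logout(self, name_id, session_index=None):
        """No cookie here. SessionIndex is optional in a LogoutRequest; when it
        is absent every session for the NameID is terminated. Returns True if
        at least one session was ended."""
        if session_index is not None:
            s = self._by_saml.get((name_id, session_index))
            if s is None:
                return False
            self._terminate(s)
            return True
        targets = list(self._by_name_id.get(name_id, ()))
        for s in targets:
            self._terminate(s)
        return bool(targets)
```

The point of the second index is exactly the difficulty the slide names: without it, an SP that only ever looks up sessions by cookie has no way to act on a back-channel request, and would have to answer the IdP with a failure status.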
  15. Single Logout Solution. Our solution: • front-channel only, so we are not stuck with back-channel complexity • the robustness problem is solved with hidden iFrames • the user is presented with a list of logged-in services • the user can choose to log out local + IdP or globally • good feedback to the user when things fail.
  16. Single Logout Solution. [Diagram]
  17. Single Logout Solution. Hidden iFrames, one per SP (SP1, SP2, SP3), send the front-channel LogoutRequests and update the logout status with AJAX.
  18. Single Logout Solution. The LogoutResponse endpoint on the IdP receives each SP's LogoutResponse and updates the status on the user's logout page with AJAX.
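The IdP side of slides 9, 11 and 15-18, as an added example (not simpleSAMLphp's own code; entity IDs, the timeout value and the pluggable clock are assumptions): the IdP remembers which SPs took part in a session, issues one front-channel LogoutRequest per SP for the hidden iframes, and its LogoutResponse endpoint updates the per-SP status that the logout page polls over AJAX. An SP whose iframe fails with a 500 never answers, so it is marked failed after a timeout instead of hanging the page, and the final status sent back to the initiating SP becomes PartialLogout rather than Success. The local + IdP option from slide 9 is included to show the SP sessions it leaves behind.

```python
"""IdP-side model of the hidden-iFrame + AJAX single logout flow.
Added example for this deck, not simpleSAMLphp's own code; entity IDs,
the default timeout and the injectable clock are assumptions."""
import time

SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
PARTIAL = "urn:oasis:names:tc:SAML:2.0:status:PartialLogout"


class IdPSession:
    def __init__(self, name_id):
        self.name_id = name_id
        self.active = True
        self.participants = {}  # SP entity ID -> SessionIndex issued to that SP


def local_idp_logout(session, initiator):
    """The 'local + IdP' option: end only the IdP session. Returns the SPs
    that still hold a live session, which is why the slides reject it."""
    session.active = False
    return sorted(sp for sp in session.participants if sp != initiator)


class GlobalLogout:
    """State for one user's global logout page; the initiator has already
    logged out locally and sent its LogoutRequest to the IdP."""

    def __init__(self, session, initiator, timeout=10.0, clock=time.monotonic):
        self.session = session
        self.initiator = initiator
        self.timeout = timeout
        self.clock = clock
        self.started = clock()
        self.status = {sp: "pending"
                       for sp in session.participants if sp != initiator}

    def services_list(self):
        """Shown to the user before she confirms: which SPs will be logged out."""
        return sorted(self.status)

    def logout_requests(self):
        """One front-channel LogoutRequest per other participant; each is
        loaded in its own hidden iframe so a failing SP cannot break the chain."""
        return [{"Destination": sp,
                 "NameID": self.session.name_id,
                 "SessionIndex": self.session.participants[sp]}
                for sp in sorted(self.status)]

    def on_logout_response(self, sp, status_code):
        """LogoutResponse endpoint on the IdP, reached by the iframe redirect."""
        if sp not in self.status:
            return False  # unknown or already-finished SP: ignore
        self.status[sp] = "completed" if status_code == SUCCESS else "failed"
        return True

    def poll(self):
        """What the AJAX poll returns; SPs that have not answered by the
        timeout are marked failed so the user gets feedback instead of a spinner."""
        if self.clock() - self.started >= self.timeout:
            for sp in list(self.status):
                if self.status[sp] == "pending":
                    self.status[sp] = "failed"
        return dict(self.status)

    def result(self):
        """Status code for the final LogoutResponse to the initiator, or
        None while some SP is still pending."""
        st = self.poll()
        if "pending" in st.values():
            return None
        self.session.active = False
        return SUCCESS if all(v == "completed" for v in st.values()) else PARTIAL
```

Each iframe's LogoutResponse lands on the same endpoint, so the page can show per-service feedback as responses arrive; the timeout is what turns the front channel's "not robust" failure mode into a visible "failed" entry rather than a hung page.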
  19. Live demo!
  20. iFrame + AJAX Single Logout, as provided by simpleSAMLphp. Available today.
  21. Is anyone using logout? The big question! We have had simpleSAMLphp in production for two months. Is anybody using global logout? Let's take a look at the statistics.
  22. Is anyone using logout? Yes! At a surprising SLO:SSO ratio of 1:10. The SLO:SSO ratio varies a great deal between service providers, from 0 to 1:2!
  23. Andreas Åkre Solberg