Single Log-Out
Andreas Åkre Solberg
Malaga, June 2009
Sessions on the Web
• HTTP is originally stateless.
• Cookies are used to keep state.
• Cookies are specified in RFC 2965.
• A session ID is set the first time the user visits, and is sent back to the site with every subsequent HTTP request.
Diagram (reconstructed from slide residue): 1. First request: Browser -> Site: HTTP GET; Site -> Browser: Set-Cookie: ID=23846. 2. Subsequent requests: Browser -> Site: Cookie: ID=23846.
Cookies limited to domains
Set-Cookie: ID=123; Domain=.site.org
Cookie sessions can be on one domain only. WebSSO protocols extend user sessions between domains.
Diagram (reconstructed from slide residue): the master session lives at the IdP; each SP holds its own WebSSO session.
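The domain rule behind this slide, as an added example that is not part of the original deck: a small model of how a browser decides which cookies to return to a host, following the domain-matching rules of RFC 2965 (and the later RFC 6265). The host names, cookie names and the `demo()` function are constructed for illustration. It shows why the slide's `ID=123` cookie reaches every host under `site.org` but never a host in another domain, which is exactly the gap a WebSSO master session at the IdP has to bridge.

```python
# Added example (not from the original slides): how a browser decides which
# cookies to send to a host, following the domain-matching rules of
# RFC 2965 / RFC 6265. Host names and cookie values are constructed.
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class Cookie:
    name: str
    value: str
    domain: str        # "" means host-only: returned only to the setting host
    path: str = "/"


def parse_set_cookie(header: str) -> Cookie:
    """Parse a minimal Set-Cookie value: name=value; Domain=...; Path=...
    Attribute names are case-insensitive; a leading dot on Domain is ignored."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    domain, path = "", "/"
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key = key.strip().lower()
        if key == "domain":
            domain = val.strip().lower().lstrip(".")
        elif key == "path":
            path = val.strip() or "/"
    return Cookie(name.strip(), value.strip(), domain, path)


def domain_matches(host: str, cookie: Cookie, origin_host: str) -> bool:
    """A host-only cookie goes back only to the host that set it; a cookie
    with a Domain attribute goes to that domain and all of its subdomains.
    The "." prefix check stops "notsite.org" from matching "site.org"."""
    host = host.lower()
    if not cookie.domain:
        return host == origin_host.lower()
    return host == cookie.domain or host.endswith("." + cookie.domain)


def cookie_header(jar: List[Tuple[Cookie, str]], host: str, path: str = "/") -> str:
    """Build the Cookie request header a browser would send to host/path.
    The jar holds (cookie, host that set it) pairs."""
    sent = [c.name + "=" + c.value for c, origin in jar
            if domain_matches(host, c, origin) and path.startswith(c.path)]
    return "; ".join(sent)


def demo() -> dict:
    """Cookie headers sent to various hosts from one jar (constructed data)."""
    jar = [
        (parse_set_cookie("ID=123; Domain=.site.org"), "www.site.org"),  # the slide's cookie
        (parse_set_cookie("SPSESSION=abc"), "sp1.example.edu"),         # host-only SP cookie
    ]
    hosts = ["www.site.org", "app.site.org", "site.org", "notsite.org",
             "sp1.example.edu", "sp2.example.edu"]
    return {h: cookie_header(jar, h) for h in hosts}


if __name__ == "__main__":
    for host, header in demo().items():
        print(f"{host:18} Cookie: {header or '(nothing)'}")
```

Run it and the `sp1.example.edu` session cookie is sent only to `sp1.example.edu`: a second SP in the same federation never sees it, so the only place that knows about all the user's sessions is the IdP's master session.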
Consequences of not terminating SSO
Logging in to one service and not terminating the SSO session enables access to a wide range of other services. Users do not understand this.
Diagram (reconstructed from slide residue): one IdP in front of several SPs, for example financial system X (employee salary payment) and the library (extending the loan period of a book).
Logout
What do users do when they want to log out? They:
• click logout, or
• close the browser/tab.
Close the tab???
Yes, (some) people close the tab to log out. We hired a company to perform usability testing with real users.
Logout
Most federations do not offer any kind of logout. What if we want to provide some kind of logout? What are our options?
Local Logout
Can the federations leave logout to the services alone, with each service providing its own independent local logout? NO! What will SSO do to you if you click login after having logged out locally?
Local + IdP Logout
Is this a good idea?
Diagram (reconstructed from slide residue): 1. SP1 -> IdP: LogoutRequest; 2. IdP -> SP1: LogoutResponse. The SP1 and IdP sessions are deactivated, while the sessions at SP2 and SP3 are still active.
SAML 2.0 provides a protocol element to distribute logout among entities.
Local + IdP Logout
Boundaries between SPs are washed out with SSO. The user can never know exactly which services she is logged into (because SSO is transparent). Therefore local + IdP logout is a «no go»!
Diagram (reconstructed from slide residue): MyPortal.com embeds Service foo (SP1) and Service bar (SP2), both behind the same IdP.
Single Logout, as in the SAML 2.0 Single Logout Profile
Diagram (reconstructed from slide residue): 1. SP1 -> IdP: LogoutRequest; 2. IdP -> SP2: LogoutRequest; 3. SP2 -> IdP: LogoutResponse; 4. IdP -> SP3: LogoutRequest; 5. SP3 -> IdP: LogoutResponse; 6. IdP -> SP1: LogoutResponse.
Logout is fully propagated to all services that share a session.
Single Logout Usability
There is no way to get the user to understand what is going on with SLO without being extremely clear and explicit. Because users generally do not fully understand SSO, there is no common intuitive understanding of what SLO will do. It differs from user to user. One of the things we tried: naming the button "Global logout" is not making it any easier for the user.
Single Logout Back-Out
Users that are in the middle of an important transaction at SP2 will not like it if it is interrupted when they log out from SP1.
Real-life example: a requirement from a financial system SP: the user should be told which servers she is logged on to, and asked whether she wants to log out from all of them.
Single Logout Bindings
Front-channel:
• Not robust. SP2 may throw a 500 internal error when the user logs out from SP1.
Back-channel:
• Difficult to implement for SPs, because the SP has no access to the session cookie.
Single Logout Solution
Our solution:
• We are using front-channel only, not stuck with back-channel complexity.
• Solving the robustness problem with hidden iFrames.
• Presenting the user with a list of logged-in services.
• Option to log out local + IdP or globally.
• Good feedback to the user when things fail.
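The SLO propagation from the Single Logout Profile slide and the failure handling from the solution slide, as one added example that is not code from the original deck or from any SAML product. It is a toy IdP that keeps a master session listing the SPs that share it, builds one `samlp:LogoutRequest` per SP, contacts each SP in isolation (the role the hidden iFrames play in the real solution) and records each SP's outcome so the user can be told which logouts failed. The `global` and `local` scopes correspond to the "globally" and "local + IdP" options. Entity IDs, the user name `alice`, the deliberately broken `sp2`, and the class and function names are constructed; the messages are unsigned, which a real deployment must not do.

```python
# Added example (not from the original slides or any real IdP): front-channel
# Single Logout with per-SP results. Names and the broken SP are constructed;
# messages are unsigned for brevity, which is not acceptable in production.
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)


def _now() -> str:
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def build_logout_request(issuer: str, name_id: str, session_index: str) -> str:
    """Minimal samlp:LogoutRequest: who asks, which user, which session."""
    req = ET.Element("{%s}LogoutRequest" % SAMLP, {"ID": "_" + uuid.uuid4().hex,
                                                   "Version": "2.0", "IssueInstant": _now()})
    ET.SubElement(req, "{%s}Issuer" % SAML).text = issuer
    ET.SubElement(req, "{%s}NameID" % SAML).text = name_id
    ET.SubElement(req, "{%s}SessionIndex" % SAMLP).text = session_index
    return ET.tostring(req, encoding="unicode")


def build_logout_response(issuer: str, in_response_to: str, status: str) -> str:
    resp = ET.Element("{%s}LogoutResponse" % SAMLP, {"ID": "_" + uuid.uuid4().hex,
                                                     "Version": "2.0", "IssueInstant": _now(),
                                                     "InResponseTo": in_response_to})
    ET.SubElement(resp, "{%s}Issuer" % SAML).text = issuer
    status_el = ET.SubElement(resp, "{%s}Status" % SAMLP)
    ET.SubElement(status_el, "{%s}StatusCode" % SAMLP, {"Value": status})
    return ET.tostring(resp, encoding="unicode")


def response_status(xml_text: str) -> str:
    code = ET.fromstring(xml_text).find("{%s}Status/{%s}StatusCode" % (SAMLP, SAMLP))
    return code.get("Value") if code is not None else ""


class ServiceProvider:
    def __init__(self, entity_id: str, broken: bool = False):
        self.entity_id, self.broken = entity_id, broken
        self.sessions = {}                      # session_index -> name_id

    def handle_logout(self, request_xml: str) -> str:
        """Front-channel SLO endpoint; a broken SP raises, standing in for the 500."""
        if self.broken:
            raise RuntimeError("500 Internal Server Error")
        req = ET.fromstring(request_xml)
        self.sessions.pop(req.findtext("{%s}SessionIndex" % SAMLP), None)
        return build_logout_response(self.entity_id, req.get("ID"), STATUS_SUCCESS)


class IdentityProvider:
    def __init__(self, entity_id: str):
        self.entity_id = entity_id
        self.sessions = {}                      # name_id -> {sp entity_id: (sp, index)}

    def sso_login(self, name_id: str, sp: ServiceProvider) -> str:
        index = "_" + uuid.uuid4().hex
        sp.sessions[index] = name_id
        self.sessions.setdefault(name_id, {})[sp.entity_id] = (sp, index)
        return index

    def logged_in_services(self, name_id: str) -> list:
        """The list shown to the user before logout."""
        return sorted(self.sessions.get(name_id, {}))

    def single_logout(self, name_id: str, initiator: str, scope: str = "global") -> dict:
        """scope='global': every SP; scope='local': only the initiating SP plus the
        IdP session. Each SP is contacted in isolation, as a hidden iframe would be,
        so one failure never stops the others; the per-SP result feeds the feedback page."""
        targets = self.sessions.get(name_id, {})
        if scope == "local":
            targets = {k: v for k, v in targets.items() if k == initiator}
        results = {}
        for entity_id, (sp, index) in targets.items():
            request = build_logout_request(self.entity_id, name_id, index)
            try:
                results[entity_id] = response_status(sp.handle_logout(request)) == STATUS_SUCCESS
            except Exception:                   # the SP's 500: record it and keep going
                results[entity_id] = False
        self.sessions.pop(name_id, None)        # the IdP session ends in either scope
        return results


def demo(scope: str = "global") -> tuple:
    """alice is logged in at three SPs; sp2 is broken. Returns the service list
    shown before logout, the per-SP outcome, and the sessions left at each SP."""
    idp = IdentityProvider("https://idp.example.org")
    sps = [ServiceProvider("sp1"), ServiceProvider("sp2", broken=True), ServiceProvider("sp3")]
    for sp in sps:
        idp.sso_login("alice", sp)
    before = idp.logged_in_services("alice")
    results = idp.single_logout("alice", initiator="sp1", scope=scope)
    return before, results, {sp.entity_id: len(sp.sessions) for sp in sps}


if __name__ == "__main__":
    print(demo("global"))
    print(demo("local"))
```

With `scope="global"` the broken `sp2` is reported as failed while `sp1` and `sp3` are still logged out, which is the feedback the solution slide asks for; with `scope="local"` the IdP session is gone but `sp2` and `sp3` keep their sessions, which is the situation the "Local + IdP Logout" slides warn about.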