Single Log-Out
Andreas Åkre Solberg
Malaga, June 2009
Sessions On Web
• HTTP originally stateless
• Using Cookies to keep state
• Cookies in RFC2965
• Set a session ID first time user visits, sent back to site for every HTTP request

[Diagram: (1) first request, browser sends HTTP GET, site replies Set-Cookie: ID=23846; (2) subsequent requests, browser sends Cookie: ID=23846]
Cookies limited to domains
Set-Cookie: ID=123; domain: .site.org

Cookie sessions can be on one domain only.

WebSSO protocols extend user sessions between domains.

[Diagram: the IdP holds the master session; each SP holds its own session, linked to the IdP's session by WebSSO]
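To make the two previous slides concrete, here is a small added example (written for this page, not code from the slides): a minimal Set-Cookie parser and the domain-matching rule a browser applies before attaching a cookie to a request. It uses the slide's cookie in proper Set-Cookie syntax (Domain=.site.org) and constructed hostnames; the IdP host idp.example.net is an assumption standing in for any IdP on another domain. The point it shows is the reason WebSSO exists at all: the session cookie never leaves the domain that set it.

```javascript
// Added example, not from the slides: a minimal Set-Cookie parser and the
// domain-matching rule a browser applies before sending a cookie, to show why a
// cookie-based session stays inside one domain. Hostnames are constructed.

function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = {
    name: pair.slice(0, eq),
    value: pair.slice(eq + 1),
    domain: null, // null means "host-only": sent back to the setting host only
    secure: false,
    httpOnly: false,
  };
  for (const attr of attrs) {
    const [rawKey, rawValue = ""] = attr.split("=");
    const key = rawKey.trim().toLowerCase();
    if (key === "domain") {
      // A leading dot is ignored: "Domain=.site.org" and "Domain=site.org" are the same.
      cookie.domain = rawValue.trim().replace(/^\./, "").toLowerCase();
    } else if (key === "secure") {
      cookie.secure = true;
    } else if (key === "httponly") {
      cookie.httpOnly = true;
    }
  }
  return cookie;
}

// Domain matching as in RFC 6265 section 5.1.3: the request host must equal the
// cookie domain or end with "." followed by it. "evil-site.org" therefore does
// not match "site.org", and no host outside site.org ever sees the session ID.
function cookieSentTo(cookie, settingHost, requestHost) {
  const host = requestHost.toLowerCase();
  if (cookie.domain === null) return host === settingHost.toLowerCase();
  return host === cookie.domain || host.endsWith("." + cookie.domain);
}

// For a given Set-Cookie header, report which hosts would receive the session.
function sessionReach(header, settingHost, hosts) {
  const cookie = parseSetCookie(header);
  const reach = {};
  for (const h of hosts) reach[h] = cookieSentTo(cookie, settingHost, h);
  return reach;
}

// Constructed sample: the slide's cookie with proper Set-Cookie syntax, and an
// IdP on a different domain (idp.example.net is an assumed hostname).
const HOSTS = ["www.site.org", "library.site.org", "evil-site.org", "idp.example.net"];
const SESSION_REACH = sessionReach(
  "ID=123; Domain=.site.org; Secure; HttpOnly",
  "www.site.org",
  HOSTS
);

console.log(SESSION_REACH);
```

Running it prints true for the two site.org hosts and false for the other two: the IdP on idp.example.net cannot see the SP's session cookie, so some protocol above cookies (WebSSO) has to carry the session across, and likewise has to carry the logout back.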
Consequences of not terminating SSO
Logging in to one service, and not terminating the SSO session, enables access to a wide range of other services.

Users do not understand this.

[Diagram: one IdP connected by WebSSO to several SPs, ranging from extending the loan period of a book at the library to financial system X with employee salary payment]
Logout
What do users do when they want to logout?

They:
• Click logout, or
• close the browser/tab
Close the tab???
Yes, (some) people close the tab to logout.

We hired a company to perform usability testing with real users.
Logout
Most federations do not offer any kind of logout.

What if we want to provide some kind of logout? What are our options?
Local Logout
Can the federations leave logout to the services alone, each providing an independent local logout?

NO!

What will SSO do to you, if you click login after having logged out locally?
Local + IdP Logout
Is this a good idea?

[Diagram: (1) SP1 sends a LogoutRequest to the IdP; (2) the IdP returns a LogoutResponse to SP1. SP2 and SP3 still have active sessions.]

SAML 2.0 provides a protocol element to distribute logout among entities.
Local + IdP Logout
Boundaries between SPs are washed out with SSO. The user can never know exactly which services she is logged into (because SSO is transparent).
Therefore local + IdP logout is a «no go»!

[Diagram: MyPortal.com offers Service foo (SP1) and Service bar (SP2), both behind the same IdP]
Single Logout
- as in SAML 2.0 Single Logout Profile

[Diagram: (1) SP1 sends a LogoutRequest to the IdP; (2) the IdP sends a LogoutRequest to SP2; (3) SP2 returns a LogoutResponse; (4) the IdP sends a LogoutRequest to SP3; (5) SP3 returns a LogoutResponse; (6) the IdP returns a LogoutResponse to SP1.]

Logout is fully propagated to all services that share a session...
Single Logout Usability
There is no way to get the user to understand what is going on with SLO without being extremely clear and explicit. Because users generally do not fully understand SSO, there is no common intuitive understanding of what SLO will do. It differs from user to user.

One of the things we tried:
Naming the button 'Global logout' is not making it any easier for the user.
Single Logout Back-Out
Users that are in the middle of an important transaction at SP2 will not like it if it is interrupted when they logout from SP1.
- Real-life example:
Requirement from a financial system SP

The user should be told which servers she is logged on to, and asked whether she wants to log out from all of them.
Single Logout Bindings
Front-channel:
• Not robust. SP2 may throw a 500 internal error on the user logging out from SP1.

Back-channel:
• Difficult to implement for SPs, because there is no access to the session cookie.
Single Logout Solution
Our solution:
• We are using front-channel only, not stuck with back-channel complexity.
• Solving the robustness problem with hidden iFrames.
• Presenting the user with a list of logged in services.
• Option to logout local + IdP or globally.
• Good feedback to user when things fail.
Single Logout Solution

[Diagram: one hidden iFrame per SP (SP1, SP2, SP3). Hidden iFrames send front-channel LogoutRequests and update logout status with AJAX.]
Single Logout Solution

[Diagram: each SP's LogoutResponse arrives at the IdP. The LogoutResponse endpoint on the IdP updates the status on the user's logout page with AJAX.]
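The slides above contrast three ways of logging out: local logout alone (after which clicking login simply re-enters via SSO), local + IdP logout (which leaves the other SPs' sessions alive), and global logout as in the SAML 2.0 Single Logout Profile, driven here from hidden iFrames with per-SP status. The following added example (written for this page; it is not code from the slides or from simpleSAMLphp) simulates the IdP side of all three modes in one place. The SAML status URIs are the real ones; entity IDs, the session index and the SP behaviours (one SP that answers Success, one that fails like the 500 the bindings slide warns about) are constructed, and the "report" array stands in for the rows the AJAX status page would render.

```javascript
// Added example, not from the slides or from simpleSAMLphp: a simulation of the
// IdP side of SAML 2.0 Single Logout that compares local logout, local + IdP
// logout and global logout, and records per-SP status the way a hidden-iframe
// status page would. Entity IDs, session index and SP behaviours are constructed.

const STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success";
const STATUS_RESPONDER = "urn:oasis:names:tc:SAML:2.0:status:Responder";
const STATUS_PARTIAL_LOGOUT = "urn:oasis:names:tc:SAML:2.0:status:PartialLogout";
const IDP = "https://idp.example.org/saml2/idp"; // constructed entity ID

let requestCounter = 0;
function logoutRequest(issuer, destination, sessionIndex) {
  requestCounter += 1;
  return { type: "LogoutRequest", id: "_req" + requestCounter, issuer, destination, sessionIndex };
}
function logoutResponse(issuer, inResponseTo, status, subStatus = null) {
  return { type: "LogoutResponse", issuer, inResponseTo, status, subStatus };
}

// The IdP's master session and the SPs that joined it through SSO.
function createSsoSession(sessionIndex, spIds) {
  return { sessionIndex, active: true, participants: new Map(spIds.map((id) => [id, "active"])) };
}

// Stand-in SP logout endpoint. "ok" ends the local session and answers Success;
// "error" fails like the HTTP 500 the deck warns about on front-channel.
function makeSp(entityId, behaviour) {
  const sp = { entityId, sessionIndex: null, loggedIn: false };
  sp.login = (sessionIndex) => { sp.sessionIndex = sessionIndex; sp.loggedIn = true; };
  sp.handleLogoutRequest = (req) => {
    if (behaviour === "error") throw new Error(entityId + ": 500 Internal Server Error");
    // Reject requests not addressed to us or not matching our SSO session.
    if (req.destination !== entityId || req.sessionIndex !== sp.sessionIndex) {
      return logoutResponse(entityId, req.id, STATUS_RESPONDER);
    }
    sp.loggedIn = false;
    sp.sessionIndex = null;
    return logoutResponse(entityId, req.id, STATUS_SUCCESS);
  };
  return sp;
}

// mode "local":     only the initiating SP ends its session; IdP session stays.
// mode "local-idp": initiating SP and IdP session end; other SPs are untouched.
// mode "global":    the IdP sends a LogoutRequest to every other participant.
function logout(session, sps, initiatingId, mode) {
  const report = []; // rows the AJAX status page would render
  sps.get(initiatingId).loggedIn = false;
  session.participants.set(initiatingId, "logged-out");
  if (mode === "local") return { report, response: null };

  const initialReq = logoutRequest(initiatingId, IDP, session.sessionIndex);
  if (mode === "global") {
    for (const [spId, state] of session.participants) {
      if (spId === initiatingId || state !== "active") continue;
      const req = logoutRequest(IDP, spId, session.sessionIndex);
      let ok = false;
      let detail;
      try {
        const resp = sps.get(spId).handleLogoutRequest(req);
        ok = resp.inResponseTo === req.id && resp.status === STATUS_SUCCESS;
        detail = resp.status;
      } catch (e) {
        detail = e.message; // one iframe failed; the others still proceed
      }
      session.participants.set(spId, ok ? "logged-out" : "failed");
      report.push({ sp: spId, ok, detail });
    }
  }
  session.active = false;
  // Second-level PartialLogout is the SAML 2.0 status code for "could not
  // propagate logout to all participants"; it lets the initiating SP tell the user.
  const partial = [...session.participants.values()].includes("failed");
  const response = logoutResponse(IDP, initialReq.id, STATUS_SUCCESS, partial ? STATUS_PARTIAL_LOGOUT : null);
  return { report, response };
}

// What SSO does when the user clicks "login" at an SP afterwards.
function loginAgain(session, sp) {
  if (!session.active) return "credentials-required";
  sp.login(session.sessionIndex);
  return "sso-silent";
}

const SP1 = "https://sp1.example.org", SP2 = "https://sp2.example.org", SP3 = "https://sp3.example.org";

function scenario(mode, sp2Behaviour = "ok") {
  const sps = new Map([[SP1, makeSp(SP1, "ok")], [SP2, makeSp(SP2, sp2Behaviour)], [SP3, makeSp(SP3, "ok")]]);
  const session = createSsoSession("_sess1", [...sps.keys()]);
  for (const sp of sps.values()) sp.login(session.sessionIndex);
  const { report, response } = logout(session, sps, SP1, mode);
  return { session, sps, report, response, relogin: loginAgain(session, sps.get(SP1)) };
}

console.log(scenario("global", "error").report);
```

scenario("local") reproduces the trap from the "Local Logout" slide: the IdP session is still active, so the next login at SP1 is silent. scenario("local-idp") ends the IdP session but leaves SP2 and SP3 logged in, the situation the "Local + IdP Logout" diagram shows. scenario("global", "error") is the front-channel robustness case: SP2's failure is recorded as one failed row rather than aborting the whole logout, SP3 is still logged out, and SP1 gets a LogoutResponse carrying PartialLogout so it can tell the user which service did not confirm.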
Live demo!
iFrame + AJAX Single Logout, as provided by
Is anyone using logout?
The big question!

We have had simpleSAMLphp in production for two months. Is anybody using global logout?

Let's take a look at the statistics.
Is anyone using logout?
Yes! At a surprising SLO:SSO ratio of 1:10.

The SSO:SLO ratio varies very much between Service Providers.
From 0 to 1:2!
Andreas Åkre Solberg
http://rnd.feide.no

Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
 

Single Logout

  • 1. Single Log-Out. Andreas Åkre Solberg, Malaga, June 2009
  • 2. Sessions On Web • HTTP originally stateless • Using Cookies to keep state • Cookies in RFC2965 • Set a session ID the first time the user visits; it is sent back to the site with every HTTP request. (Diagram: 1. first request, HTTP GET from Browser to Site, answered with Set-Cookie: ID=23846; 2. subsequent requests carry Cookie: ID=23846.)
  • 3. Cookies limited to domains. Set-Cookie: ID=123; domain: .site.org. Cookie sessions can be on one domain only. WebSSO protocols extend user sessions between domains. (Diagram: master session at the IdP, WebSSO to a separate session at each SP.)
  • 4. Consequences of not terminating SSO. Logging in to one service, and not terminating the SSO session, enables access to a wide range of other services. Users do not understand this. (Diagram: one IdP with WebSSO to several SPs, ranging from "Extending loan period of a book at the library" to "Financial system X. Employee salary payment.")
  • 5. Logout. What do users do when they want to logout? They: • Click logout, or • close the browser/tab
  • 6. Close the tab??? Yes, (some) people close the tab to logout. We hired a company to perform usability testing with real users.
  • 7. Logout. Most federations do not offer any kind of logout. What if we want to provide some kind of logout? What are our options?
  • 8. Local Logout. Can the federations leave logout to the services alone, each providing an independent local logout? NO! What will SSO do to you if you click login after having logged out locally?
  • 9. Local + IdP Logout. Is this a good idea? SAML 2.0 provides a protocol element to distribute logout among entities. (Diagram: 1. SP1 sends a LogoutRequest to the IdP, 2. the IdP returns a LogoutResponse; SP2 and SP3 still have active sessions. Legend: active session, deactivated session.)
  • 10. Local + IdP Logout. Boundaries between SPs are washed out with SSO. The user can never know exactly which services she is logged into (because SSO is transparent). Therefore local + IdP logout is a «no go»! (Diagram: MyPortal.com embedding Service foo (SP1) and Service bar (SP2), both behind one IdP.)
  • 11. Single Logout, as in the SAML 2.0 Single Logout Profile. (Diagram: 1. LogoutRequest SP1 → IdP; 2. LogoutRequest IdP → SP2; 3. LogoutResponse SP2 → IdP; 4. LogoutRequest IdP → SP3; 5. LogoutResponse SP3 → IdP; 6. LogoutResponse IdP → SP1.) Logout is fully propagated to all services that share a session...
  • 12. Single Logout Usability. There is no way to get the user to understand what is going on with SLO without being extremely clear and explicit. Because users generally do not fully understand SSO, there is no common intuitive understanding of what SLO will do. It differs from user to user. One of the things we tried: naming the button 'Global logout' does not make it any easier for the user.
  • 13. Single Logout Back-Out. Users that are in the middle of an important transaction at SP2 will not like it if it is interrupted when they log out from SP1. Real-life example: a requirement from a financial system SP: the user should be told which servers she is logged on to, and asked whether she wants to log out from all of them.
  • 14. Single Logout Bindings. Front-channel: • Not robust. SP2 may throw a 500 internal error when a user logs out from SP1. Back-channel: • Difficult to implement for SPs, because there is no access to the session cookie.
  • 15. Single Logout Solution. Our solution: • We are using front-channel only, not stuck with back-channel complexity. • Solving the robustness problem with hidden iFrames. • Presenting the user with a list of logged-in services. • Option to logout local + IdP or globally. • Good feedback to the user when things fail.
  • 17. Single Logout Solution. Hidden iFrames send front-channel LogoutRequests and update the logout status with AJAX. (Diagram: SP1, SP2, SP3.)
  • 18. Single Logout Solution. The LogoutResponse endpoint on the IdP updates the status on the user's logout page with AJAX. (Diagram: LogoutResponses from each SP arriving at the IdP.)
  • 20. iFrame + AJAX Single Logout as provided by [logo]. Available today.
  • 21. Is anyone using logout? The big question! We have had simpleSAMLphp in production for two months. Is anybody using global logout? Let's take a look at the statistics.
  • 22. Is anyone using logout? Yes! At a surprising SLO:SSO ratio of 1:10. The SSO:SLO ratio varies very much between Service Providers, from 0 to 1:2!
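The propagation of slide 11 and the per-SP status tracking behind the hidden-iFrame/AJAX solution of slides 14 to 18, as an added Python example that is not from the slides or from simpleSAMLphp: an IdP-side tracker that issues one LogoutRequest per SP, matches each LogoutResponse on InResponseTo (rejecting unknown or replayed IDs), records an SP that answered with an error or never answered, and contrasts this with the local + IdP logout of slides 9 and 10. The session object, the entity IDs and the state names are assumptions of this example; real messages would be signed SAML XML.

```python
import secrets
from dataclasses import dataclass, field

SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"  # SAML 2.0 top-level status

@dataclass
class MasterSession:
    """Assumed IdP master session: SPs that received an assertion, plus per-SP logout state."""
    name_id: str
    status: dict = field(default_factory=dict)   # entityID -> active|pending|ok|failed|unreachable
    pending: dict = field(default_factory=dict)  # LogoutRequest ID -> entityID awaiting a response
    idp_active: bool = True

def sso_login(session, sp):
    """Record an SSO login at sp; that is what makes sp part of a later SLO."""
    session.status[sp] = "active"

def local_and_idp_logout(session):
    """Slides 9-10: end only the IdP session; return the SPs that stay logged in."""
    session.idp_active = False
    return sorted(sp for sp, st in session.status.items() if st == "active")

def start_global_logout(session):
    """Slides 11/17: one LogoutRequest per SP, sent front-channel from a hidden iFrame."""
    requests = []
    for sp in sorted(sp for sp, st in session.status.items() if st == "active"):
        rid = "_" + secrets.token_hex(16)  # unpredictable xs:ID, kept to match InResponseTo
        session.pending[rid] = sp
        session.status[sp] = "pending"
        requests.append({"ID": rid, "Destination": sp, "NameID": session.name_id})
    session.idp_active = False
    return requests

def receive_logout_response(session, in_response_to, status_code):
    """Slide 18: IdP LogoutResponse endpoint; unknown or replayed IDs are rejected."""
    sp = session.pending.pop(in_response_to, None)
    if sp is None:
        return False
    session.status[sp] = "ok" if status_code == SUCCESS else "failed"
    return True

def mark_unreachable(session, request_id):
    """Slide 14: the SP threw 500 or the iFrame timed out; show that to the user."""
    sp = session.pending.pop(request_id, None)
    if sp is not None:
        session.status[sp] = "unreachable"

def logout_page_status(session):
    """What the AJAX-updated logout page shows: each SP and its logout state."""
    return dict(session.status)
```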