IdpSession Logout Problems
Christopher Bongaarts
cab at umn.edu
Tue Nov 1 15:02:51 GMT 2011
On 10/28/2011 2:02 PM, Cantor, Scott wrote:
> On 10/28/11 2:28 PM, "Skylar Hansen" <shansen at randolphcollege.edu> wrote:
>
>> I worry in the long term, once these weaknesses are noticed by users -
>> that credibility would become even more damaged than it would without
>> logout in the first place.
>
> That's the main reason we haven't shipped a trivial IdP logout
> implementation that does a hardwired "partial" logout by just dropping the
> IdP session.
FWIW, the requirement we have heard loud and clear is simple: "screw
the other apps, I need a way to make it so the user can 'log out' such
that they have to reauthenticate to get into MY app". This is a natural
result of having application responsibility spread among multiple people
(more cynically, it's multiple instances of CYA).
So we had to implement the IdP session killing technique on our own,
which is not elegant but does have the advantage of being understandable
to users (you can have them land on a page that says "you just logged
out of X, but you may still be logged in to lots of other things."). (We
also, as a short term fix, shortened our session lifetime to 5 minutes
for our current system that uses our local SSO system for login - apps
can have the user log out of our local SSO, which uses a shared cookie
mechanism so SLO is actually useful, but the IdP session was still
catching them.)
For the public terminal case, this actually devolves into the "user
switching" problem - 99% of the time, User B doesn't care about messing
with User A's still-logged-in session, B just wants to register for
their classes or whatever. And they can't if there's no way to switch
users.
--
%% Christopher A. Bongaarts %% cab at umn.edu %%
%% OIT - Identity Management %% http://umn.edu/~cab %%
%% University of Minnesota %% +1 (612) 625-1809 %%