logout and misc Qs --shib idp
Steven Carmody
Steven_Carmody at brown.edu
Mon Nov 5 17:14:39 EST 2012
On 11/5/12 4:39 PM, Cantor, Scott wrote:
>>
>> I believe there's also a version of the IDP page that asks the user
>> whether or not they want to destroy the session at the IDP.
>>
>> Would an approach like this address concerns from these SP operators?
>
> When they say yes, they're usually confused. They're thinking "sure, if
> you log out of *me*, then I'm safe". But then you point out "what if they
> log out of somebody else's app?" and they realize they're not getting
> anything.
>
> And then, there's the problem of what you're supposed to say when this
> process is done.
>
> That's why Chad and I spent years going back and forth over whether it's a
> good idea or not, and mostly sidestepped it because it's trivial to build
> in a CGI script so people could decide for themselves.
>

Agreed -- there's no good answer to the "logout problem".

What I'm hearing, tho, both locally and on this list, is that for some
SPs some form of logout is now more important than SSO.

So we've deployed a page that SPs can use which kills the IDP session.
Always and completely. Users get no question or choice. This is not a
panacea. But, it seems to satisfy the SPs (even when they understand its
shortcomings).