logout and misc Qs --shib idp

Peter Schober peter.schober at univie.ac.at
Mon Nov 5 17:19:11 EST 2012

* David Bantz <dabantz at alaska.edu> [2012-11-05 19:42]:
> +1
> I have service owners refusing to use Shibb or even backing out once
> integrated, citing concerns over automatic recovery of sessions.

-1 :)

Lack of SLO is not the universal problem people assume it is. This is
blown out of proportion, IMO. There is no need whatsoever to ever log
out of your own personal or work PC, notebook, mobile device, tablet,
whatever. You protect the device itself, and lock its screen when not
in use. This also protects all local data and other applications on
the machine.
Sometimes you might want to allow someone else to use it, so start a
"private browsing"/"incognito" instance of your browser for them.
Same when you need to work on someone else's device. After use close
the "incognito" window and the associated state is gone.

Once you accept this you can start actually looking into the
remaining, limited problem cases like PC labs or kiosks. These each
have workarounds, e.g. for kiosks you can put a logout button on the
screen (or browser) that clears all cookies or terminates the GUI
session (taking all state with it). Kiosks are by definition heavily
customized and tightly controlled, so that shouldn't be an additional
problem. Placing signs next to the computer that people are
responsible for their own data etc. might increase chances of logout.

Then there's the case of the "untrustworthy internet cafe" which does
not allow you to clear the state (or any other precaution or
workaround). Well, missing logout should be the least of your worries
on such devices, so we generally recommend to not use these machines
with enterprise credentials /at all/. These types of machines (and use
of this argument) get fewer over the years anyway with the advent of
personal (and more) mobile computing.
