logout and misc Qs --shib idp

David Langenberg davel at uchicago.edu
Mon Nov 5 17:35:34 EST 2012

On Mon, Nov 5, 2012 at 3:19 PM, Peter Schober
<peter.schober at univie.ac.at> wrote:
> * David Bantz <dabantz at alaska.edu> [2012-11-05 19:42]:
>> +1
>> I have service owners refusing to use Shibb or even backing out once
>> integrated, citing concerns over automatic recovery of sessions.
> -1 :)


> Once you accept this you can start actually looking into the
> remaining, limited problem cases like PC labs or kiosks. These each
> have workarounds, e.g. for kiosks you can put a logout button on the
> screen (or browser) that clears all cookies or terminates the GUI
> session (taking all state with it). Kiosks are by definition heavily
> customized and tightly controlled, so that shouldn't be an additional
> problem. Placing signs next to the computer that people are
> responsible for their own data etc. might increase chances of logout.
> Then there's the case of the "untrustworthy internet cafe" which does
> not allow clearing the state (or any other precaution or
> workaround). Well, missing logout should be the least of your worries
> on such devices, so we generally recommend to not use these machines
> with enterprise credentials /at all/. These types of machines (and use
> of this argument) get fewer over the years anyway with the advent of
> personal (and more) mobile computing.

Two problems with the above scenarios.  The kiosk problem wave-off
naively assumes that those running the shibboleth service have the
ability to directly and strongly influence configuration of said
kiosks.  Now, granted, for kiosks managed by central IT, yes, piece of
cake.  For kiosks managed by other entities around campus though, the
best we can do is ask nicely and the results are always piecemeal.
The internet cafe problem you also can't just hand-wave away.  Yes, in
much of the world it's not a problem to BYOD, however, there is still
a not-insignificant population of users out there who when working in
the field in some 3rd world area needs to occasionally access
enterprise resources with enterprise credentials from an un-trustable


David Langenberg
Identity & Access Management
The University of Chicago

