logout and misc Qs --shib idp

David Langenberg davel at uchicago.edu
Mon Nov 5 18:06:49 EST 2012

On Mon, Nov 5, 2012 at 3:51 PM, Peter Schober
<peter.schober at univie.ac.at> wrote:
> * David Langenberg <davel at uchicago.edu> [2012-11-05 23:35]:


>> The internet cafe problem you also can't just hand-wave away.  Yes, in
>> much of the world it's not a problem to BYOD, however, there is still
>> a not-insignificant population of user out there who when working in
>> the field in some 3rd world area needs to occasionally access
>> enterprise resources with enterprise credentials from an un-trustable
>> computer.
> I didn't say it's not a problem. I said you've got much larger
> problems to worry about than SLO then, e.g. key loggers.
> (Unless you deployed OTP systems which also work under these
> conditions, maybe.)

Very true, I can't control the key-loggers in un-trustable machines.
However, key-loggers exist even in the trustable space.  OTP /
2-Factor can assist with mitigating that risk, however, even after
using OTP, you still have the desire by the SPs to have a logout mech.
 The SPs see logout as something they (through me as the IdP) can
control and use for risk-mitigation just like requesting 2-factor or
Silver assurance.  Now, I'm not saying we need SLO (though it would be
nice).  The SPs who raise objections, I've found, are really really
selfish and don't care about existing sessions on other sites.  They
just want to ensure that the user is out of their system & can't get
back in.  I've promoted forceAuthn as a work-around, but we all know
that's got it's own problems.

As some have pointed out, I have docs demonstrating the cookie kill
logout, but cannot use that until Shibboleth ships a logout.jsp with
it in there.


David Langenberg
Identity & Access Management
The University of Chicago

More information about the users mailing list