logout and misc Qs --shib idp

David Bantz dabantz at alaska.edu
Mon Nov 5 18:41:59 EST 2012

On Mon, 5 Nov 2012, at 13:19 , Peter Schober <peter.schober at univie.ac.at> wrote:

> * David Bantz <dabantz at alaska.edu> [2012-11-05 19:42]:
>> +1
>> I have service owners refusing to use Shibb or even backing out once
>> integrated, citing concerns over automatic recovery of sessions.
> -1 :)
>  ...This is blown out of proportions, IMO. There is no need whatsoever to ever log
> out of your own personal or work PC, notebook, mobile device, tablet,
> whatever….. you can start actually looking into the
> remaining, limited problem cases like PC labs or kiosks. These each
> have workarounds,…

I do not necessarily disagree that my clients / service providers are overreacting
to unintended recovery of sessions.  The fact remains that key services decline
or back out of Shibb-based central authN, and their absence slows general awareness
of and acceptance of our Shibboleth services; that in turn reduces the value proposition
for SSO if a few heavily used services are not part of it.  It even contributes to the
continued conflation (in my local experience) of SSO with single set of credentials,
thereby implicitly legitimizing credential relay (again, in the minds of my clients /
service providers even if not objectively so).

It may be that I and others in this situation should just "wait out" these skeptics,
but I hope to offer a response to this particular concern, even recognizing that
an effective response to this concern may spur a new objection, based on 
underlying unexpressed concerns (say, their discomfort with lack of total control
implicit in trusted third party central authN).

David Bantz
