logout and misc Qs --shib idp

William Spooner william.spooner at eaglegenomics.com
Mon Nov 5 19:36:16 EST 2012


On 5 Nov 2012, at 23:41, David Bantz wrote:

> On Mon, 5 Nov 2012, at 13:19 , Peter Schober <peter.schober at univie.ac.at> wrote:
> 
>> * David Bantz <dabantz at alaska.edu> [2012-11-05 19:42]:
>>> +1
>>> 
>>> I have service owners refusing to use Shibb or even backing out once
>>> integrated, citing concerns over automatic recovery of sessions.
>> 
>> -1 :)
>> 
>> ...This is blown out of proportion, IMO. There is no need whatsoever to ever log
>> out of your own personal or work PC, notebook, mobile device, tablet,
>> whatever….. you can start actually looking into the
>> remaining, limited problem cases like PC labs or kiosks. These each
>> have workarounds,…
> 
> I do not necessarily disagree that my clients / service providers are overreacting
> to unintended recovery of sessions.  The fact remains that key services decline
> or back out of Shibb-based central authN, and their absence slows general awareness
> of and acceptance of our Shibboleth services; that in turn reduces the value proposition
> for SSO if a few heavily used services are not part of it.  It even contributes to the
> continued conflation (in my local experience) of SSO with single set of credentials,
> thereby implicitly legitimizing credential relay (again, in the minds of my clients /
> service providers even if not objectively so).
> 
> It may be that I and others in this situation should just "wait out" these skeptics,
> but I hope to offer a response to this particular concern, even recognizing that
> an effective response to this concern may spur a new objection, based on 
> underlying unexpressed concerns (say, their discomfort with lack of total control
> implicit in trusted third party central authN).
> 

Interesting discussion,

Just a note to reassure you all that this issue afflicts big name SP/IdP combinations in the commercial (SaaS) world as well. I just tested Atlassian OnDemand with my Google Apps for Domains (2-factor) login. Lo and behold, the JIRA logout is 'local'; I can still access google (gmail, calendar and, erm, JIRA) unchallenged after logging out from Atlassian. In this case I believe that the onus is on the SP to inform the end user of the situation, and provide appropriate links to logout of the IdP. That may be difficult in edu-federation-land, but it would have been trivial in this case (a simple link to https://accounts.google.com/Logout).

Best,

Will
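The mitigation Will describes (the SP tells the user that its logout was local and hands them a link to end the IdP session) is what the Shibboleth SP's logout configuration is built to do. The fragment below is an added illustration for this thread, not text from any of the posters or from the Shibboleth distribution; it follows the shibboleth2.xml layout of the SP 2.x series, with the entityID, hostnames and the IdP logout URL being placeholders I have assumed (the Google URL is the one Will cites).

```xml
<!-- Excerpt of shibboleth2.xml: only the elements relevant to logout are shown. -->
<ApplicationDefaults entityID="https://sp.example.org/shibboleth">   <!-- placeholder -->

  <Sessions lifetime="28800" timeout="3600" relayState="ss:mem"
            checkAddress="false" handlerSSL="true" cookieProps="https">

    <SSO entityID="https://idp.example.org/idp/shibboleth">            <!-- placeholder -->
      SAML2 SAML1
    </SSO>

    <!-- Order matters: try SAML2 single logout (LogoutRequest to the IdP) first;
         fall back to a purely local logout only when the IdP publishes no
         SingleLogoutService endpoint in metadata.  "Local" on its own is the
         behaviour the thread complains about: the SP session ends, the IdP
         session survives, and the user is silently re-logged-in on the next visit. -->
    <Logout>SAML2 Local</Logout>

    <Handler type="Status"  Location="/Status"  acl="127.0.0.1 ::1"/>
    <Handler type="Session" Location="/Session" showAttributeValues="false"/>
  </Sessions>

  <!-- When the logout ends up local, the SP renders localLogout.html instead of
       globalLogout.html.  That template is the place to state plainly that the
       IdP session is still alive and to link to the IdP's own logout URL,
       e.g. for a Google Apps IdP:
         <a href="https://accounts.google.com/Logout">Sign out of Google too</a>
       For a campus IdP the equivalent link is whatever its logout endpoint is
       (assumed here to exist; consult the IdP operator). -->
  <Errors supportContact="root@localhost"
          localLogout="localLogout.html"
          globalLogout="globalLogout.html"
          styleSheet="/shibboleth-sp/main.css"/>

</ApplicationDefaults>
```

Applications trigger the logout by sending the browser to the SP's handler, `/Shibboleth.sso/Logout`; a `return=` query parameter names the page to land on afterwards, so an application can also redirect straight to the IdP's logout page once the SP session is gone (verify that the SP's redirect policy permits the off-host target before relying on it).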
