logout and misc Qs --shib idp

Steven Carmody Steven_Carmody at brown.edu
Tue Nov 6 09:33:53 EST 2012

I think everyone would agree that there's no silver bullet for the SLO 
issue; current protocols and current "standard practice" for application 
development preclude having any sort of silver bullet.

That said, I've seen a number of suggestions in this thread that strike 
me as reasonable partial steps (obviously I've just cut/pasted from 
various msgs). I'm wondering what we can do to either share work that 
we've done in these areas (as individual sites) or encourage their 
inclusion in any potential IDP 2.4 release:

1) I think a checkbox during login to bypass SSO on shared machines is a
fairly crucial feature at this point to at least allow users with clue 
to protect themselves.

2) Time permitting, we will still be looking at trying to build an 
IdP-only logout mechanism that formally clears that state using the 
standard protocol.

3) a few more samples/examples of what various institutions have done 
with an IdP-associated page to remove the IdP session and put out some 

4) USC also had an interesting approach to logging users out of some of 
the local SSO-protected apps that one might use Shib for; I don't know 
if they are still using that or not. (Russ and/or Brendan?) I know they 
had shared a sample back when Illinois was first setting up Shib for use 
with Google, and Google allowed one to register a URL to send the user 
to after logging out of GAE. That was a page presented by the IdP that 
included a number of images, with each image invoking the Logout page of 
one of their SPs. I don't think (at least at the time) that they tracked 
which of those SPs you might have invoked during your browser session, 
they just picked a set of the "most sensitive" (my 
words/characterization, not theirs!).

5) and promulgating on our campuses this more general advice:

You protect the device itself, and lock it's screen when not
in use. This also protects all local data and other applications on
the machine.. I said you've got much larger problems to worry about than 
SLO then, e.g. key loggers.

More information about the users mailing list