logout and misc Qs --shib idp

Chris Phillips Chris.Phillips at canarie.ca
Tue Nov 6 12:27:07 EST 2012

As an FYI to the SLO topic followers:

It's been a simmering topic for a while and I've proposed some activity on
this front at the REFEDS level a few weeks back:


The challenge is not limited to one institution or one federation,
especially when inter federation starts getting more traction.

5 federations have indicated interest so far in somehow improving things
from today's user experience.
As the sponsor for the topic I'll try to keep current with the discussion
topics here (it's as good a place as any to have it in) and try to capture
elements or pointers to the conversation thread(s) as inputs to the
proposed work plan item.
If you have an SLO 'approach' beyond the available configurations out
there, I think it would be worthwhile posting it to the list, but if you
don't want to, feel free to email me directly.  Questions or comments about
the REFEDS item are welcome as a direct email too so that we can stay
reasonably on topic in this list :)


On 12-11-06 9:33 AM, "Steven Carmody" <Steven_Carmody at brown.edu> wrote:

>I think everyone would agree that there's no silver bullet for the SLO
>issue; current protocols and current "standard practice" for application
>development preclude having any sort of silver bullet.
>That said, I've seen a number of suggestions in this thread that strike
>me as reasonable partial steps (obviously I've just cut/pasted from
>various msgs). I'm wondering what we can do to either share work that
>we've done in these areas (as individual sites) or encourage their
>inclusion in any potential IDP 2.4 release:
>1) I think a checkbox during login to bypass SSO on shared machines is a
>fairly crucial feature at this point to at least allow users with clue
>to protect themselves.
>2) Time permitting, we will still be looking at trying to build an
>IdP-only logout mechanism that formally clears that state using the
>standard protocol.
>3) a few more samples/examples of what various institutions have done
>with an IdP-associated page to remove the IdP session and put out some
>4) USC also had an interesting approach to logging users out of some of
>the local SSO-protected apps that one might use Shib for; I don't know
>if they are still using that or not. (Russ and/or Brendan?) I know they
>had shared a sample back when Illinois was first setting up Shib for use
>with Google, and Google allowed one to register a URL to send the user
>to after logging out of GAE. That was a page presented by the IdP that
>included a number of images, with each image invoking the Logout page of
>one of their SPs. I don't think (at least at the time) that they tracked
>which of those SPs you might have invoked during your browser session,
>they just picked a set of the "most sensitive" (my
>words/characterization, not theirs!).
>5) and promulgating on our campuses this more general advice:
>You protect the device itself, and lock its screen when not
>in use. This also protects all local data and other applications on
>the machine. I said you've got much larger problems to worry about than
>SLO then, e.g. key loggers.
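The image-based logout page described in item 4 of the quoted message could be generated along these lines. This is an added example, not code from the thread, USC, or the Shibboleth project; the SP hostnames are constructed placeholders, the function names are hypothetical, and `/Shibboleth.sso/Logout` is assumed to be the SP's default logout handler path (sites can configure a different one).

```python
from html import escape
from urllib.parse import urlsplit

# Assumption: each SP exposes the default Shibboleth SP logout handler here.
SP_LOGOUT_PATH = "/Shibboleth.sso/Logout"

# Constructed sample: the fixed set of "most sensitive" SPs (placeholder hosts).
SENSITIVE_SPS = ["https://mail.example.edu", "https://hr.example.edu/"]


def sp_logout_url(base):
    """Return the logout URL for one SP origin, or raise ValueError."""
    parts = urlsplit(base)
    if parts.scheme != "https":
        raise ValueError(f"not https: {base!r}")
    if not parts.hostname or parts.username or parts.password:
        raise ValueError(f"bad host: {base!r}")
    if parts.query or parts.fragment or parts.path not in ("", "/"):
        raise ValueError(f"expected a bare origin: {base!r}")
    return f"https://{parts.netloc}{SP_LOGOUT_PATH}"


def build_logout_page(sp_bases):
    """Build an IdP-hosted page whose images each invoke one SP's logout handler."""
    imgs = []
    for base in sp_bases:
        url = escape(sp_logout_url(base), quote=True)
        # The browser issues a GET for each image. The SP session is cleared
        # only if the browser attaches that SP's session cookie, which it will
        # not do on a cross-site request when the cookie is SameSite-restricted.
        imgs.append(f'<img src="{url}" alt="" width="1" height="1">')
    body = "\n".join(imgs)
    # The page cannot confirm that any SP logout succeeded, and it does not
    # track which SPs were actually visited, so the user-facing text
    # (constructed wording) should still tell people to close the browser.
    return (
        "<!DOCTYPE html>\n<html><head><title>Logged out</title></head><body>\n"
        "<p>Your login session has been removed. "
        "Close your browser to finish logging out.</p>\n"
        f"{body}\n</body></html>\n"
    )


if __name__ == "__main__":
    print(build_logout_page(SENSITIVE_SPS))
```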