logout Qs --shib idp

David Bantz dabantz at Alaska.edu
Fri Nov 9 16:27:48 EST 2012


Granted that there is no really great solution to respond to the varied and sometimes contradictory requirements of services and users, I'd nevertheless beg for your suggested improvements to the following local practice:

(1) We do have a link in our IdP to which services could (re-)direct a browser, and which destroys the IdP SSO session cookie.

(2) That link can optionally re-direct again to any landing page (that is, back at the service, or to a generic 'SSO session ended' page, or…).

For SPs that ask us to provide a "logout URL" the user experience is:

1. "Logout" in the SP
2. re-direct to a page that states:
> You have been logged out of Faculty180.
>
> You can log in again at the Faculty180 web site for UAF.
>
> Your current Single-Sign-On (SSO) session is still active
>
> An SSO session was established when you entered your credentials at UA. SSO enables you to authenticate to (log in to) Faculty180 and other sites that rely on UA's privacy-preserving SSO (those services never see your password). Examples include UAF library resources, Atomic Learning, Educause, UA Alerts Portal, and others.
>
> Removing Your Single-Sign-On session
>
> You can end your SSO session by clicking on the link below; this will force authentication (require entry of credentials) for subsequent services that would otherwise rely on your existing SSO session. Removing your SSO session does NOT log you out of any services to which you are currently authenticated.
>
> -> End My Current UA SSO Session
>
> Risks of data cached in your browser:
>
> If the computer/tablet/phone you are using is shared with others, and you wish to limit the risk that others will be able to view or use information that may be cached in your web browser, you can reduce (but not eliminate) such risk by the following practices.
>
> Use browsers' "private browsing" option to limit sharing or storing information outside the browser window.
> Explicitly log out of all web sites; do not rely solely on closing the browser or browser window.
> Never take up the browser's suggestion to save passwords or "remember me," as that may enable others to log in as you!
> Explicitly clear the cookies and caches in your browser (brief directions for common browsers are below).
> Close (exit) the browser.

3. If the user chooses the link to "End…SSO", the IdP cookie is destroyed and the browser re-directed to display:

> Your UA Single-Sign-On session has been terminated
>
> This will force authentication (require entry of credentials) for subsequent services that would otherwise rely on your existing SSO session. Removing your SSO session does NOT log you out of any individual services to which you are currently authenticated (logged in).
>
> Risks of data cached in your browser:
>
> If the computer/tablet/phone you are using is shared with others, and you wish to limit the risk that others will be able to view or use information that may be cached in your web browser, you can reduce (but not eliminate) such risk by the following practices.
>
> Use browsers' "private browsing" option to limit sharing or storing information outside the browser window.
> Explicitly log out of all web sites; do not rely solely on closing the browser or browser window.
> Never take up the browser's suggestion to save passwords or "remember me," as that may enable others to log in as you!
> Explicitly clear the cookies and caches in your browser (brief directions for common browsers are below).
> Close (exit) the browser.



On Thu, 8 Nov 2012, at 13:35 , Jim Fox <fox at washington.edu> wrote:

> 
> Correct.  We need to add more detailed instructions.
> 
> Jim
> 
> 
> On Thu, 8 Nov 2012, David Bantz wrote:
> 
>> Date: Thu, 8 Nov 2012 14:26:30 -0800
>> From: David Bantz <dabantz at Alaska.edu>
>> To: Shib Users <users at shibboleth.net>
>> Reply-To: Shib Users <users at shibboleth.net>
>> Subject: Re: logout and misc Qs --shib idp
>> But as we're seeing some browsers save cookies and browsing data, then "helpfully" auto-re-connect on the next browser launch unless the browser is
>> explicitly configured not to do so; perhaps yet another sentence is needed to so inform users.
>> David Bantz
>> UA OIT IAM
>> On Thu, 8 Nov 2012, at 12:35 , Jim Fox <fox at washington.edu> wrote:
>> 
>>        To protect your privacy and prevent unauthorized use, completely exit
>>        your Web browser when you are finished browsing. ...
> --
> To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net
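The "end SSO session" link described in items (1) and (2) of the post above, as an added example that is not part of the original message and not Shibboleth's own code: it clears the IdP's session cookie and then redirects to a landing page, with the optional return URL checked against an allowlist of relying-party hosts so the endpoint cannot be used as an open redirect. The cookie name `_idp_session`, the hostnames, and the default landing page are assumptions; the real names depend on the local IdP build.

```python
"""Added example (not the post's or Shibboleth's code): an IdP-side
'end SSO session' endpoint that clears the SSO cookie and redirects
only to an allowlisted landing page."""
from urllib.parse import urlsplit

# Assumed IdP session cookie name; the real name depends on the IdP build.
SSO_COOKIE = "_idp_session"
# Fallback 'SSO session ended' page, used when no acceptable return URL is given.
DEFAULT_LANDING = "https://idp.example.edu/sso-ended"
# Constructed allowlist of hosts a post-logout redirect may target.
ALLOWED_RETURN_HOSTS = frozenset({
    "faculty180.example.edu",
    "library.example.edu",
    "idp.example.edu",
})


def safe_return_url(candidate, allowed_hosts=ALLOWED_RETURN_HOSTS):
    """Return `candidate` only if it is an absolute https URL whose host is
    allowlisted; otherwise return the default landing page.  This keeps the
    'redirect again to any landing page' feature from becoming an open
    redirect that a phishing link could point at an arbitrary site."""
    if not candidate:
        return DEFAULT_LANDING
    parts = urlsplit(candidate)
    if parts.scheme != "https":            # also rejects '//host/...' forms
        return DEFAULT_LANDING
    if parts.username or parts.password:   # 'allowed.host@evil.host' tricks
        return DEFAULT_LANDING
    if parts.hostname is None or parts.hostname not in allowed_hosts:
        return DEFAULT_LANDING
    return candidate


def clear_cookie_header(name=SSO_COOKIE):
    """Set-Cookie value that deletes the SSO cookie: empty value, Max-Age=0,
    plus an epoch Expires for clients that ignore Max-Age.  Path and the
    Secure/HttpOnly flags must match how the cookie was originally set or
    the browser will treat it as a different cookie and keep the old one."""
    return (f"{name}=; Path=/; Max-Age=0; "
            "Expires=Thu, 01 Jan 1970 00:00:00 GMT; Secure; HttpOnly; SameSite=Lax")


def end_sso_session(return_url=None):
    """Build (status, headers) for the 'End My Current UA SSO Session' link.
    Only the IdP's own session is ended; services the user is already
    logged in to keep their own sessions, exactly as the landing page text
    warns."""
    headers = [
        ("Set-Cookie", clear_cookie_header()),
        ("Cache-Control", "no-store"),
        ("Location", safe_return_url(return_url)),
    ]
    return 302, headers


if __name__ == "__main__":
    for url in ("https://faculty180.example.edu/login",
                "https://evil.example.net/",
                "https://faculty180.example.edu@evil.example.net/"):
        print(url, "->", end_sso_session(url)[1][2][1])
```

The IdP should also invalidate any server-side session state keyed by the cookie; clearing the cookie alone only stops this browser from presenting it.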
