A Presentation on Single Logout
Single Log-Out
Andreas Åkre Solberg
Malaga, June 2009
Sessions on the Web
• HTTP is originally stateless
• Cookies are used to keep state
• Cookies are specified in RFC 2965
• A session ID is set the first time the user visits, and is sent back to the site with every HTTP request
[Figure: browser and site. 1) First request: the browser sends HTTP GET, the site replies with Set-Cookie: ID=23846. 2) Subsequent requests: the browser sends Cookie: ID=23846]
Cookies limited to domains
Set-Cookie: ID=123; Domain=.site.org
A cookie session can be on one domain only.
WebSSO protocols extend user sessions between domains.
[Figure: the IdP holds the master session; WebSSO links it to a separate session at each SP]
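The domain scoping above is what keeps a cookie session on one domain. As an added example (not from the slides), the following uses the Python standard-library cookie jar as the browser: a cookie issued for .site.org is sent to site.org and to any host under it, but not to other.org, and not to evilsite.org even though that name ends in "site.org". The hostnames and the cookie value are constructed for the example.

```python
# Added example (not from the slides): cookie domain scoping as a browser
# applies it, using http.cookiejar as the browser. Hostnames and the cookie
# value are constructed for the example.
import http.cookiejar
import urllib.request


def make_session_cookie(name, value, domain):
    """Build the cookie a browser stores after
    'Set-Cookie: name=value; Domain=domain' (Netscape-style, version 0)."""
    return http.cookiejar.Cookie(
        version=0, name=name, value=value,
        port=None, port_specified=False,
        domain=domain, domain_specified=True,
        domain_initial_dot=domain.startswith("."),
        path="/", path_specified=True,
        secure=False, expires=None, discard=True,
        comment=None, comment_url=None, rest={},
    )


def cookie_header_for(jar, url):
    """Return the Cookie header the browser (jar) would attach to a request
    for url, or None when no stored cookie is in scope for that host."""
    request = urllib.request.Request(url)   # no network: only builds the request
    jar.add_cookie_header(request)
    return request.get_header("Cookie")


def build_jar():
    """A browser that visited site.org and received a session ID scoped to
    the whole .site.org domain (value taken from the slide's example)."""
    jar = http.cookiejar.CookieJar()
    jar.set_cookie(make_session_cookie("ID", "123", ".site.org"))
    return jar


if __name__ == "__main__":
    jar = build_jar()
    for url in ("http://site.org/", "http://app.site.org/",
                "http://other.org/", "http://evilsite.org/"):
        print(url, "->", cookie_header_for(jar, url))
```

The point for WebSSO follows directly: since no cookie crosses from site.org to other.org, a session at one SP tells a second SP nothing, and the IdP has to carry the master session between domains with a protocol exchange rather than a shared cookie.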
Consequences of not terminating SSO
Logging in to one service and not terminating the SSO session enables access to a wide range of other services.
Users do not understand this.
[Figure: one IdP with WebSSO to several SPs. Example services: extending the loan period of a book at the library; financial system X, employee salary payment]
Logout
What do users do when they want to log out?
They:
• click logout, or
• close the browser/tab
Close the tab???
Yes, (some) people close the tab to log out.
We hired a company to perform usability testing with real users.
Logout
Most federations do not offer any kind of logout.
What if we want to provide some kind of logout? What are our options?
Local Logout
Can the federations leave logout to the services alone, with each service providing an independent local logout?
NO!
What will SSO do to you if you click login after having logged out locally?
Local + IdP Logout
Is this a good idea?
[Figure: SP1, SP2, SP3 and the IdP. Step 1: the user logs out of SP1. Step 2: SP1 exchanges a LogoutRequest and LogoutResponse with the IdP. The SP1 and IdP sessions are deactivated, while SP2 and SP3 still have active sessions. One of the services is labelled MyPortal.com]
SAML 2.0 provides protocol elements to distribute logout among entities.
Local + IdP Logout
The boundaries between SPs are washed out with SSO. The user can never know exactly which services she is logged into (because SSO is transparent). Therefore local + IdP logout is a «no go»!
[Figure: IdP with Service foo and Service bar behind SP1 and SP2]
Single Logout
- as in the SAML 2.0 Single Logout Profile
[Figure, steps 1 to 6: the user logs out at SP1; SP1 sends a LogoutRequest to the IdP; the IdP sends a LogoutRequest to SP2 and to SP3 and receives a LogoutResponse from each; the IdP returns a LogoutResponse to SP1]
Logout is fully propagated to all services that share a session...
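To make the LogoutRequest and LogoutResponse exchange concrete, here is an added example (not from the slides, and not simpleSAMLphp code) that builds a SAML 2.0 LogoutRequest naming the principal and session to terminate, encodes it as the HTTP-Redirect binding does (raw DEFLATE, base64, URL-encoded query parameter), decodes it on the receiving side, and checks a LogoutResponse for the Success status code tied to the original request ID. The entity IDs, endpoints, NameID and SessionIndex are constructed; the messages are left unsigned here, whereas a deployment signs them so that a forged LogoutRequest cannot end someone else's session.

```python
# Added example (not from the slides or simpleSAMLphp): SAML 2.0 LogoutRequest
# and LogoutResponse messages with the HTTP-Redirect binding encoding.
# Entity IDs, endpoints, NameID and SessionIndex are constructed; messages
# are unsigned here (a deployment must sign them).
import base64
import uuid
import zlib
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from urllib.parse import urlencode, parse_qs, urlparse

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
STATUS_RESPONDER = "urn:oasis:names:tc:SAML:2.0:status:Responder"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)


def _now():
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def build_logout_request(issuer, destination, name_id, session_index):
    """LogoutRequest: which principal and which session the issuer wants ended."""
    req = ET.Element(f"{{{SAMLP}}}LogoutRequest", {
        "ID": "_" + uuid.uuid4().hex, "Version": "2.0",
        "IssueInstant": _now(), "Destination": destination,
    })
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = issuer
    ET.SubElement(req, f"{{{SAML}}}NameID").text = name_id
    ET.SubElement(req, f"{{{SAMLP}}}SessionIndex").text = session_index
    return ET.tostring(req, encoding="unicode")


def redirect_url(endpoint, xml, param="SAMLRequest"):
    """HTTP-Redirect binding: raw DEFLATE (-15 = no zlib header), base64, query parameter."""
    deflater = zlib.compressobj(wbits=-15)
    deflated = deflater.compress(xml.encode("utf-8")) + deflater.flush()
    return endpoint + "?" + urlencode({param: base64.b64encode(deflated).decode("ascii")})


def decode_redirect(url, param="SAMLRequest"):
    """Inverse of redirect_url: recover the XML from the query string."""
    query = parse_qs(urlparse(url).query)
    return zlib.decompress(base64.b64decode(query[param][0]), -15).decode("utf-8")


def parse_logout_request(xml):
    root = ET.fromstring(xml)
    return {
        "id": root.get("ID"),
        "issuer": root.findtext(f"{{{SAML}}}Issuer"),
        "name_id": root.findtext(f"{{{SAML}}}NameID"),
        "session_index": root.findtext(f"{{{SAMLP}}}SessionIndex"),
    }


def build_logout_response(issuer, destination, in_response_to, status=STATUS_SUCCESS):
    """LogoutResponse carrying a StatusCode and the ID of the request it answers."""
    resp = ET.Element(f"{{{SAMLP}}}LogoutResponse", {
        "ID": "_" + uuid.uuid4().hex, "Version": "2.0", "IssueInstant": _now(),
        "Destination": destination, "InResponseTo": in_response_to,
    })
    ET.SubElement(resp, f"{{{SAML}}}Issuer").text = issuer
    status_el = ET.SubElement(resp, f"{{{SAMLP}}}Status")
    ET.SubElement(status_el, f"{{{SAMLP}}}StatusCode", {"Value": status})
    return ET.tostring(resp, encoding="unicode")


def logout_succeeded(response_xml, expected_request_id):
    """True only if the response answers our own request and reports Success."""
    root = ET.fromstring(response_xml)
    if root.get("InResponseTo") != expected_request_id:
        return False
    code = root.find(f"{{{SAMLP}}}Status/{{{SAMLP}}}StatusCode")
    return code is not None and code.get("Value") == STATUS_SUCCESS


if __name__ == "__main__":
    # SP1 asks the IdP to end the session it obtained through SSO.
    request_xml = build_logout_request("https://sp1.example.org", "https://idp.example.org/slo",
                                       "user@example.org", "session-0001")
    url = redirect_url("https://idp.example.org/slo", request_xml)
    received = parse_logout_request(decode_redirect(url))
    response_xml = build_logout_response("https://idp.example.org", "https://sp1.example.org/slo",
                                         received["id"])
    print(received, logout_succeeded(response_xml, received["id"]))
```

Checking InResponseTo against the ID the IdP itself issued is what stops a stray or replayed LogoutResponse from being counted as a successful logout of a different session; the same check is needed for each response the IdP collects from SP2 and SP3.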
Single Logout Usability
There is no way to get the user to understand what is going on with SLO without being extremely clear and explicit. Because users generally do not fully understand SSO, there is no common intuitive understanding of what SLO will do. It differs from user to user.
One of the things we tried: naming the button 'Global logout' does not make it any easier for the user.
Single Logout Back-Out
Users who are in the middle of an important transaction at SP2 will not like it if it is interrupted when they log out from SP1.
- Real-life example: a requirement from a financial system SP
The user should be told which servers she is logged on to, and asked whether she wants to log out from all of them.
Single Logout Bindings
Front-channel:
• Not robust: SP2 may throw a 500 internal error while the user is logging out from SP1.
Back-channel:
• Difficult to implement for SPs, because there is no access to the session cookie.
Single Logout Solution
Our solution:
• We are using front-channel only, and are not stuck with back-channel complexity.
• Solving the robustness problem with hidden iFrames.
• Presenting the user with a list of logged-in services.
• Option to log out local + IdP or globally.
• Good feedback to the user when things fail.
Single Logout Solution
[Screenshot: logout page listing SP1, SP2 and SP3]
Hidden iFrames send front-channel LogoutRequests and update the logout status with AJAX.
Single Logout Solution
The LogoutResponse endpoint on the IdP updates the status on the user's logout page with AJAX.
[Figure: LogoutResponses from the three SPs arriving at the IdP]
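The IdP-side bookkeeping behind that logout page, as an added example (not from the slides or simpleSAMLphp): the master session knows which SPs obtained a session through it; global logout opens one hidden iFrame per SP carrying a LogoutRequest, and each LogoutResponse reaching the IdP endpoint, or an iFrame that never answers, updates exactly one row. That isolation is what makes the front-channel robust: SP2 returning a 500 leaves SP1 and SP3 correctly reported, and the user gets per-service feedback instead of a hung page. The local + IdP variant is included to show why the slides reject it: the SP sessions stay alive. SP names, endpoints and timings are constructed, and the SAML messages are stood in for by request IDs (the real iFrame URL would carry an encoded LogoutRequest).

```python
# Added example (not from the slides or simpleSAMLphp): IdP-side status
# tracking for front-channel Single Logout with one hidden iFrame per SP.
# SP names, endpoints and timings are constructed; request IDs stand in for
# the SAML messages, so the iFrame URL format here is a placeholder.
import uuid

PENDING, DONE, FAILED = "pending", "done", "failed"


class MasterSession:
    """One IdP session and the SPs that obtained a session through it."""

    def __init__(self, user):
        self.user = user
        self.active = True
        self.sps = {}        # sp_id -> that SP's SLO endpoint
        self.logout = {}     # request_id -> sp_id for the current SLO run
        self.status = {}     # sp_id -> PENDING / DONE / FAILED
        self.started = {}    # request_id -> time the iFrame was opened

    def register_sp(self, sp_id, slo_endpoint):
        self.sps[sp_id] = slo_endpoint

    def local_plus_idp_logout(self):
        """Local + IdP logout: the IdP session ends, every SP session stays alive.
        Returns the services the user is still logged into without knowing it."""
        self.active = False
        return sorted(self.sps)

    def start_global_logout(self, now):
        """Global logout: one LogoutRequest per SP, each in its own hidden iFrame.
        Returns the iFrame targets as (sp_id, url, request_id)."""
        targets = []
        for sp_id, endpoint in self.sps.items():
            request_id = "_" + uuid.uuid4().hex
            self.logout[request_id] = sp_id
            self.status[sp_id] = PENDING
            self.started[request_id] = now
            # placeholder URL; a real one carries the encoded LogoutRequest
            targets.append((sp_id, f"{endpoint}?SAMLRequest={request_id}", request_id))
        return targets

    def record_response(self, request_id, success):
        """Called by the IdP's LogoutResponse endpoint; the page polls the result with AJAX.
        Responses for unknown IDs, or a second response for one SP, change nothing."""
        sp_id = self.logout.get(request_id)
        if sp_id is None:
            return False
        if self.status[sp_id] == PENDING:
            self.status[sp_id] = DONE if success else FAILED
        return True

    def expire_pending(self, now, timeout):
        """An SP that never answers (say, a 500 inside its iFrame) is reported as failed
        instead of blocking the rest of the page."""
        for request_id, sp_id in self.logout.items():
            if self.status[sp_id] == PENDING and now - self.started[request_id] >= timeout:
                self.status[sp_id] = FAILED

    def finish(self):
        """Close the IdP session once every SP has answered or timed out;
        returns the per-service feedback shown to the user."""
        if PENDING not in self.status.values():
            self.active = False
        return dict(self.status)


if __name__ == "__main__":
    s = MasterSession("alice")
    s.register_sp("SP1", "https://sp1.example.org/slo")
    s.register_sp("SP2", "https://sp2.example.org/slo")
    s.register_sp("SP3", "https://sp3.example.org/slo")
    targets = s.start_global_logout(now=0)
    for sp_id, url, _ in targets:
        print("open hidden iFrame for", sp_id, "->", url)
    # SP1 and SP3 answer; SP2's iFrame hit a 500 and never posts a response.
    s.record_response(targets[0][2], success=True)
    s.record_response(targets[2][2], success=True)
    s.expire_pending(now=10, timeout=5)
    print(s.finish())
```

Two design choices carry over to any implementation: the IdP session is only closed after every SP has answered or timed out, so the user is never told "logged out" while an SP is still being contacted, and a response is matched to a request ID the IdP issued itself, so a response cannot mark a service as logged out unless that logout was actually requested in this run.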
Live demo!
iFrame + AJAX Single Logout
as provided by [logo]
Available today
Is anyone using logout?
The big question!
We have had simpleSAMLphp in production for two months. Is anybody using global logout?
Let's take a look at the statistics.
Is anyone using logout?
Yes! At a surprising ratio of SLO:SSO of 1:10
The ratio of SSO:SLO varies a great deal between Service Providers.
From 0 to 1:2!
Andreas Åkre Solberg
http://rnd.feide.no