Single Logout

A presentation on Single Logout

Page 1: Single Logout

Single Log-Out
Andreas Åkre Solberg

Malaga, June 2009

Page 2

Sessions On Web

• HTTP originally stateless
• Using Cookies to keep state
• Cookies in RFC2965
• Set a session ID first time user visits, sent back to site for every HTTP request

Diagram: Browser and Site. 1, first request: HTTP GET; the site answers with Set-Cookie: ID=23846. 2, subsequent requests: the browser sends Cookie: ID=23846.

Page 3

Cookies limited to domains

Set-Cookie: ID=123; domain: .site.org

Cookie sessions can be on one domain only.

WebSSO protocols extend user sessions between domains.

Diagram: the IdP holds the master session; each SP holds its own SP session, linked to the IdP by WebSSO.

Page 4

Consequences of not terminating SSO

Logging in to one service, and not terminating the SSO session, enables access to a wide range of other services.

Users do not understand this.

Diagram: one IdP with several SPs reached through WebSSO, for example extending the loan period of a book at the library, and financial system X handling employee salary payment.

Page 5

Logout

What do users do when they want to logout?

They:
• Click logout, or
• close the browser/tab

Page 6

Close the tab???

Yes, (some) people close the tab to logout.

We hired a company to perform usability testing with real users.

Page 7

Logout

Most federations do not offer any kind of logout.

What if we want to provide some kind of logout? What are our options?

Page 8

Local Logout

Can the federations leave logout to the services alone, and let them provide independent local logout?

NO!

What will SSO do to you if you click login after having logged out locally?

Page 9

Local + IdP Logout

Is this a good idea?

Diagram: SP1, SP2, SP3 and the IdP. SP1 sends a LogoutRequest to the IdP and gets a LogoutResponse back (steps 1 and 2); the sessions at SP1 and the IdP are deactivated, while the sessions at SP2 and SP3 are still active.

SAML 2.0 provides a protocol element to distribute logout among entities.

Page 10

Local + IdP Logout

Boundaries between SPs are washed out with SSO. The user can never know exactly which services she is logged into (because SSO is transparent). Therefore local + IdP logout is a «no go»!

Diagram: MyPortal.com, with Service foo (SP1) and Service bar (SP2) behind one IdP.

Page 11

Single Logout, as in the SAML 2.0 Single Logout Profile

Diagram: SP1 sends a LogoutRequest to the IdP (step 1); the IdP sends a LogoutRequest to SP2 and to SP3 and collects their LogoutResponses (steps 2 to 5); finally the IdP returns a LogoutResponse to SP1 (step 6).

Logout is fully propagated to all services that share a session...

Page 12

Single Logout Usability

There is no way to get the user to understand what is going on with SLO without being extremely clear and explicit. Because users generally do not fully understand SSO, there is no common intuitive understanding of what SLO will do. It differs from user to user.

One of the things we tried: naming the button 'Global logout' does not make it any easier for the user.

Page 13

Single Logout Back-Out

Users that are in the middle of an important transaction at SP2 will not like it if it is interrupted when they log out from SP1.
- Real-life example: a requirement from a financial system SP

The user should be told which servers she is logged on to, and asked whether she wants to log out from all of them.

Page 14

Single Logout Bindings

Front-channel:
• Not robust. SP2 may throw a 500 Internal Server Error when the user logs out from SP1.

Back-channel:
• Difficult to implement for SPs, because there is no access to the session cookie.

Page 15

Single Logout Solution

Our solution:
• We are using front-channel only, not stuck with back-channel complexity.
• Solving the robustness problem with hidden iFrames.
• Presenting the user with a list of logged in services.
• Option to logout local + IdP or globally.
• Good feedback to user when things fail.

Page 16

Single Logout Solution

Page 17

Single Logout Solution

Diagram: the IdP logout page with one hidden iFrame per SP (SP1, SP2, SP3).

Hidden iFrames send front-channel LogoutRequests and update the logout status with AJAX.

Page 18

Single Logout Solution

The LogoutResponse endpoint on the IdP updates the status on the user's logout page with AJAX.

Diagram: a LogoutResponse from each SP arrives at the IdP endpoint.
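The IdP-side bookkeeping behind the solution on pages 15 to 18, as an added example in Python that is not part of the presentation or of simpleSAMLphp: the IdP builds one LogoutRequest per SP sharing the session (each delivered by a hidden iFrame), matches every returned LogoutResponse to its request by InResponseTo and Issuer, and records a per-SP status so the logout page can show which services failed, including an SP whose iFrame never answers. Entity IDs, the NameID, the SessionIndex and the sample response are constructed for the example.

```python
import xml.etree.ElementTree as ET
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

def build_logout_request(issuer, name_id, session_index, request_id):
    """Minimal SAML 2.0 LogoutRequest (unsigned here; a real IdP signs it)."""
    req = ET.Element(f"{{{SAMLP}}}LogoutRequest", ID=request_id, Version="2.0",
                     IssueInstant="2009-06-01T12:00:00Z")
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = issuer
    ET.SubElement(req, f"{{{SAML}}}NameID").text = name_id
    ET.SubElement(req, f"{{{SAMLP}}}SessionIndex").text = session_index
    return ET.tostring(req, encoding="unicode")

def parse_logout_response(xml_text):
    """Return (InResponseTo, issuer, success) from a LogoutResponse."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP}}}LogoutResponse":
        raise ValueError("not a LogoutResponse")
    code = root.find(f"{{{SAMLP}}}Status/{{{SAMLP}}}StatusCode")
    ok = code is not None and code.get("Value") == SUCCESS
    return root.get("InResponseTo"), root.findtext(f"{{{SAML}}}Issuer"), ok

class IdpLogoutTracker:
    """IdP-side state of one SLO: every SP sharing the session and how each fared."""
    def __init__(self, issuer, name_id, session_index, sps):
        self.requests = {}  # request ID -> SP entity ID, to match InResponseTo
        self.status = {sp: "pending" for sp in sps}
        self.messages = {}  # SP entity ID -> LogoutRequest its hidden iFrame delivers
        for i, sp in enumerate(sps):
            rid = f"_req{i}"  # constructed IDs; real ones must be unpredictable
            self.requests[rid] = sp
            self.messages[sp] = build_logout_request(issuer, name_id, session_index, rid)
    def on_response(self, xml_text):
        in_resp, issuer, ok = parse_logout_response(xml_text)
        sp = self.requests.get(in_resp)
        if sp is None or sp != issuer:
            return None  # unsolicited or mismatched response: do not trust it
        self.status[sp] = "logged out" if ok else "failed"
        return sp
    def on_timeout(self, sp):  # iFrame never answered (e.g. SP returned HTTP 500)
        if self.status.get(sp) == "pending":
            self.status[sp] = "failed"
    def all_done(self):
        return all(s == "logged out" for s in self.status.values())

SAMPLE_RESPONSE = (  # constructed sample: SP2's answer to the request in its iFrame
    f'<samlp:LogoutResponse xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="_r1"'
    ' Version="2.0" IssueInstant="2009-06-01T12:00:01Z" InResponseTo="_req1">'
    '<saml:Issuer>https://sp2.example.org</saml:Issuer>'
    f'<samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>'
    '</samlp:LogoutResponse>')
```

A response whose Issuer does not match the SP the request went to is ignored rather than marking that SP as logged out, and an SP that never answers ends up as "failed" so the user sees it in the list.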

Page 19

Live demo!

Page 20

iFrame + AJAX Single Logout

as provided by

Available today

Page 21

Is anyone using logout?

The big question!

We have had simpleSAMLphp in production for two months. Is anybody using global logout?

Let's take a look at the statistics.

Page 22

Is anyone using logout?

Yes! At a surprising SLO:SSO ratio of 1:10.

The SSO:SLO ratio varies a great deal between Service Providers, from 0 to 1:2!

Page 23

Andreas Åkre Solberg
http://rnd.feide.no