Single Log-Out
Andreas Åkre Solberg
Malaga, June 2009
Sessions On Web
HTTP is originally stateless. Cookies are used to keep state (cookies in RFC2965). A session ID is set the first time the user visits, and the browser sends it back to the site with every HTTP request.
[Diagram: 1. First request: Browser sends HTTP GET to Site; Site replies with Set-Cookie: ID=23846. 2. Subsequent requests: Browser sends Cookie: ID=23846.]
Cookies limited to domains
Set-Cookie: ID=123; domain=.site.org
Cookie sessions can live on one domain only. WebSSO protocols extend user sessions between domains.
[Diagram: SP session <- WebSSO -> IdP master session <- WebSSO -> SP session]
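To make the domain rule concrete, here is an added example (not from the slides) of a minimal cookie jar that applies the Domain attribute the way a browser does: a session cookie set for .site.org is attached to requests for any host under site.org and to nothing else, which is exactly the gap a WebSSO protocol has to bridge. The hostnames are constructed for the example; Path, Secure and expiry handling are left out.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlsplit


def domain_matches(host: str, cookie_domain: str) -> bool:
    """RFC 6265 domain match: the host is the cookie domain itself or a subdomain of it."""
    host, cookie_domain = host.lower(), cookie_domain.lower().lstrip(".")
    return host == cookie_domain or host.endswith("." + cookie_domain)


class BrowserCookieJar:
    """Keeps cookies by scope and builds the Cookie header a browser would send.
    Path, Secure and expiry are left out to keep the domain rule in focus."""

    def __init__(self) -> None:
        self._store: dict[tuple[str, bool, str], str] = {}  # (domain, host_only, name) -> value

    def receive_set_cookie(self, response_host: str, header_value: str) -> bool:
        """Process one Set-Cookie header sent by response_host; False if nothing was accepted."""
        parsed = SimpleCookie()
        parsed.load(header_value)
        accepted = False
        for name, morsel in parsed.items():
            domain_attr = morsel["domain"]
            if domain_attr:
                # A browser drops a cookie whose Domain does not cover the responding
                # host, so one site cannot plant a session cookie for another.
                if not domain_matches(response_host, domain_attr):
                    continue
                key = (domain_attr.lower().lstrip("."), False, name)
            else:
                # No Domain attribute: host-only cookie, returned to that exact host.
                key = (response_host.lower(), True, name)
            self._store[key] = morsel.value
            accepted = True
        return accepted

    def cookie_header_for(self, url: str) -> str:
        """The Cookie header value for a request to url ('' when nothing applies)."""
        host = (urlsplit(url).hostname or "").lower()
        pairs = [f"{name}={value}"
                 for (domain, host_only, name), value in self._store.items()
                 if (host == domain if host_only else domain_matches(host, domain))]
        return "; ".join(pairs)
```

The two checks that matter for security are both in receive_set_cookie: a Domain that does not cover the sender is rejected, and a cookie without Domain stays host-only. The IdP on the next slides can therefore never see the SP's cookie, and vice versa.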
Consequences of not terminating SSO
Logging in to one service, and not terminating the SSO session, enables access to a wide range of other services. Users do not understand this.
[Diagram: one WebSSO IdP linked to several SPs, e.g. extending the loan period of a book at the library, financial system X, employee salary payment.]
Logout
What do users do when they want to log out? They click logout, or close the browser/tab.
Close the tab???
Yes, (some) people close the tab to log out. We hired a company to perform usability testing with real users.
Logout
Most federations do not offer any kind of logout. What if we want to provide some kind of logout? What are our options?
Local Logout
Can the federations leave logout to the services alone, with each service providing an independent local logout? NO! What will SSO do to you if you click login after having logged out locally? The IdP session is still active, so you are logged straight back in without being asked to authenticate.
Local + IdP Logout
Is this a good idea?
[Diagram: 1. SP1 sends LogoutRequest to IdP; 2. IdP returns LogoutResponse. The sessions at SP1 and the IdP are deactivated; SP2 and SP3 still have active sessions.]
SAML 2.0 provides protocol elements to distribute logout among entities.
Local + IdP Logout
The boundaries between SPs are washed out with SSO. The user can never know exactly which services she is logged into (because SSO is transparent). Therefore local + IdP logout is a «no go»!
[Diagram: MyPortal.com embedding Service foo (SP1) and Service bar (SP2), both with sessions at the IdP.]
Single Logout - as in SAML 2.0 Single Logout Profile
[Diagram: 1. SP1 sends LogoutRequest to IdP; 2. IdP sends LogoutRequest to SP2; 3. SP2 returns LogoutResponse; 4. IdP sends LogoutRequest to SP3; 5. SP3 returns LogoutResponse; 6. IdP returns LogoutResponse to SP1.]
Logout is fully propagated to all services that share a session.
Single Logout Usability
There is no way to get the user to understand what is going on with SLO without being extremely clear and explicit. Because users generally do not fully understand SSO, there is no common intuitive understanding of what SLO will do; it differs from user to user. One of the things we tried: naming the button 'Global logout' does not make it any easier for the user.
Single Logout Back-Out
Users who are in the middle of an important transaction at SP2 will not like it if it is interrupted when they log out from SP1.
Real-life example, a requirement from a financial system SP: the user should be told which servers she is logged on to, and asked whether she wants to log out from all of them.
Single Logout Bindings
Front-channel: not robust. SP2 may return a 500 Internal Server Error when the user logs out from SP1, and the logout chain stops there.
Back-channel: difficult to implement for SPs, because the LogoutRequest arrives directly from the IdP and the SP has no access to the browser's session cookie.
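The SAML 2.0 Single Logout exchange from the profile slide (steps 1 to 6) and the binding problem on this slide can be seen together in one added example. This is illustrative code written for this page, not from the slides or from simpleSAMLphp: it builds and parses samlp:LogoutRequest / samlp:LogoutResponse messages with the standard SAML 2.0 namespaces and status codes, fans a logout out from the IdP to every SP sharing the session, and keeps each SP's sessions keyed by SessionIndex so a request can be honoured without any cookie (the back-channel case). Entity IDs, the session index and the user are constructed values; messages are not signed, and the SPs are called directly instead of over HTTP.

```python
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
RESPONDER = "urn:oasis:names:tc:SAML:2.0:status:Responder"
PARTIAL_LOGOUT = "urn:oasis:names:tc:SAML:2.0:status:PartialLogout"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)

def _message_attrs(destination):
    # Attributes every SAML 2.0 request/response carries; ID must be a fresh NCName.
    return {"ID": "_" + uuid.uuid4().hex, "Version": "2.0", "Destination": destination,
            "IssueInstant": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")}

def build_logout_request(issuer, destination, name_id, session_index):
    """Return (ID, xml) of a samlp:LogoutRequest naming the session to terminate."""
    req = ET.Element(f"{{{SAMLP}}}LogoutRequest", _message_attrs(destination))
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = issuer
    ET.SubElement(req, f"{{{SAML}}}NameID").text = name_id
    ET.SubElement(req, f"{{{SAMLP}}}SessionIndex").text = session_index
    return req.get("ID"), ET.tostring(req, encoding="unicode")

def build_logout_response(issuer, destination, in_response_to, partial=False):
    """Responder/PartialLogout is SAML's status for an IdP that could not reach every SP."""
    attrs = _message_attrs(destination)
    attrs["InResponseTo"] = in_response_to
    resp = ET.Element(f"{{{SAMLP}}}LogoutResponse", attrs)
    ET.SubElement(resp, f"{{{SAML}}}Issuer").text = issuer
    status = ET.SubElement(resp, f"{{{SAMLP}}}Status")
    top = ET.SubElement(status, f"{{{SAMLP}}}StatusCode", {"Value": RESPONDER if partial else SUCCESS})
    if partial:
        ET.SubElement(top, f"{{{SAMLP}}}StatusCode", {"Value": PARTIAL_LOGOUT})
    return ET.tostring(resp, encoding="unicode")

def parse_logout_request(xml_text):
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP}}}LogoutRequest":
        raise ValueError("not a samlp:LogoutRequest")
    return {"id": root.get("ID"), "issuer": root.findtext(f"{{{SAML}}}Issuer"),
            "name_id": root.findtext(f"{{{SAML}}}NameID"),
            "session_index": root.findtext(f"{{{SAMLP}}}SessionIndex")}

def parse_logout_response(xml_text):
    root = ET.fromstring(xml_text)
    code = root.find(f"{{{SAMLP}}}Status/{{{SAMLP}}}StatusCode")
    return {"in_response_to": root.get("InResponseTo"), "issuer": root.findtext(f"{{{SAML}}}Issuer"),
            "success": code is not None and code.get("Value") == SUCCESS}

class SP:
    """Session participant; sessions keyed by SessionIndex, so no cookie is needed to end one."""
    def __init__(self, entity_id):
        self.entity_id, self.sessions = entity_id, {}

    def handle_logout_request(self, xml_text):
        req = parse_logout_request(xml_text)
        self.sessions.pop(req["session_index"], None)  # idempotent local logout
        return build_logout_response(self.entity_id, req["issuer"], req["id"])

class BrokenSP(SP):
    """Models an SP that answers a front-channel LogoutRequest with a 500 error."""
    def handle_logout_request(self, xml_text):
        raise RuntimeError("500 Internal Server Error")

class IdP:
    """Session authority: remembers which SPs share each SSO session."""
    def __init__(self, entity_id):
        self.entity_id, self.sessions = entity_id, {}  # session_index -> (name_id, {sp_id: SP})

    def handle_logout_request(self, xml_text):
        """Step 1 in from the initiator; steps 2-5 fan out; step 6 answers the initiator."""
        req = parse_logout_request(xml_text)
        entry = self.sessions.get(req["session_index"])
        if entry is None or entry[0] != req["name_id"]:
            # Unknown session or NameID mismatch: act on nothing, report no propagation.
            return build_logout_response(self.entity_id, req["issuer"], req["id"], partial=True)
        name_id, participants = self.sessions.pop(req["session_index"])
        all_ok = True
        for sp_id, sp in participants.items():
            if sp_id == req["issuer"]:
                continue  # the initiator has already ended its own session
            rid, xml = build_logout_request(self.entity_id, sp_id, name_id, req["session_index"])
            try:
                resp = parse_logout_response(sp.handle_logout_request(xml))
                all_ok &= resp["success"] and resp["in_response_to"] == rid
            except Exception:
                all_ok = False  # a failing SP must not stop the logout of the others
        return build_logout_response(self.entity_id, req["issuer"], req["id"], partial=not all_ok)

def run_single_logout(sp2_broken=False):
    """Constructed scenario: one SSO session shared by SP1, SP2 and SP3; SP1 starts SLO."""
    idp, sp1, sp3 = IdP("https://idp.example/"), SP("https://sp1.example/"), SP("https://sp3.example/")
    sp2 = (BrokenSP if sp2_broken else SP)("https://sp2.example/")
    for sp in (sp1, sp2, sp3):
        sp.sessions["idx-1"] = {"user": "alice"}
    idp.sessions["idx-1"] = ("alice@example", {sp.entity_id: sp for sp in (sp1, sp2, sp3)})
    sp1.sessions.pop("idx-1")  # step 1: the user logs out at SP1, which then asks the IdP
    rid, xml = build_logout_request(sp1.entity_id, idp.entity_id, "alice@example", "idx-1")
    final = parse_logout_response(idp.handle_logout_request(xml))
    return {"answered_initiator": final["in_response_to"] == rid, "all_logged_out": final["success"],
            "sp2_sessions": len(sp2.sessions), "sp3_sessions": len(sp3.sessions), "idp_sessions": len(idp.sessions)}
```

Two details carry the defensive weight: the IdP checks that the NameID in the request belongs to the SessionIndex before touching anything, and it checks InResponseTo on every LogoutResponse so that only an answer to the request it actually sent counts. Running the scenario with sp2_broken=True shows the front-channel failure mode from the slide: SP3 is still logged out, but the initiator receives Responder/PartialLogout instead of Success.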
Single Logout Solution
Our solution: we use the front-channel only, so we are not stuck with back-channel complexity. We solve the robustness problem with hidden iframes, present the user with a list of logged-in services, offer the option to log out local + IdP or globally, and give good feedback to the user when things fail.
Single Logout Solution
[Diagram: the IdP logout page holds one hidden iframe per SP (SP1, SP2, SP3). The hidden iframes send front-channel LogoutRequests to the SPs and the page updates the logout status with AJAX. Each SP returns a LogoutResponse to the IdP; the LogoutResponse endpoint on the IdP updates the status on the user's logout page with AJAX.]
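The IdP side of the iframe + AJAX design can be shown with an added example (written for this page, not taken from simpleSAMLphp). It covers the two pieces the diagram needs on the server: building the URL each hidden iframe loads (the SAML HTTP-Redirect binding, i.e. raw DEFLATE, base64 and URL encoding of the SAMLRequest parameter, without the signature parameters), and a per-logout status tracker that the LogoutResponse endpoint updates and the AJAX poll reads. The entity IDs, request IDs and timeout value are constructed; an SP that fails with a 500 never sends a LogoutResponse, so the tracker turns its entry into a timeout instead of leaving the user waiting.

```python
import base64
import json
import time
import zlib
from urllib.parse import parse_qs, urlencode, urlsplit

PENDING, COMPLETED, FAILED, TIMED_OUT = "pending", "completed", "failed", "timeout"


def redirect_binding_url(slo_endpoint, saml_xml, relay_state=None):
    """URL a hidden iframe loads: SAML HTTP-Redirect binding (raw DEFLATE, then base64,
    then URL-encoded as the SAMLRequest parameter). SigAlg/Signature are omitted here."""
    deflater = zlib.compressobj(9, zlib.DEFLATED, -15)  # wbits -15: raw deflate, no zlib header
    raw = deflater.compress(saml_xml.encode("utf-8")) + deflater.flush()
    params = {"SAMLRequest": base64.b64encode(raw).decode("ascii")}
    if relay_state:
        params["RelayState"] = relay_state
    return slo_endpoint + "?" + urlencode(params)


def decode_redirect_binding(url, param="SAMLRequest"):
    """Inverse of redirect_binding_url, as the SP's SLO endpoint would apply it."""
    value = parse_qs(urlsplit(url).query)[param][0]
    return zlib.decompress(base64.b64decode(value), -15).decode("utf-8")


class LogoutStatusTracker:
    """IdP-side status of one front-channel logout driven by hidden iframes.

    The logout page opens one hidden iframe per SP, each carrying a LogoutRequest
    with its own request ID. When an SP answers, its LogoutResponse reaches the
    IdP's LogoutResponse endpoint, which calls on_logout_response(); the page
    polls snapshot_json() over AJAX to refresh the list shown to the user.
    """

    def __init__(self, requests_by_sp, timeout_s=15.0, clock=time.monotonic):
        # requests_by_sp: {sp_entity_id: ID of the LogoutRequest sent to that SP}
        self._clock = clock
        self._deadline = clock() + timeout_s
        self._sp_by_request = {rid: sp for sp, rid in requests_by_sp.items()}
        self._state = {sp: PENDING for sp in requests_by_sp}

    def on_logout_response(self, in_response_to, issuer, success):
        """Record an SP's answer; False for unsolicited, mismatched or duplicate responses."""
        sp = self._sp_by_request.get(in_response_to)
        if sp is None or sp != issuer or self._state[sp] != PENDING:
            return False  # only the SP we asked may flip its own entry, and only once
        self._state[sp] = COMPLETED if success else FAILED
        return True

    def snapshot(self):
        """What the AJAX poll returns; pending SPs become 'timeout' after the deadline."""
        if self._clock() > self._deadline:
            for sp, state in self._state.items():
                if state == PENDING:
                    self._state[sp] = TIMED_OUT  # e.g. an SP that returned a 500 and never answered
        services = dict(self._state)
        return {"services": services,
                "finished": all(s != PENDING for s in services.values()),
                "all_ok": all(s == COMPLETED for s in services.values())}

    def snapshot_json(self):
        return json.dumps(self.snapshot(), sort_keys=True)
```

The mapping from request ID to SP is what keeps the status page honest: a LogoutResponse the IdP never solicited, or one whose Issuer is not the SP that was asked, cannot mark a service as logged out. The timeout is what gives the user the "good feedback when things fail" from the previous slide.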
Live demo!
iframe + AJAX Single Logout as provided by [logo]. Available today.
Is anyone using logout?
The big question! We have had simpleSAMLphp in production for two months. Is anybody using global logout? Let's take a look at the statistics.
Is anyone using logout?
Yes! At a surprising ratio of SLO:SSO of 1:10. The ratio of SSO:SLO varies very much between Service Providers, from 0 to 1:2!
Andreas Åkre Solberg http://rnd.feide.no