Logout in Single Sign-on Systems



Similar documents
Logout Support on SP and Application

Federated Identity Management and Shibboleth. Noreen Hogan Asst. Director Enterprise Admin. Applications

Single Logout. TF-EMC Vienna 17 th February Kristóf Bajnok NIIF Institute

Single Sign On. SSO & ID Management for Web and Mobile Applications

Evaluation of different Open Source Identity management Systems

SAML Security Option White Paper

SAML-Based SSO Solution

Safewhere*Identify 3.4. Release Notes

Enabling Federation and Web-Single Sign-On in Heterogeneous Landscapes with the Identity Provider and Security Token Service Supplied by SAP NetWeaver

OpenID and identity management in consumer services on the Internet

Perceptive Experience Single Sign-On Solutions

HP Software as a Service. Federated SSO Guide

How to create a SP and a IDP which are visible across tenant space via Config files in IS

Copyright: WhosOnLocation Limited

OpenLogin: PTA, SAML, and OAuth/OpenID

This chapter describes how to use the Junos Pulse Secure Access Service in a SAML single sign-on deployment. It includes the following sections:

The Top 5 Federated Single Sign-On Scenarios

Liberty Alliance. CSRF Review. .NET Passport Review. Kerberos Review. CPSC 328 Spring 2009

Addressing threats to real-world identity management systems

Single Sign-On for the UQ Web

Using SAML for Single Sign-On in the SOA Software Platform

Shibboleth N-Tier Support. Chad La Joie

Shibboleth User Verification Customer Implementation Guide Version 3.5

Single Log-Out. Andreas Åkre Solberg Malaga, June 2009

Computer Systems Security 2013/2014. Single Sign-On. Bruno Maia Pedro Borges

HP Software as a Service

How to Implement Enterprise SAML SSO

Flexible Identity Federation

Authentication Methods

Single Sign On Integration Guide. Document version:

Using Shibboleth for Single Sign- On

CA CloudMinder. Getting Started with SSO 1.5

About Me. Software Architect with ShapeBlue Specialise in. 3 rd party integrations and features in CloudStack

PingFederate. OpenID Cloud Identity Connector. User Guide. Version 1.1

Operating Level Agreement for NYU Login Service

SAML Authentication within Secret Server

Single Sign On (SSO) Implementation Manual. For Connect 5 & MyConnect Sites

Identity Management: The authentic & authoritative guide for the modern enterprise

Разработка программного обеспечения промежуточного слоя. TERENA BASNET Workshop, November 2009 Joost van Dijk - SURFnet

SAML Authentication Quick Start Guide

Toward campus portal with shibboleth middleware

OpenSSO: Simplify Your Single-Sign-On Needs. Sang Shin Java Technology Architect Sun Microsystems, inc. javapassion.com

CA SiteMinder. Federation Security Services Release Notes. r12.0 SP3

Step-by-Step guide for SSO from MS Sharepoint 2010 to SAP EP 7.0x

SAML-Based SSO Solution

Enabling SAML for Dynamic Identity Federation Management

CA Performance Center

Tenrox. Single Sign-On (SSO) Setup Guide. January, Tenrox. All rights reserved.

Identity Management in Liferay Overview and Best Practices. Liferay Portal 6.0 EE

ABOUT TOOLS4EVER ABOUT DELOITTE RISK SERVICES

SAML Authentication with BlackShield Cloud

Implementation Guide SAP NetWeaver Identity Management Identity Provider

Configuring Single Sign-on from the VMware Identity Manager Service to WebEx

Cloud Computing. Chapter 5 Identity as a Service (IDaaS)

Middleware integration in the Sympa mailing list software. Olivier Salaün - CRU

New Single Sign-on Options for IBM Lotus Notes & Domino IBM Corporation

Analysis and Implementation of a SSO Solution for Several Web Portal

Single Sign-On: Reviewing the Field

The increasing popularity of mobile devices is rapidly changing how and where we

Egnyte Single Sign-On (SSO) Installation for OneLogin

Federation At Fermilab. Al Lilianstrom National Laboratories Information Technology Summit May 2015

A Shibboleth View of Federated Identity. Steven Carmody Brown Univ./Internet2 March 6, 2007 Giornata AA - GARR

HOTPin Integration Guide: Salesforce SSO with Active Directory Federated Services

Federated Identity for Cloud Computing and Cross-organization Collaboration

Identity Server Guide Access Manager 4.0

UNIVERSITY OF COLORADO Procurement Service Center INTENT TO SOLE SOURCE PROCUREMENT CU-JL SS. Single Sign-On (SSO) Solution

WebNow Single Sign-On Solutions

Federated Identity Management Solutions

From centralized to single sign on

Masdar Institute Single Sign-On: Standards-based Identity Federation. John Mikhael ICT Department

Getting Started with AD/LDAP SSO

IMPLEMENTING SINGLE SIGN- ON USING SAML 2.0 ON JUNIPER NETWORKS MAG SERIES JUNOS PULSE GATEWAYS

Lets get a federated identity. Intro to Federated Identity. Feide OpenIdP. Enter your address. Do you have access to your ?

Connected Data. Connected Data requirements for SSO

PingFederate. Salesforce Connector. Quick Connection Guide. Version 4.1

QR-SSO : Towards a QR-Code based Single Sign-On system

PingFederate. Identity Menu Builder. User Guide. Version 1.0

Securing WebFOCUS A Primer. Bob Hoffman Information Builders

Identity. Provide. ...to Office 365 & Beyond

Identity Federation: Bridging the Identity Gap. Michael Koyfman, Senior Global Security Solutions Architect

Administering Jive Mobile Apps

Enhancing Web Application Security

Only LDAP-synchronized users can access SAML SSO-enabled web applications. Local end users and applications users cannot access them.

TrustedX: eidas Platform

DualShield SAML & SSO. Integration Guide. Copyright 2011 Deepnet Security Limited. Copyright 2011, Deepnet Security. All Rights Reserved.

PARTNER INTEGRATION GUIDE. Edition 1.0

Federated Identity Management

An overview of configuring WebEx for single sign-on. To configure the WebEx application for single-sign on from the cloud service (an overview)

The Challenges of Web single sign-on

Web Based Single Sign-On and Access Control

IGI Portal architecture and interaction with a CA- online

Transcription:

Logout in Single Sign-on Systems Sanna Suoranta, Asko Tontti, Joonas Ruuskanen, Tuomas Aura IFIP IDMAN, London, UK, 8-9.4.2013

Logout in Single Sign-on Systems Motivation Single sign-on (SSO) systems SSO in Finnish universities Logout in single sign-on systems Problems in practice Suggestions for solution

Motivation Single Sign-on reduces the number of passwords user needs Identity Provider authenticates the user on behalf of services If services are used with a shared computer, logging out is essential, or otherwise a next user of the computer can get in to the services with previous user s privileges Not only the used service but also all other services that use the same SSO authentication Logout is important part of authentication session in cases where timeout is not enough

Single Sign-on Systems OpenID open federation Several widely used services such as Google and Yahoo provides OpenID identities to services But anyone can create an OpenID account without verification of identity Shibboleth (based on SAML) Software freely available But requires forming of a federation for cross-organizational SSO Facebook Connect and other similar services offer authentication Centralized authentication for third party applications available

Single Sign-on Service 1) Service request 8) Service response 7) Service and SP sessions created 2) Redirect to IdP 6) Redirect to SP (Service) SP software Web Server of the Service Provider (SP) 3) Authentication challenge 4) Authentication response 5) SSO session created Identity Provider (IdP)

Single Sign-on at Aalto University In Finland, universities have formed a federation called HAKA; and that is joint together with Nordic SSO federation Shibboleth SSO is used to authenticate both staff and students CSC IT Center for Science operates the HAKA federation and provides the metadata files needed Each university has its own identity provider Some services are common (e.g. library service Nelli), Others are university specific (e.g. study register Oodi that is used by half of the Finnish universities). Moreover, any new service can added to be used within the federation (e.g. CSE department s own service where students return their assignments)

Logout in SSO Service session usually ends either when user logs out or a timeout logs her out Logout in SSO systems is not so straightforward where the user logs out? Only from the service at hand From all services belonging to the same federation and form the Identity Provider (== global logout, single logout) From the service at hand and the IdP, without ending other service sessions

Logout in SSO in practice In practice, logout in SSO system can lead to several outcomes: Logout in the service application Logout in service provider (SP) service side logout Local logout logout in the service and SP Logout in identity provider (IdP) Local logout with IdP logout Global logout (single logout) Requires that IdP know to which SPs the user has logged in Partial logout Error situation where some sessions remain active

Logout Problems User does not know where she has logged out Architectural knowledge of SSO is required to understand logout Expectations affects: does the user want to log out from a single service or from all services? Implementation problems in service side Either service s own session or SP s session is left behind either one is enough to let user back in Cookie management If user really want to log out, she has to close the web browser

Logout in SSO in Practice at Aalto Logout in practice Consequence Example Only service session removed SP session removed but service session remains You have been succesfully logged out Local logout with IdP logout Choosing between local and IdP logout SP session allows user to get back in Service session allows user to get back in, no possibility to contact IdP From where? If local logout, user can get back in because IdP session is still active Other services are still active but new services require reauthentication Allows user to decide but requires knowledge of SSO Oodi (study register) Nelli (library service) Wiki (all kind of groups) Noppa (course information)

What users want today? Linden et al. (2005) claim that users of SSO want Single Logout (SLO) However, SSO was new in those days and users were not familiar with the concept Shared computers in libraries should still execute SLO Unclear if this is the case today Users today are more familiar with SSO Users have personal devices such as smart phones and typing in credentials again after logout can be annoying

Suggested Solutions Unified and standardized process for ending sessions E.g. order of removing the sessions Improving the cookie management in browsers Ending the sessions without closing the browser Allowing the IdP to access SP and service cookies Creating a mechanism to check the existence of an IdP session SPs should be able to poll IdP to check if the IdP session is still active Unified user interface for logout Federation should give guidelines for UI and its terminology

Questions? Sanna.Suoranta@aalto.fi, Asko.Tontti@csc.fi, Joonas.Ruuskanen@aalto.fi, Tuomas.Aura@aalto.fi

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information