Single Log-Out
Andreas Åkre Solberg
Malaga, June 2009
Sessions On Web
       • HTTP originally stateless
       • Using Cookies to keep state
       • Cookies in RFC2965
       • Set a session ID first time user visits,
       sent back to site for every HTTP request
[Diagram: (1) first request, browser sends HTTP GET to the site, which replies with Set-Cookie: ID=23846; (2) every subsequent request from the browser carries Cookie: ID=23846]
Cookies limited to domains
   Set-Cookie: ID=123; Domain=.site.org


Cookie sessions can be on one domain only.

WebSSO protocols extend user sessions
between domains.
[Diagram: the IdP holds the master session; WebSSO links it to a separate session at each SP]
Consequences of not terminating SSO
 Logging in to one service and not terminating the SSO
 session enables access to a wide range of other services.

 Users do not understand this.
[Diagram: one IdP with WebSSO links to several SPs. One SP is a library, where the user is extending the loan period of a book; another is Financial system X, which handles employee salary payment.]
Logout
 What do users do when they want to
 logout?

 They:
 • Click logout, or
 • close the browser/tab
Close the tab???
 Yes, (some) people close the tab to
 logout.

 We hired a company to perform usability
 testing with real users.
Logout

 Most federations do not offer any kind
 of logout.

 What if we want to provide some kind of
 logout? What are our options?
Local Logout
 Can federations leave logout to the
 services alone, with each service providing
 an independent local logout?

 NO!

 What will SSO do to you if you click
 login after having logged out locally?
Local + IdP Logout
Is this a good idea?
[Diagram: (1) SP1 sends a LogoutRequest to the IdP; (2) the IdP returns a LogoutResponse to SP1. The sessions at SP2 and SP3 are still active. Legend: active session / deactivated session.]

SAML 2.0 provides a protocol element to distribute logout among entities.
Local + IdP Logout
 Boundaries between SPs are washed out
 with SSO. The user can never know
 exactly which services she is logged into
 (because SSO is transparent).
 Therefore local + IdP logout is a «no go»!
[Diagram: MyPortal.com fronts Service foo (SP1) and Service bar (SP2), both logged in through the same IdP]
Single Logout
- as in SAML 2.0 Single Logout Profile


[Diagram: (1) SP1 sends a LogoutRequest to the IdP; (2) the IdP sends a LogoutRequest to SP2; (3) SP2 returns a LogoutResponse to the IdP; (4) the IdP sends a LogoutRequest to SP3; (5) SP3 returns a LogoutResponse to the IdP; (6) the IdP returns a LogoutResponse to SP1.]

Logout is fully propagated to all services that share a session...
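The three logout modes compared on the preceding slides, as an added model that is not code from the talk or from simpleSAMLphp: the federation state is constructed in memory, SAML messages are named rather than built as XML, and the trace numbering follows the slide's diagram. It also answers the earlier "click login after local logout" question for each mode.

```python
"""Which sessions survive each logout mode the slides compare.

Added illustration; not code from the talk or from simpleSAMLphp. The
federation state is constructed in memory and the SAML messages are
named only, so the point is purely which sessions stay active and
what SSO does on the next login click.
"""
from dataclasses import dataclass, field


@dataclass
class Federation:
    idp_session: bool = False                            # master session at the IdP
    sp_sessions: dict = field(default_factory=dict)      # SP -> local session active?
    idp_associations: set = field(default_factory=set)   # SPs logged in via this master session

    def login(self, sp: str) -> str:
        """WebSSO login at `sp`. Returns 'prompted' if the user had to
        authenticate, 'silent' if the master session let them straight in."""
        outcome = "silent" if self.idp_session else "prompted"
        self.idp_session = True
        self.sp_sessions[sp] = True
        self.idp_associations.add(sp)
        return outcome

    def local_logout(self, sp: str) -> None:
        """The SP drops its own session; nothing is said to the IdP."""
        self.sp_sessions[sp] = False

    def local_plus_idp_logout(self, sp: str) -> None:
        """LogoutRequest from `sp` to the IdP, which kills only the master
        session. The other SPs are never told, so their sessions remain."""
        self.local_logout(sp)
        self.idp_session = False
        self.idp_associations.discard(sp)

    def single_logout(self, sp: str) -> list:
        """SAML 2.0 Single Logout Profile: the IdP forwards a LogoutRequest
        to every other SP associated with this master session, collects
        their LogoutResponses, and finally answers the initiator. Returns
        the message trace numbered as in the slide's diagram."""
        trace = [f"1 {sp}->IdP LogoutRequest"]
        self.local_logout(sp)
        step = 2
        for other in sorted(self.idp_associations - {sp}):
            trace.append(f"{step} IdP->{other} LogoutRequest")
            self.sp_sessions[other] = False
            trace.append(f"{step + 1} {other}->IdP LogoutResponse")
            step += 2
        self.idp_session = False
        self.idp_associations.clear()
        trace.append(f"{step} IdP->{sp} LogoutResponse")
        return trace

    def active(self) -> list:
        return sorted(s for s, on in self.sp_sessions.items() if on)


def compare_modes() -> dict:
    """From the same start (logged in at SP1, SP2, SP3 via SSO), log out
    from SP1 in each mode, then click login at SP1 again."""
    results = {}
    for mode in ("local", "local+idp", "slo"):
        fed = Federation()
        for sp in ("SP1", "SP2", "SP3"):
            fed.login(sp)
        if mode == "local":
            fed.local_logout("SP1")
        elif mode == "local+idp":
            fed.local_plus_idp_logout("SP1")
        else:
            fed.single_logout("SP1")
        still_active = fed.active()
        results[mode] = {"still_active": still_active,
                         "relogin": fed.login("SP1")}
    return results


if __name__ == "__main__":
    for mode, r in compare_modes().items():
        print(f"{mode:10s} still active: {r['still_active']}  "
              f"next login at SP1: {r['relogin']}")
```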
Single Logout Usability
 There is no way to get the user to
 understand what is going on with SLO
 without being extremely clear and
 explicit. Because users generally do not fully understand
 SSO, there is no common intuitive understanding of what SLO will
 do. It differs from user to user.

 One of the things we tried:
 Naming the button 'Global logout' did not make
 it any easier for the user.
Single Logout Back-Out
Users who are in the middle of an important
transaction at SP2 will not like it if it is
interrupted when they log out from SP1.
- Real-life example:
A requirement from a financial system SP

The user should be told which servers she
is logged on to, and asked whether she
wants to log out from all of them.
Single Logout Bindings
 Front-channel:
 • Not robust. SP2 may throw a 500 internal
 error while the user logs out from SP1.

 Back-channel:
 • Difficult to implement for SPs, because
 the SP has no access to the session cookie.
Single Logout Solution
 Our solution:
 • We use the front channel only, so we are
 not stuck with back-channel complexity.
 • We solve the robustness problem with
 hidden iFrames.
 • We present the user with a list of logged
 in services.
 • Option to log out local + IdP or globally.
 • Good feedback to the user when things fail.
Single Logout Solution
[Diagram: the IdP logout page holds one hidden iFrame for each of SP1, SP2 and SP3.]

Hidden iFrames send front-channel LogoutRequests and update the logout status with AJAX.
Single Logout Solution
[Diagram: each SP returns a LogoutResponse to the IdP.]

The LogoutResponse endpoint on the IdP updates the status on the user's logout page with AJAX.
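The IdP-side bookkeeping behind the iFrame + AJAX solution on the preceding slides, as an added model that is neither the talk's code nor simpleSAMLphp's: one LogoutRequest per SP is issued to a hidden iFrame, the LogoutResponse endpoint matches replies on InResponseTo before changing any status, and the AJAX poll reports SPs that never answer (the 500 case) as failed so the user gets the feedback the slides call for. SP names, request IDs and the clock are constructed; no SAML XML is built.

```python
"""IdP-side status tracking for front-channel SLO driven from a logout page.

Added illustration; not the talk's code and not simpleSAMLphp's. It models
the solution the slides describe: the IdP's logout page opens one hidden
iFrame per SP carrying a LogoutRequest, each SP redirects its LogoutResponse
back to the IdP endpoint, and the page polls the per-SP status with AJAX.
Request IDs, SP names and the clock are constructed; no SAML XML is built.
"""
import secrets
import time

# SAML 2.0 top-level status codes an SP may put in its LogoutResponse.
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
RESPONDER = "urn:oasis:names:tc:SAML:2.0:status:Responder"


class SloTracker:
    def __init__(self, sps, timeout_s=10.0, clock=time.monotonic):
        self.clock = clock
        self.timeout_s = timeout_s
        self.started = clock()
        # One LogoutRequest (and one iFrame) per SP, keyed by request ID so
        # a LogoutResponse can be matched on its InResponseTo attribute.
        self.requests = {"_" + secrets.token_hex(16): sp for sp in sps}
        self.status = {sp: "pending" for sp in sps}

    def iframe_targets(self):
        """(sp, request_id) pairs the logout page renders as hidden iFrames."""
        return [(sp, rid) for rid, sp in self.requests.items()]

    def on_logout_response(self, in_response_to, issuer, status_code):
        """Called by the IdP's LogoutResponse endpoint. Returns the SP whose
        status changed, or None when the response is rejected."""
        sp = self.requests.get(in_response_to)
        if sp is None or sp != issuer:
            # Not a reply to a request we issued, or sent by the wrong SP:
            # it must not be allowed to mark anybody as logged out.
            return None
        if self.status[sp] != "pending":
            return None  # duplicate or replayed response
        self.status[sp] = "loggedout" if status_code == SUCCESS else "failed"
        return sp

    def snapshot(self):
        """What each AJAX poll returns. SPs still pending after the deadline
        (e.g. the iFrame got a 500 page) are shown as failed, so the user
        learns that a session may still be alive there."""
        if self.clock() - self.started > self.timeout_s:
            for sp, st in self.status.items():
                if st == "pending":
                    self.status[sp] = "failed"
        return dict(self.status)

    def complete(self):
        return all(st != "pending" for st in self.status.values())


def run_scenario():
    """Constructed run: SP1 succeeds, SP2 answers with Responder (its local
    logout failed), SP3's iFrame never comes back, and a forged response
    plus a response from the wrong issuer are both rejected."""
    now = [0.0]
    tracker = SloTracker(["SP1", "SP2", "SP3"], timeout_s=10.0,
                         clock=lambda: now[0])
    ids = dict(tracker.iframe_targets())           # sp -> request id
    forged = tracker.on_logout_response("_not-our-id", "SP1", SUCCESS)
    wrong_issuer = tracker.on_logout_response(ids["SP3"], "SP2", SUCCESS)
    tracker.on_logout_response(ids["SP1"], "SP1", SUCCESS)
    tracker.on_logout_response(ids["SP2"], "SP2", RESPONDER)
    now[0] = 3.0
    early = tracker.snapshot()       # SP3 still pending
    now[0] = 11.0
    final = tracker.snapshot()       # deadline passed: SP3 reported as failed
    return {"forged": forged, "wrong_issuer": wrong_issuer,
            "early": early, "final": final, "complete": tracker.complete()}


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(key, value)
```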
Live demo!
iFrame + AJAX Single Logout as provided by [logo; rotated stamp reads "Available today"]
Is anyone using logout?
 The big question!

 We have had simpleSAMLphp in
 production for two months. Is anybody
 using global logout?

 Let's take a look at the statistics.
Is anyone using logout?
 Yes! At a surprising
 SLO:SSO ratio of 1:10

 The SSO:SLO ratio varies a lot
 between Service Providers,
 from 0 to 1:2!
Andreas Åkre Solberg
http://rnd.feide.no

Weitere ähnliche Inhalte

Was ist angesagt?

Online shopping system (E-commerce)
Online shopping system (E-commerce)Online shopping system (E-commerce)
Online shopping system (E-commerce)Sarp Infotech
 
Instacart Market Basket Analysis
Instacart Market Basket AnalysisInstacart Market Basket Analysis
Instacart Market Basket AnalysisSharanya Prathap
 
WordPress for Education PPT
WordPress for Education PPTWordPress for Education PPT
WordPress for Education PPTjekkilekki
 
Library Management System - LMS
Library Management System - LMSLibrary Management System - LMS
Library Management System - LMSHasibul Haque Hira
 
e-conomy SEA by Google and Temasek
e-conomy SEA by Google and Temaseke-conomy SEA by Google and Temasek
e-conomy SEA by Google and TemasekeconomySEA
 
On-Page SEO Techniques for 2022
On-Page SEO Techniques for 2022On-Page SEO Techniques for 2022
On-Page SEO Techniques for 2022Stephen Fraga
 
302 principles of keywords and optimisation
302 principles of keywords and optimisation302 principles of keywords and optimisation
302 principles of keywords and optimisationcaitlin house
 
An Introduction to Web Analytics
An Introduction to Web AnalyticsAn Introduction to Web Analytics
An Introduction to Web Analyticsiexpertsforum
 
Interviewing People with Disabilities
Interviewing People with DisabilitiesInterviewing People with Disabilities
Interviewing People with Disabilitieskeithhosey
 
Introduction to WordPress
Introduction to WordPressIntroduction to WordPress
Introduction to WordPressHarshad Mane
 
Download Advance digital marketing course
Download Advance digital marketing courseDownload Advance digital marketing course
Download Advance digital marketing courseMukulTaneja13
 
Core Concepts of Paid Search Marketing
Core Concepts of Paid Search MarketingCore Concepts of Paid Search Marketing
Core Concepts of Paid Search MarketingStukent Inc.
 
Monthly Web Analytics Report
Monthly Web Analytics ReportMonthly Web Analytics Report
Monthly Web Analytics ReportMark Kegley
 
13 02-13 Dissertation
13 02-13 Dissertation13 02-13 Dissertation
13 02-13 DissertationXinmeng Li
 
Digital Marketing Workshop Presentation (PPT) by Shamsher Khan
Digital Marketing Workshop Presentation (PPT) by Shamsher KhanDigital Marketing Workshop Presentation (PPT) by Shamsher Khan
Digital Marketing Workshop Presentation (PPT) by Shamsher KhanShamsher Khan
 

Was ist angesagt? (20)

Can Spam Act
Can Spam ActCan Spam Act
Can Spam Act
 
Online shopping system (E-commerce)
Online shopping system (E-commerce)Online shopping system (E-commerce)
Online shopping system (E-commerce)
 
Seo presentation
Seo presentationSeo presentation
Seo presentation
 
Instacart Market Basket Analysis
Instacart Market Basket AnalysisInstacart Market Basket Analysis
Instacart Market Basket Analysis
 
WordPress for Education PPT
WordPress for Education PPTWordPress for Education PPT
WordPress for Education PPT
 
Library Management System - LMS
Library Management System - LMSLibrary Management System - LMS
Library Management System - LMS
 
Project report-482
Project report-482Project report-482
Project report-482
 
e-conomy SEA by Google and Temasek
e-conomy SEA by Google and Temaseke-conomy SEA by Google and Temasek
e-conomy SEA by Google and Temasek
 
KIBRU FIKADU
KIBRU FIKADUKIBRU FIKADU
KIBRU FIKADU
 
On-Page SEO Techniques for 2022
On-Page SEO Techniques for 2022On-Page SEO Techniques for 2022
On-Page SEO Techniques for 2022
 
302 principles of keywords and optimisation
302 principles of keywords and optimisation302 principles of keywords and optimisation
302 principles of keywords and optimisation
 
An Introduction to Web Analytics
An Introduction to Web AnalyticsAn Introduction to Web Analytics
An Introduction to Web Analytics
 
Interviewing People with Disabilities
Interviewing People with DisabilitiesInterviewing People with Disabilities
Interviewing People with Disabilities
 
Introduction to WordPress
Introduction to WordPressIntroduction to WordPress
Introduction to WordPress
 
Download Advance digital marketing course
Download Advance digital marketing courseDownload Advance digital marketing course
Download Advance digital marketing course
 
Core Concepts of Paid Search Marketing
Core Concepts of Paid Search MarketingCore Concepts of Paid Search Marketing
Core Concepts of Paid Search Marketing
 
SEO Tutorial
SEO TutorialSEO Tutorial
SEO Tutorial
 
Monthly Web Analytics Report
Monthly Web Analytics ReportMonthly Web Analytics Report
Monthly Web Analytics Report
 
13 02-13 Dissertation
13 02-13 Dissertation13 02-13 Dissertation
13 02-13 Dissertation
 
Digital Marketing Workshop Presentation (PPT) by Shamsher Khan
Digital Marketing Workshop Presentation (PPT) by Shamsher KhanDigital Marketing Workshop Presentation (PPT) by Shamsher Khan
Digital Marketing Workshop Presentation (PPT) by Shamsher Khan
 

Ähnlich wie Single Logout

MuleSoft Nashik Meetup#5 - JSON Logger and Externalize Logs
MuleSoft Nashik Meetup#5 - JSON Logger and Externalize LogsMuleSoft Nashik Meetup#5 - JSON Logger and Externalize Logs
MuleSoft Nashik Meetup#5 - JSON Logger and Externalize LogsJitendra Bafna
 
Single sign on (SSO) How does your company apply?
Single sign on (SSO) How does your company apply?Single sign on (SSO) How does your company apply?
Single sign on (SSO) How does your company apply?Đỗ Duy Trung
 
Open Source Identity Integration with OpenSSO
Open Source Identity Integration with OpenSSOOpen Source Identity Integration with OpenSSO
Open Source Identity Integration with OpenSSOelliando dias
 
Simplifying The S's: Single Sign-On, SPNEGO and SAML
Simplifying The S's: Single Sign-On, SPNEGO and SAMLSimplifying The S's: Single Sign-On, SPNEGO and SAML
Simplifying The S's: Single Sign-On, SPNEGO and SAMLGabriella Davis
 
Our road to Single Sign-On, DocPlanner
Our road to Single Sign-On, DocPlannerOur road to Single Sign-On, DocPlanner
Our road to Single Sign-On, DocPlannerTomasz Wójcik
 
Alfresco: Implementing secure single sign on (SSO) with OpenSAML
Alfresco: Implementing secure single sign on (SSO) with OpenSAMLAlfresco: Implementing secure single sign on (SSO) with OpenSAML
Alfresco: Implementing secure single sign on (SSO) with OpenSAMLJ V
 
Introduction of ShinoBOT (Black Hat USA 2013 Arsenal)
Introduction of ShinoBOT (Black Hat USA 2013 Arsenal)Introduction of ShinoBOT (Black Hat USA 2013 Arsenal)
Introduction of ShinoBOT (Black Hat USA 2013 Arsenal)Shota Shinogi
 
Six Mistakes of Log Management 2008
Six Mistakes of Log Management 2008Six Mistakes of Log Management 2008
Six Mistakes of Log Management 2008Anton Chuvakin
 
Super feats of integration x pages with symphony sharepoint and office
Super feats of integration  x pages with symphony sharepoint and officeSuper feats of integration  x pages with symphony sharepoint and office
Super feats of integration x pages with symphony sharepoint and officeJohn Head
 
Time to Terminate Manual 5250 Tasks
Time to Terminate Manual 5250 TasksTime to Terminate Manual 5250 Tasks
Time to Terminate Manual 5250 TasksHelpSystems
 
MuleSoft Surat Virtual Meetup#7 - JSON Logger and Common Error Handling With ...
MuleSoft Surat Virtual Meetup#7 - JSON Logger and Common Error Handling With ...MuleSoft Surat Virtual Meetup#7 - JSON Logger and Common Error Handling With ...
MuleSoft Surat Virtual Meetup#7 - JSON Logger and Common Error Handling With ...Jitendra Bafna
 
Lessons Learned from Migrating Legacy Enterprise Applications to Microservices
Lessons Learned from Migrating Legacy Enterprise Applications to MicroservicesLessons Learned from Migrating Legacy Enterprise Applications to Microservices
Lessons Learned from Migrating Legacy Enterprise Applications to MicroservicesVMware Tanzu
 
Introduction to LogCompare - Reducing MTTI/MTTR with Ease
Introduction to LogCompare - Reducing MTTI/MTTR with EaseIntroduction to LogCompare - Reducing MTTI/MTTR with Ease
Introduction to LogCompare - Reducing MTTI/MTTR with EaseSumo Logic
 
Teach Your Sites to Call for Help: Automated Problem Reporting for Online Ser...
Teach Your Sites to Call for Help: Automated Problem Reporting for Online Ser...Teach Your Sites to Call for Help: Automated Problem Reporting for Online Ser...
Teach Your Sites to Call for Help: Automated Problem Reporting for Online Ser...Caktus Group
 
Liferay workshop
Liferay workshopLiferay workshop
Liferay workshopahmadsayed
 
5.5.1.2 packet tracer configure ios intrusion prevention system (ips) using...
5.5.1.2 packet tracer   configure ios intrusion prevention system (ips) using...5.5.1.2 packet tracer   configure ios intrusion prevention system (ips) using...
5.5.1.2 packet tracer configure ios intrusion prevention system (ips) using...Salem Trabelsi
 

Ähnlich wie Single Logout (20)

MuleSoft Nashik Meetup#5 - JSON Logger and Externalize Logs
MuleSoft Nashik Meetup#5 - JSON Logger and Externalize LogsMuleSoft Nashik Meetup#5 - JSON Logger and Externalize Logs
MuleSoft Nashik Meetup#5 - JSON Logger and Externalize Logs
 
Single sign on (SSO) How does your company apply?
Single sign on (SSO) How does your company apply?Single sign on (SSO) How does your company apply?
Single sign on (SSO) How does your company apply?
 
Open Source Identity Integration with OpenSSO
Open Source Identity Integration with OpenSSOOpen Source Identity Integration with OpenSSO
Open Source Identity Integration with OpenSSO
 
Simplifying The S's: Single Sign-On, SPNEGO and SAML
Simplifying The S's: Single Sign-On, SPNEGO and SAMLSimplifying The S's: Single Sign-On, SPNEGO and SAML
Simplifying The S's: Single Sign-On, SPNEGO and SAML
 
Open sso fisl9.0
Open sso fisl9.0Open sso fisl9.0
Open sso fisl9.0
 
Our road to Single Sign-On, DocPlanner
Our road to Single Sign-On, DocPlannerOur road to Single Sign-On, DocPlanner
Our road to Single Sign-On, DocPlanner
 
Alfresco: Implementing secure single sign on (SSO) with OpenSAML
Alfresco: Implementing secure single sign on (SSO) with OpenSAMLAlfresco: Implementing secure single sign on (SSO) with OpenSAML
Alfresco: Implementing secure single sign on (SSO) with OpenSAML
 
Real World SharePoint Debacles
Real World SharePoint DebaclesReal World SharePoint Debacles
Real World SharePoint Debacles
 
Delivering Identity at Internet Scale
Delivering Identity at Internet ScaleDelivering Identity at Internet Scale
Delivering Identity at Internet Scale
 
Introduction of ShinoBOT (Black Hat USA 2013 Arsenal)
Introduction of ShinoBOT (Black Hat USA 2013 Arsenal)Introduction of ShinoBOT (Black Hat USA 2013 Arsenal)
Introduction of ShinoBOT (Black Hat USA 2013 Arsenal)
 
Joomla REST API
Joomla REST APIJoomla REST API
Joomla REST API
 
Six Mistakes of Log Management 2008
Six Mistakes of Log Management 2008Six Mistakes of Log Management 2008
Six Mistakes of Log Management 2008
 
Super feats of integration x pages with symphony sharepoint and office
Super feats of integration  x pages with symphony sharepoint and officeSuper feats of integration  x pages with symphony sharepoint and office
Super feats of integration x pages with symphony sharepoint and office
 
Time to Terminate Manual 5250 Tasks
Time to Terminate Manual 5250 TasksTime to Terminate Manual 5250 Tasks
Time to Terminate Manual 5250 Tasks
 
MuleSoft Surat Virtual Meetup#7 - JSON Logger and Common Error Handling With ...
MuleSoft Surat Virtual Meetup#7 - JSON Logger and Common Error Handling With ...MuleSoft Surat Virtual Meetup#7 - JSON Logger and Common Error Handling With ...
MuleSoft Surat Virtual Meetup#7 - JSON Logger and Common Error Handling With ...
 
Lessons Learned from Migrating Legacy Enterprise Applications to Microservices
Lessons Learned from Migrating Legacy Enterprise Applications to MicroservicesLessons Learned from Migrating Legacy Enterprise Applications to Microservices
Lessons Learned from Migrating Legacy Enterprise Applications to Microservices
 
Introduction to LogCompare - Reducing MTTI/MTTR with Ease
Introduction to LogCompare - Reducing MTTI/MTTR with EaseIntroduction to LogCompare - Reducing MTTI/MTTR with Ease
Introduction to LogCompare - Reducing MTTI/MTTR with Ease
 
Teach Your Sites to Call for Help: Automated Problem Reporting for Online Ser...
Teach Your Sites to Call for Help: Automated Problem Reporting for Online Ser...Teach Your Sites to Call for Help: Automated Problem Reporting for Online Ser...
Teach Your Sites to Call for Help: Automated Problem Reporting for Online Ser...
 
Liferay workshop
Liferay workshopLiferay workshop
Liferay workshop
 
5.5.1.2 packet tracer configure ios intrusion prevention system (ips) using...
5.5.1.2 packet tracer   configure ios intrusion prevention system (ips) using...5.5.1.2 packet tracer   configure ios intrusion prevention system (ips) using...
5.5.1.2 packet tracer configure ios intrusion prevention system (ips) using...
 

Mehr von Andreas Åkre Solberg

Dataporten for grunnopplæringa - Workshop September 2017
Dataporten for grunnopplæringa - Workshop September 2017Dataporten for grunnopplæringa - Workshop September 2017
Dataporten for grunnopplæringa - Workshop September 2017Andreas Åkre Solberg
 
Dataporten intro (workshop with Difi)
Dataporten intro (workshop with Difi)Dataporten intro (workshop with Difi)
Dataporten intro (workshop with Difi)Andreas Åkre Solberg
 
UNINETT Feide Connect (Feide fagdag)
UNINETT Feide Connect (Feide fagdag)UNINETT Feide Connect (Feide fagdag)
UNINETT Feide Connect (Feide fagdag)Andreas Åkre Solberg
 
Connect (UNINETT-konferansen, Tromsø)
Connect (UNINETT-konferansen, Tromsø)Connect (UNINETT-konferansen, Tromsø)
Connect (UNINETT-konferansen, Tromsø)Andreas Åkre Solberg
 
Norsk UH-sektor og økosystemer for identitet og integrasjoner i skyen
Norsk UH-sektor og økosystemer for identitet og integrasjoner i skyenNorsk UH-sektor og økosystemer for identitet og integrasjoner i skyen
Norsk UH-sektor og økosystemer for identitet og integrasjoner i skyenAndreas Åkre Solberg
 
Feide Connect – Standard Norge February 2015
Feide Connect – Standard Norge February 2015Feide Connect – Standard Norge February 2015
Feide Connect – Standard Norge February 2015Andreas Åkre Solberg
 

Mehr von Andreas Åkre Solberg (20)

OpenID Connect Federation
OpenID Connect FederationOpenID Connect Federation
OpenID Connect Federation
 
Dataporten for grunnopplæringa - Workshop September 2017
Dataporten for grunnopplæringa - Workshop September 2017Dataporten for grunnopplæringa - Workshop September 2017
Dataporten for grunnopplæringa - Workshop September 2017
 
Dataporten Workshop
Dataporten WorkshopDataporten Workshop
Dataporten Workshop
 
Dataporten
DataportenDataporten
Dataporten
 
Dataporten for Sigma2, Hell
Dataporten for Sigma2, HellDataporten for Sigma2, Hell
Dataporten for Sigma2, Hell
 
Dataporten intro (workshop with Difi)
Dataporten intro (workshop with Difi)Dataporten intro (workshop with Difi)
Dataporten intro (workshop with Difi)
 
UNINETT Feide Connect (Feide fagdag)
UNINETT Feide Connect (Feide fagdag)UNINETT Feide Connect (Feide fagdag)
UNINETT Feide Connect (Feide fagdag)
 
Connect (UNINETT-konferansen, Tromsø)
Connect (UNINETT-konferansen, Tromsø)Connect (UNINETT-konferansen, Tromsø)
Connect (UNINETT-konferansen, Tromsø)
 
Connect (USIT)
Connect (USIT)Connect (USIT)
Connect (USIT)
 
Connect (Feide fagdag, Gardemoen)
Connect (Feide fagdag, Gardemoen)Connect (Feide fagdag, Gardemoen)
Connect (Feide fagdag, Gardemoen)
 
Norsk UH-sektor og økosystemer for identitet og integrasjoner i skyen
Norsk UH-sektor og økosystemer for identitet og integrasjoner i skyenNorsk UH-sektor og økosystemer for identitet og integrasjoner i skyen
Norsk UH-sektor og økosystemer for identitet og integrasjoner i skyen
 
Feide Connect – Standard Norge February 2015
Feide Connect – Standard Norge February 2015Feide Connect – Standard Norge February 2015
Feide Connect – Standard Norge February 2015
 
Feide Connect SUHS 2014
Feide Connect SUHS 2014Feide Connect SUHS 2014
Feide Connect SUHS 2014
 
Feide Connect (NOKIOS 2014)
Feide Connect (NOKIOS 2014)Feide Connect (NOKIOS 2014)
Feide Connect (NOKIOS 2014)
 
Feide Connect TNC2014
Feide Connect TNC2014Feide Connect TNC2014
Feide Connect TNC2014
 
Feide connect tnc2014
Feide connect   tnc2014Feide connect   tnc2014
Feide connect tnc2014
 
SCIM and VOOT
SCIM and VOOTSCIM and VOOT
SCIM and VOOT
 
Feide Connect (IoU Fagdag)
Feide Connect (IoU Fagdag)Feide Connect (IoU Fagdag)
Feide Connect (IoU Fagdag)
 
Feide Connect
Feide ConnectFeide Connect
Feide Connect
 
Feide Connect
Feide ConnectFeide Connect
Feide Connect
 

Kürzlich hochgeladen

Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingEdi Saputra
 
Modernizing Legacy Systems Using Ballerina
Modernizing Legacy Systems Using BallerinaModernizing Legacy Systems Using Ballerina
Modernizing Legacy Systems Using BallerinaWSO2
 
Six Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal OntologySix Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal Ontologyjohnbeverley2021
 
AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)
AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)
AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)Samir Dash
 
Introduction to use of FHIR Documents in ABDM
Introduction to use of FHIR Documents in ABDMIntroduction to use of FHIR Documents in ABDM
Introduction to use of FHIR Documents in ABDMKumar Satyam
 
Simplifying Mobile A11y Presentation.pptx
Simplifying Mobile A11y Presentation.pptxSimplifying Mobile A11y Presentation.pptx
Simplifying Mobile A11y Presentation.pptxMarkSteadman7
 
Design and Development of a Provenance Capture Platform for Data Science
Design and Development of a Provenance Capture Platform for Data ScienceDesign and Development of a Provenance Capture Platform for Data Science
Design and Development of a Provenance Capture Platform for Data SciencePaolo Missier
 
TEST BANK For Principles of Anatomy and Physiology, 16th Edition by Gerard J....
TEST BANK For Principles of Anatomy and Physiology, 16th Edition by Gerard J....TEST BANK For Principles of Anatomy and Physiology, 16th Edition by Gerard J....
TEST BANK For Principles of Anatomy and Physiology, 16th Edition by Gerard J....rightmanforbloodline
 
Intro to Passkeys and the State of Passwordless.pptx
Intro to Passkeys and the State of Passwordless.pptxIntro to Passkeys and the State of Passwordless.pptx
Intro to Passkeys and the State of Passwordless.pptxFIDO Alliance
 
AI in Action: Real World Use Cases by Anitaraj
AI in Action: Real World Use Cases by AnitarajAI in Action: Real World Use Cases by Anitaraj
AI in Action: Real World Use Cases by AnitarajAnitaRaj43
 
CNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In PakistanCNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In Pakistandanishmna97
 
Less Is More: Utilizing Ballerina to Architect a Cloud Data Platform
Less Is More: Utilizing Ballerina to Architect a Cloud Data PlatformLess Is More: Utilizing Ballerina to Architect a Cloud Data Platform
Less Is More: Utilizing Ballerina to Architect a Cloud Data PlatformWSO2
 
ERP Contender Series: Acumatica vs. Sage Intacct
ERP Contender Series: Acumatica vs. Sage IntacctERP Contender Series: Acumatica vs. Sage Intacct
ERP Contender Series: Acumatica vs. Sage IntacctBrainSell Technologies
 
Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)Zilliz
 
Choreo: Empowering the Future of Enterprise Software Engineering
Choreo: Empowering the Future of Enterprise Software EngineeringChoreo: Empowering the Future of Enterprise Software Engineering
Choreo: Empowering the Future of Enterprise Software EngineeringWSO2
 
How to Check CNIC Information Online with Pakdata cf
How to Check CNIC Information Online with Pakdata cfHow to Check CNIC Information Online with Pakdata cf
How to Check CNIC Information Online with Pakdata cfdanishmna97
 
WebRTC and SIP not just audio and video @ OpenSIPS 2024
WebRTC and SIP not just audio and video @ OpenSIPS 2024WebRTC and SIP not just audio and video @ OpenSIPS 2024
WebRTC and SIP not just audio and video @ OpenSIPS 2024Lorenzo Miniero
 
Portal Kombat : extension du réseau de propagande russe
Portal Kombat : extension du réseau de propagande russePortal Kombat : extension du réseau de propagande russe
Portal Kombat : extension du réseau de propagande russe中 央社
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDropbox
 

Kürzlich hochgeladen (20)

Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
Modernizing Legacy Systems Using Ballerina
Modernizing Legacy Systems Using BallerinaModernizing Legacy Systems Using Ballerina
Modernizing Legacy Systems Using Ballerina
 
Six Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal OntologySix Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal Ontology
 
AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)
AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)
AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)
 
Introduction to use of FHIR Documents in ABDM
Introduction to use of FHIR Documents in ABDMIntroduction to use of FHIR Documents in ABDM
Introduction to use of FHIR Documents in ABDM
 
Simplifying Mobile A11y Presentation.pptx
Simplifying Mobile A11y Presentation.pptxSimplifying Mobile A11y Presentation.pptx
Simplifying Mobile A11y Presentation.pptx
 
Design and Development of a Provenance Capture Platform for Data Science
Design and Development of a Provenance Capture Platform for Data ScienceDesign and Development of a Provenance Capture Platform for Data Science
Design and Development of a Provenance Capture Platform for Data Science
 
TEST BANK For Principles of Anatomy and Physiology, 16th Edition by Gerard J....
TEST BANK For Principles of Anatomy and Physiology, 16th Edition by Gerard J....TEST BANK For Principles of Anatomy and Physiology, 16th Edition by Gerard J....
TEST BANK For Principles of Anatomy and Physiology, 16th Edition by Gerard J....
 
Intro to Passkeys and the State of Passwordless.pptx
Intro to Passkeys and the State of Passwordless.pptxIntro to Passkeys and the State of Passwordless.pptx
Intro to Passkeys and the State of Passwordless.pptx
 
AI in Action: Real World Use Cases by Anitaraj
AI in Action: Real World Use Cases by AnitarajAI in Action: Real World Use Cases by Anitaraj
AI in Action: Real World Use Cases by Anitaraj
 
CNIC Information System with Pakdata Cf In Pakistan
Single Logout

  • 1. Single Log-Out. Andreas Åkre Solberg, Malaga, June 2009.
  • 2. Sessions On Web
    • HTTP originally stateless
    • Using cookies to keep state
    • Cookies in RFC2965
    • Set a session ID the first time the user visits; the browser sends it back to the site on every HTTP request
    [Diagram: 1. First request: browser sends HTTP GET, site replies Set-Cookie: ID=23846. 2. Subsequent requests: browser sends Cookie: ID=23846]
  • 3. Cookies limited to domains
    Set-Cookie: ID=123; domain: .site.org
    Cookie sessions can be on one domain only. WebSSO protocols extend user sessions between domains.
    [Diagram: the IdP holds the master session; WebSSO links it to a separate session at each SP]
  • 4. Consequences of not terminating SSO
    Logging in to one service and not terminating the SSO session enables access to a wide range of other services. Users do not understand this.
    [Diagram: extending the loan period of a book at the library SP, via WebSSO to the IdP, also opens financial system X (employee salary payment) and other SPs]
  • 5. Logout. What do users do when they want to logout? They:
    • Click logout, or
    • close the browser/tab
  • 6. Close the tab??? Yes, (some) people close the tab to logout. We hired a company to perform usability testing with real users.
  • 7. Logout. Most federations do not offer any kind of logout. What if we want to provide some kind of logout? What are our options?
  • 8. Local Logout. Can the federations leave logout to the services alone, each providing an independent local logout? NO! What will SSO do to you if you click login after having logged out locally?
  • 9. Local + IdP Logout. Is this a good idea? SAML 2.0 provides a protocol element to distribute logout among entities.
    [Diagram: SP1 sends a LogoutRequest (1) to the IdP and receives a LogoutResponse (2); the sessions at SP2 and SP3 are still active. Legend: active session / deactivated session]
  • 10. Local + IdP Logout. Boundaries between SPs are washed out with SSO. The user can never know exactly which services she is logged into (because SSO is transparent). Therefore local + IdP logout is a «no go»!
    [Diagram: MyPortal.com with service foo (SP1) and service bar (SP2) sharing one IdP]
  • 11. Single Logout, as in the SAML 2.0 Single Logout Profile. Logout is fully propagated to all services that share a session...
    [Diagram: SP1 sends a LogoutRequest (1) to the IdP; the IdP sends a LogoutRequest (2) to SP2 and gets a LogoutResponse (3), sends a LogoutRequest (4) to SP3 and gets a LogoutResponse (5); finally the IdP returns a LogoutResponse (6) to SP1]
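The LogoutRequest/LogoutResponse pair the profile is built on, as an added example in Python (not from the slides and not simpleSAMLphp's code): it builds the request one entity sends, builds the response the other returns, and shows the correlation checks a receiver must make before it records a result. The SAML element names, namespaces and status URIs are the real ones; the entity IDs, endpoints, NameID and SessionIndex values are constructed, and signature verification is assumed to have happened before parse_logout_response is called.

```python
import secrets
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NAMEID_PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
STATUS_RESPONDER = "urn:oasis:names:tc:SAML:2.0:status:Responder"
STATUS_PARTIAL = "urn:oasis:names:tc:SAML:2.0:status:PartialLogout"

ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)


def _now():
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def _new_id():
    # SAML message IDs must be NCNames, so they cannot start with a digit.
    return "_" + secrets.token_hex(16)


def build_logout_request(issuer, destination, name_id, session_index):
    """Build the samlp:LogoutRequest one entity sends to another.

    Returns (request_id, xml_bytes). The sender must remember request_id so
    the LogoutResponse can be correlated through its InResponseTo attribute.
    """
    request_id = _new_id()
    req = ET.Element(f"{{{SAMLP}}}LogoutRequest", {
        "ID": request_id, "Version": "2.0",
        "IssueInstant": _now(), "Destination": destination,
    })
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = issuer
    ET.SubElement(req, f"{{{SAML}}}NameID", {"Format": NAMEID_PERSISTENT}).text = name_id
    # SessionIndex scopes the request to one SSO session rather than to every
    # session the principal may have with the receiver.
    ET.SubElement(req, f"{{{SAMLP}}}SessionIndex").text = session_index
    return request_id, ET.tostring(req, encoding="utf-8")


def build_logout_response(issuer, destination, in_response_to, top_status, sub_status=None):
    """Build the samlp:LogoutResponse the receiver returns for a LogoutRequest."""
    resp = ET.Element(f"{{{SAMLP}}}LogoutResponse", {
        "ID": _new_id(), "Version": "2.0", "IssueInstant": _now(),
        "Destination": destination, "InResponseTo": in_response_to,
    })
    ET.SubElement(resp, f"{{{SAML}}}Issuer").text = issuer
    status = ET.SubElement(resp, f"{{{SAMLP}}}Status")
    code = ET.SubElement(status, f"{{{SAMLP}}}StatusCode", {"Value": top_status})
    if sub_status:
        # Second-level code, e.g. PartialLogout under Success.
        ET.SubElement(code, f"{{{SAMLP}}}StatusCode", {"Value": sub_status})
    return ET.tostring(resp, encoding="utf-8")


def parse_logout_response(xml_bytes, outstanding_request_id, expected_issuer, my_endpoint):
    """Correlate and classify a LogoutResponse: "success", "partial" or "failed".

    Raises ValueError when the message does not belong to the request we sent;
    such a message must be discarded, not recorded as a logout result.
    Assumption: signature verification (XML-DSig, or the query-string signature
    of the HTTP-Redirect binding) has already been done by the caller.
    """
    root = ET.fromstring(xml_bytes)
    if root.tag != f"{{{SAMLP}}}LogoutResponse":
        raise ValueError("not a LogoutResponse")
    if root.get("InResponseTo") != outstanding_request_id:
        raise ValueError("InResponseTo does not match an outstanding request")
    if root.findtext(f"{{{SAML}}}Issuer") != expected_issuer:
        raise ValueError("unexpected Issuer")
    if root.get("Destination") not in (None, my_endpoint):
        raise ValueError("Destination is not this endpoint")
    top = root.find(f"{{{SAMLP}}}Status/{{{SAMLP}}}StatusCode")
    if top is None:
        raise ValueError("missing StatusCode")
    if top.get("Value") != STATUS_SUCCESS:
        return "failed"
    sub = top.find(f"{{{SAMLP}}}StatusCode")
    if sub is not None and sub.get("Value") == STATUS_PARTIAL:
        return "partial"
    return "success"


def sp_initiated_round_trip(idp_status=STATUS_SUCCESS, idp_sub_status=None):
    """Steps 1 and 6 of the profile: SP1 asks the IdP to log out, the IdP answers."""
    sp1 = "https://sp1.example.org/saml"           # constructed entity IDs and endpoints
    idp = "https://idp.example.org/saml"
    idp_slo = "https://idp.example.org/slo"
    sp1_slo = "https://sp1.example.org/slo"
    req_id, _request_xml = build_logout_request(sp1, idp_slo, "user-7f3a", "s-1")
    # The IdP would now run steps 2-5 against SP2 and SP3, then answer SP1.
    response_xml = build_logout_response(idp, sp1_slo, req_id, idp_status, idp_sub_status)
    return parse_logout_response(response_xml, req_id, idp, sp1_slo)
```

A PartialLogout second-level code is how the IdP tells SP1 that not every SP sharing the session could be logged out; a receiver that only looks at the top-level Success would report a complete logout that did not happen.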
  • 12. Single Logout Usability. There is no way to get the user to understand what is going on with SLO without being extremely clear and explicit. Because users generally do not fully understand SSO, there is no common intuitive understanding of what SLO will do; it differs from user to user. One of the things we tried: naming the button 'Global logout' does not make it any easier for the user.
  • 13. Single Logout Back-Out. Users that are in the middle of an important transaction at SP2 will not like it if it is interrupted when they log out from SP1.
    - Real-life example: requirement from a financial system SP: the user should be told which servers she is logged on to, and asked whether she wants to log out from all of them.
  • 14. Single Logout Bindings
    Front-channel:
    • Not robust. SP2 may throw a 500 internal error when the user logs out from SP1.
    Back-channel:
    • Difficult to implement for SPs, because there is no access to the session cookie.
  • 15. Single Logout Solution. Our solution:
    • We are using front-channel only, so we are not stuck with back-channel complexity.
    • Solving the robustness problem with hidden iFrames.
    • Presenting the user with a list of logged-in services.
    • Option to log out local + IdP or globally.
    • Good feedback to the user when things fail.
  • 17. Single Logout Solution. Hidden iFrames send front-channel LogoutRequests to SP1, SP2 and SP3 and update the logout status with AJAX.
  • 18. Single Logout Solution. The LogoutResponse endpoint on the IdP receives the LogoutResponses and updates the status on the user's logout page with AJAX.
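The IdP-side bookkeeping such a logout page needs, as an added example in Python (not simpleSAMLphp's code): each SP in the IdP session gets its own request ID, the LogoutResponse endpoint only accepts a response that correlates with a pending request, an SP that errors out is marked failed without blocking the others, and the status the AJAX poll returns lists the services the user may still be logged in to. The "local + IdP" option from slide 15 is modelled as scope="local". Entity IDs, endpoints and SessionIndex values are constructed, and the SAMLRequest parameter carries the bare request ID in place of a signed, deflated, base64-encoded message.

```python
import json
import secrets
from urllib.parse import urlencode

STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
PENDING, DONE, FAILED, SKIPPED = "pending", "done", "failed", "skipped"


class SingleLogoutTracker:
    """Per-user logout state the IdP keeps while the logout page runs.

    sp_sessions maps the entity ID of every SP that received an assertion in
    this IdP session to its SLO endpoint and SessionIndex. The IdP is the only
    party that knows this list, which is why the logout page can show it.
    """

    def __init__(self, idp_session_id, sp_sessions, initiator=None, scope="global"):
        self.idp_session_id = idp_session_id
        self.scope = scope
        self.entries = {}
        self.by_request_id = {}
        for entity_id, sess in sp_sessions.items():
            if entity_id == initiator:
                continue  # the SP the user clicked logout on has already ended its own session
            request_id = "_" + secrets.token_hex(16)  # echoed back in InResponseTo
            self.entries[entity_id] = {
                "slo_url": sess["slo_url"],
                "session_index": sess["session_index"],
                "request_id": request_id,
                "status": PENDING if scope == "global" else SKIPPED,
            }
            self.by_request_id[request_id] = entity_id

    def iframe_sources(self):
        """One URL per pending SP, for the hidden iframes on the logout page.

        Stand-in: a real deployment puts the signed LogoutRequest in SAMLRequest.
        """
        return {
            eid: e["slo_url"] + "?" + urlencode({"SAMLRequest": e["request_id"]})
            for eid, e in self.entries.items() if e["status"] == PENDING
        }

    def record_response(self, in_response_to, status_value):
        """Handler logic for the IdP's LogoutResponse endpoint.

        Only a response that correlates with a pending request changes state;
        an unknown or repeated InResponseTo is ignored so a stray or replayed
        response cannot mark a service as logged out.
        """
        entity_id = self.by_request_id.get(in_response_to)
        if entity_id is None or self.entries[entity_id]["status"] != PENDING:
            return False
        self.entries[entity_id]["status"] = DONE if status_value == STATUS_SUCCESS else FAILED
        return True

    def record_failure(self, entity_id):
        """Mark an SP whose iframe never produced a response (for example the
        500 internal error from slide 14) so the page reports it instead of hanging."""
        entry = self.entries.get(entity_id)
        if entry is None or entry["status"] != PENDING:
            return False
        entry["status"] = FAILED
        return True

    def complete(self):
        """True once no SP is still pending; only then may the IdP session be deleted."""
        return all(e["status"] != PENDING for e in self.entries.values())

    def still_logged_in(self):
        """SPs the user must be told she may still have a session with."""
        return sorted(eid for eid, e in self.entries.items() if e["status"] != DONE)

    def status_json(self):
        """Body the logout page polls with AJAX to update its per-service list."""
        return json.dumps({
            "scope": self.scope,
            "complete": self.complete(),
            "services": {eid: e["status"] for eid, e in self.entries.items()},
            "still_logged_in": self.still_logged_in(),
        })


def demo(scope="global"):
    """Constructed scenario: SP1 starts the logout, SP2 answers Success, SP3 errors."""
    sessions = {  # constructed sample data
        "https://sp1.example.org": {"slo_url": "https://sp1.example.org/slo", "session_index": "s1"},
        "https://sp2.example.org": {"slo_url": "https://sp2.example.org/slo", "session_index": "s2"},
        "https://sp3.example.org": {"slo_url": "https://sp3.example.org/slo", "session_index": "s3"},
    }
    tracker = SingleLogoutTracker("idp-session-42", sessions,
                                  initiator="https://sp1.example.org", scope=scope)
    if scope == "global":
        rid2 = tracker.entries["https://sp2.example.org"]["request_id"]
        tracker.record_response(rid2, STATUS_SUCCESS)      # SP2's LogoutResponse arrives
        tracker.record_failure("https://sp3.example.org")  # SP3's iframe failed
    return json.loads(tracker.status_json())
```

Because every SP is tracked independently, SP3's failure neither stops SP2 from being logged out nor lets the IdP claim a clean global logout: the status the page polls keeps SP3 in still_logged_in, which is the feedback slide 15 asks for.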
  • 20. iFrame + AJAX Single Logout as provided by [logo]. Available today.
  • 21. Is anyone using logout? The big question! We have had simpleSAMLphp in production for two months. Is anybody using global logout? Let's take a look at the statistics.
  • 22. Is anyone using logout? Yes! At a surprising ratio of SLO:SSO of 1:10. The ratio of SSO:SLO varies very much between Service Providers, from 0 to 1:2!