Single Log-Out
  Andreas Åkre Solberg
   Malaga, June 2009
Sessions On Web
 • HTTP originally stateless
 • Using Cookies to keep state
 • Cookies in RFC2965
 • Set a session ID first time user visits,
   sent back to site for every HTTP request
(Diagram: browser and site. 1, first request: HTTP GET, the site answers with Set-Cookie: ID=23846. 2, subsequent requests: the browser sends Cookie: ID=23846.)
Cookies limited to domains
 Set-Cookie: ID=123; Domain=.site.org

 Cookie sessions can be on one domain only.

 WebSSO protocols extend user sessions
 between domains.
(Diagram: the IdP holds the master session; WebSSO links it to a separate session at each SP.)
Consequences of not terminating SSO
 Logging in to one service, and not terminating the SSO
 session, enables access to a wide range of other services.

 Users do not understand this.
(Diagram: one IdP with WebSSO to several SPs, ranging from extending the loan period of a book at the library to financial system X and employee salary payment.)
Logout
 What do users do when they want to
 log out?

 They:
 • Click logout, or
 • close the browser/tab
Close the tab???
 Yes, (some) people close the tab to
 log out.

 We hired a company to perform usability
 testing with real users.
Logout
 Most federations do not offer any kind
 of logout.

 What if we want to provide some kind of
 logout? What are our options?
Local Logout
 Can the federations leave logout to the
 services alone, each providing an
 independent local logout?

 NO!

 What will SSO do to you if you click
 login after having logged out locally?
 The IdP session is still alive, so you are
 logged straight back in without entering
 any credentials.
Local + IdP Logout
 Is this a good idea?
(Diagram: 1, SP1 sends a LogoutRequest to the IdP; 2, the IdP returns a LogoutResponse. SP1's session is deactivated, but SP2 and SP3 still have active sessions.)

 SAML 2.0 provides protocol
 elements (LogoutRequest and
 LogoutResponse) to distribute logout
 among entities.
Local + IdP Logout
 Boundaries between SPs are washed out
 with SSO. The user can never know
 exactly which services she is logged into
 (because SSO is transparent).
 Therefore local + IdP logout is a «no go»!
(Diagram: MyPortal.com with Service foo (SP1) and Service bar (SP2) behind one IdP.)
Single Logout
- as in SAML 2.0 Single Logout Profile
(Diagram: 1, SP1 sends a LogoutRequest to the IdP. 2, the IdP sends a LogoutRequest to SP2; 3, SP2 returns a LogoutResponse. 4, the IdP sends a LogoutRequest to SP3; 5, SP3 returns a LogoutResponse. 6, the IdP returns a LogoutResponse to SP1.)
Logout is fully propagated
to all services that share a
session...
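The three strategies from the preceding slides, played against one SSO session, as an added example (not code from the deck or from simpleSAMLphp). A small Python model of an IdP, three SPs and a browser cookie jar runs local logout only, local + IdP logout, and SAML 2.0 Single Logout with LogoutRequest/LogoutResponse, then reports which SPs still have a live session and whether a fresh login at SP1 goes through silently. Entity IDs, the session store and the unsigned message skeletons are assumptions; real messages are signed and carried by a binding. The SP also indexes its sessions by NameID and SessionIndex, which is what lets it honour a LogoutRequest when the browser cookie is not in hand.

```python
import secrets
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"


def logout_request(issuer, name_id, session_index):
    """Minimal samlp:LogoutRequest (unsigned here; a real one is signed)."""
    req = ET.Element(f"{{{SAMLP}}}LogoutRequest", ID="_" + secrets.token_hex(16), Version="2.0")
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = issuer
    ET.SubElement(req, f"{{{SAML}}}NameID").text = name_id
    ET.SubElement(req, f"{{{SAMLP}}}SessionIndex").text = session_index
    return ET.tostring(req)


def logout_response(issuer, in_response_to):
    resp = ET.Element(f"{{{SAMLP}}}LogoutResponse", ID="_" + secrets.token_hex(16),
                      Version="2.0", InResponseTo=in_response_to)
    ET.SubElement(resp, f"{{{SAML}}}Issuer").text = issuer
    status = ET.SubElement(resp, f"{{{SAMLP}}}Status")
    ET.SubElement(status, f"{{{SAMLP}}}StatusCode", Value=SUCCESS)
    return ET.tostring(resp)


class SP:
    def __init__(self, entity_id):
        self.entity_id = entity_id
        self.by_cookie = {}  # cookie -> (NameID, SessionIndex): lookup when the browser is present
        self.by_saml = {}    # (NameID, SessionIndex) -> cookie: lookup for a LogoutRequest
                             # that arrives without the browser (back-channel)

    def establish(self, jar, name_id, session_index):
        cookie = secrets.token_hex(8)
        self.by_cookie[cookie] = (name_id, session_index)
        self.by_saml[(name_id, session_index)] = cookie
        jar[self.entity_id] = cookie  # the jar is keyed by entity ID, standing in for the cookie domain

    def active(self, jar):
        return jar.get(self.entity_id) in self.by_cookie

    def local_logout(self, jar):
        key = self.by_cookie.pop(jar.pop(self.entity_id, None), None)
        self.by_saml.pop(key, None)

    def handle_logout_request(self, xml):
        req = ET.fromstring(xml)
        key = (req.findtext(f"{{{SAML}}}NameID"), req.findtext(f"{{{SAMLP}}}SessionIndex"))
        self.by_cookie.pop(self.by_saml.pop(key, None), None)
        return logout_response(self.entity_id, req.get("ID"))


class IdP:
    def __init__(self, entity_id):
        self.entity_id = entity_id
        self.sessions = {}  # IdP cookie -> {"name_id", "index", "sps": SPs that used this session}

    def authenticate(self, jar, name_id):
        cookie = secrets.token_hex(8)
        self.sessions[cookie] = {"name_id": name_id, "index": "_" + secrets.token_hex(8), "sps": []}
        jar[self.entity_id] = cookie

    def sso(self, jar, sp):
        """SP-initiated login. True means the IdP session was reused: no credentials asked."""
        sess = self.sessions.get(jar.get(self.entity_id))
        if sess is None:
            return False
        sp.establish(jar, sess["name_id"], sess["index"])
        if sp not in sess["sps"]:
            sess["sps"].append(sp)
        return True

    def logout(self, jar, initiator, propagate):
        """propagate=False: drop only the IdP session (local + IdP logout).
        propagate=True: send a LogoutRequest to every other SP first (Single Logout)."""
        sess = self.sessions.pop(jar.pop(self.entity_id, None), None)
        done = []
        if sess is not None and propagate:
            for sp in sess["sps"]:
                if sp is initiator:
                    continue
                req = logout_request(self.entity_id, sess["name_id"], sess["index"])
                resp = ET.fromstring(sp.handle_logout_request(req))
                code = resp.find(f"{{{SAMLP}}}Status/{{{SAMLP}}}StatusCode").get("Value")
                if code == SUCCESS:
                    done.append(sp.entity_id)
        return done


def demo(strategy):
    """Log in at three SPs through one IdP session, log out at sp1 using `strategy`
    ("local", "local+idp" or "slo"), then return the SPs that still have a live
    session and whether clicking login at sp1 again succeeds without credentials."""
    idp = IdP("https://idp.example.org")
    sps = [SP(f"https://sp{i}.example.org") for i in (1, 2, 3)]
    jar = {}
    idp.authenticate(jar, "alice@example.org")
    for sp in sps:
        idp.sso(jar, sp)
    sp1 = sps[0]
    sp1.local_logout(jar)
    if strategy != "local":
        idp.logout(jar, sp1, propagate=(strategy == "slo"))
    still_active = [sp.entity_id for sp in sps if sp.active(jar)]
    return still_active, idp.sso(jar, sp1)
```

`demo("local")` leaves SP2 and SP3 logged in and the next login at SP1 is silent; `demo("local+idp")` stops the silent re-login but still leaves SP2 and SP3 logged in; only `demo("slo")` ends with nothing active.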
Single Logout Usability
 There is no way to get the user to
 understand what is going on with SLO
 without being extremely clear and
 explicit. Because users generally do not fully
 understand SSO, there is no common intuitive understanding of what SLO will
 do. It differs from user to user.

 One of the things we tried:
 Naming the button 'Global logout' does not make
 it any easier for the user.
Single Logout Back-Out
Users that are in the middle of an important
transaction at SP2 will not like it if it is
interrupted when they log out from SP1.
- Real-life example:
Requirement from a financial system SP

The user should be told which services she
is logged on to, and asked whether she
wants to log out from all of them.
Single Logout Bindings
 Front-channel:
 • Not robust. The logout is a chain of
 redirects through the browser; if SP2
 throws a 500 internal error when the user
 logs out from SP1, the chain stops there.

 Back-channel:
 • Difficult to implement for SPs, because
 the LogoutRequest arrives without the
 browser, so there is no session cookie to
 look the session up by; the SP must find
 it by NameID and SessionIndex instead.
Single Logout Solution
 Our solution:
 • We are using front-channel only, not
 stuck with back-channel complexity.
 • Solving the robustness problem with
 hidden iFrames.
 • Presenting the user with a list of logged
 in services.
 • Option to logout local + IdP or globally.
 • Good feedback to user when things fail.
Single Logout Solution
(Diagram: the IdP logout page holds one hidden iFrame per SP (SP1, SP2, SP3). The hidden iFrames send front-channel LogoutRequests and update the logout status with AJAX.)
Single Logout Solution
(Diagram: each SP's LogoutResponse goes to the IdP. The LogoutResponse endpoint on the IdP updates the status on the user's logout page with AJAX.)
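The state behind such a logout page, as an added example (not simpleSAMLphp's code): one LogoutRequest ID per SP, each carried by its own hidden iFrame so that one SP failing cannot stall the rest; a LogoutResponse endpoint that accepts a response only if it is signed by the SP it claims to come from, answers an outstanding request, and that request was issued to that very SP; and a poll that reports SPs which never answered as timed out, which is what gives the user honest feedback when things fail. The HMAC stands in for the XML signature a real deployment verifies, the timeout and endpoint shapes are assumptions, and the SP responses are constructed inline.

```python
import hashlib
import hmac
import secrets
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
RESPONDER = "urn:oasis:names:tc:SAML:2.0:status:Responder"


def sign(key, message):
    """Stand-in (assumption) for the XML signature an SP puts on its LogoutResponse."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def make_response(issuer, in_response_to, status_code):
    resp = ET.Element(f"{{{SAMLP}}}LogoutResponse", ID="_" + secrets.token_hex(16),
                      Version="2.0", InResponseTo=in_response_to)
    ET.SubElement(resp, f"{{{SAML}}}Issuer").text = issuer
    status = ET.SubElement(resp, f"{{{SAMLP}}}Status")
    ET.SubElement(status, f"{{{SAMLP}}}StatusCode", Value=status_code)
    return ET.tostring(resp)


class LogoutPage:
    """State behind the IdP's logout page for one user's Single Logout."""

    def __init__(self, sp_keys, timeout, clock):
        self.sp_keys = sp_keys   # entity ID -> key used to verify that SP's responses
        self.timeout = timeout   # seconds before a silent SP is reported as timed out
        self.clock = clock       # injectable so the demo can advance time
        self.pending = {}        # LogoutRequest ID -> (entity ID, time sent)
        self.status = {}         # entity ID -> "pending" | "done" | "failed" | "timeout"

    def start(self, sps):
        """Issue one request ID per SP; returns {entity ID: request ID} for the iFrames."""
        ids = {}
        for sp in sps:
            rid = "_" + secrets.token_hex(16)
            self.pending[rid] = (sp, self.clock())
            self.status[sp] = "pending"
            ids[sp] = rid
        return ids

    def receive(self, xml, signature):
        """The IdP's LogoutResponse endpoint. Returns the SP whose status changed,
        or None when the response is rejected (nothing on the page changes)."""
        resp = ET.fromstring(xml)
        issuer = resp.findtext(f"{{{SAML}}}Issuer")
        key = self.sp_keys.get(issuer)
        if key is None or not hmac.compare_digest(sign(key, xml), signature):
            return None  # unknown SP, or not signed by the SP it claims to be
        rid = resp.get("InResponseTo")
        if rid not in self.pending or self.pending[rid][0] != issuer:
            return None  # replayed, stale, or one SP answering another SP's request
        del self.pending[rid]
        code = resp.find(f"{{{SAMLP}}}Status/{{{SAMLP}}}StatusCode").get("Value")
        self.status[issuer] = "done" if code == SUCCESS else "failed"
        return issuer

    def poll(self):
        """What the page's AJAX poll gets back; SPs silent past the deadline become timeouts."""
        now = self.clock()
        for rid, (sp, sent) in list(self.pending.items()):
            if now - sent > self.timeout:
                del self.pending[rid]
                self.status[sp] = "timeout"
        return dict(self.status)


def demo():
    """Constructed run: sp1 answers Success, sp2 answers Responder (it could not log
    the user out), sp3's iFrame hits a 500 and never answers, and a forged Success
    for sp3 signed with sp1's key is dropped."""
    keys = {f"https://sp{i}.example.org": secrets.token_bytes(32) for i in (1, 2, 3)}
    sp1, sp2, sp3 = keys
    now = [0.0]
    page = LogoutPage(keys, timeout=10.0, clock=lambda: now[0])
    ids = page.start(list(keys))
    ok = make_response(sp1, ids[sp1], SUCCESS)
    err = make_response(sp2, ids[sp2], RESPONDER)
    forged = make_response(sp3, ids[sp3], SUCCESS)
    accepted = [page.receive(ok, sign(keys[sp1], ok)),
                page.receive(err, sign(keys[sp2], err)),
                page.receive(forged, sign(keys[sp1], forged))]
    now[0] = 11.0  # past the deadline with sp3 still silent
    return accepted, page.poll()
```

The page never has to trust an iFrame's word for what happened: status only changes through the validated endpoint, and the user ends up with a per-service list showing done, failed or timed out rather than a silent partial logout.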
Live demo!
 iFrame + AJAX Single Logout
 as provided by (logo) - Available today
Is anyone using logout?
 The big question!

 We have had simpleSAMLphp in
 production for two months. Is anybody
 using global logout?

 Let's take a look at the statistics.
Is anyone using logout?
 Yes! At a surprising
 SLO:SSO ratio of 1:10.

 The SLO:SSO ratio varies very much
 between Service Providers,
 from 0 to 1:2!
Andreas Åkre Solberg
http://rnd.feide.no

Más contenido relacionado

La actualidad más candente

Observability with Consul Connect
Observability with Consul ConnectObservability with Consul Connect
Observability with Consul ConnectBram Vogelaar
 
Cyber ethics cbse class xi
Cyber ethics cbse class xiCyber ethics cbse class xi
Cyber ethics cbse class xiArchana Dwivedi
 
Building a High-Performance Distributed Task Queue on MongoDB
Building a High-Performance Distributed Task Queue on MongoDBBuilding a High-Performance Distributed Task Queue on MongoDB
Building a High-Performance Distributed Task Queue on MongoDBMongoDB
 
General Awareness On Cyber Security
General Awareness On Cyber SecurityGeneral Awareness On Cyber Security
General Awareness On Cyber SecurityDominic Rajesh
 
Golang - Overview of Go (golang) Language
Golang - Overview of Go (golang) LanguageGolang - Overview of Go (golang) Language
Golang - Overview of Go (golang) LanguageAniruddha Chakrabarti
 
Overview on hacking tools
Overview on hacking toolsOverview on hacking tools
Overview on hacking toolsZituSahu
 
Introduction to Rust language programming
Introduction to Rust language programmingIntroduction to Rust language programming
Introduction to Rust language programmingRodolfo Finochietti
 
IRJET- Development of College Enquiry Chatbot using Snatchbot
IRJET- Development of College Enquiry Chatbot using SnatchbotIRJET- Development of College Enquiry Chatbot using Snatchbot
IRJET- Development of College Enquiry Chatbot using SnatchbotIRJET Journal
 
Hospital management system project
Hospital management system projectHospital management system project
Hospital management system projectHimani Chopra
 
Cross site scripting (xss) attacks issues and defense - by sandeep kumbhar
Cross site scripting (xss) attacks issues and defense - by sandeep kumbharCross site scripting (xss) attacks issues and defense - by sandeep kumbhar
Cross site scripting (xss) attacks issues and defense - by sandeep kumbharSandeep Kumbhar
 
Cross Site Scripting ( XSS)
Cross Site Scripting ( XSS)Cross Site Scripting ( XSS)
Cross Site Scripting ( XSS)Amit Tyagi
 

La actualidad más candente (20)

Java EE 7 introduction
Java EE 7  introductionJava EE 7  introduction
Java EE 7 introduction
 
Email security & threads
Email security & threadsEmail security & threads
Email security & threads
 
Observability with Consul Connect
Observability with Consul ConnectObservability with Consul Connect
Observability with Consul Connect
 
Hibernate notes
Hibernate notesHibernate notes
Hibernate notes
 
School Management (c++)
School Management (c++) School Management (c++)
School Management (c++)
 
Webservices
WebservicesWebservices
Webservices
 
Cyber ethics cbse class xi
Cyber ethics cbse class xiCyber ethics cbse class xi
Cyber ethics cbse class xi
 
Building a High-Performance Distributed Task Queue on MongoDB
Building a High-Performance Distributed Task Queue on MongoDBBuilding a High-Performance Distributed Task Queue on MongoDB
Building a High-Performance Distributed Task Queue on MongoDB
 
General Awareness On Cyber Security
General Awareness On Cyber SecurityGeneral Awareness On Cyber Security
General Awareness On Cyber Security
 
Golang - Overview of Go (golang) Language
Golang - Overview of Go (golang) LanguageGolang - Overview of Go (golang) Language
Golang - Overview of Go (golang) Language
 
Overview on hacking tools
Overview on hacking toolsOverview on hacking tools
Overview on hacking tools
 
Job center
Job centerJob center
Job center
 
Introduction to Rust language programming
Introduction to Rust language programmingIntroduction to Rust language programming
Introduction to Rust language programming
 
Notification android
Notification androidNotification android
Notification android
 
Rust
RustRust
Rust
 
IRJET- Development of College Enquiry Chatbot using Snatchbot
IRJET- Development of College Enquiry Chatbot using SnatchbotIRJET- Development of College Enquiry Chatbot using Snatchbot
IRJET- Development of College Enquiry Chatbot using Snatchbot
 
Hospital management system project
Hospital management system projectHospital management system project
Hospital management system project
 
Cross site scripting (xss) attacks issues and defense - by sandeep kumbhar
Cross site scripting (xss) attacks issues and defense - by sandeep kumbharCross site scripting (xss) attacks issues and defense - by sandeep kumbhar
Cross site scripting (xss) attacks issues and defense - by sandeep kumbhar
 
Cross Site Scripting ( XSS)
Cross Site Scripting ( XSS)Cross Site Scripting ( XSS)
Cross Site Scripting ( XSS)
 
Ethical hacking
Ethical hackingEthical hacking
Ethical hacking
 

Similar a Single Logout

MuleSoft Nashik Meetup#5 - JSON Logger and Externalize Logs
MuleSoft Nashik Meetup#5 - JSON Logger and Externalize LogsMuleSoft Nashik Meetup#5 - JSON Logger and Externalize Logs
MuleSoft Nashik Meetup#5 - JSON Logger and Externalize LogsJitendra Bafna
 
Single sign on (SSO) How does your company apply?
Single sign on (SSO) How does your company apply?Single sign on (SSO) How does your company apply?
Single sign on (SSO) How does your company apply?Đỗ Duy Trung
 
Open Source Identity Integration with OpenSSO
Open Source Identity Integration with OpenSSOOpen Source Identity Integration with OpenSSO
Open Source Identity Integration with OpenSSOelliando dias
 
Simplifying The S's: Single Sign-On, SPNEGO and SAML
Simplifying The S's: Single Sign-On, SPNEGO and SAMLSimplifying The S's: Single Sign-On, SPNEGO and SAML
Simplifying The S's: Single Sign-On, SPNEGO and SAMLGabriella Davis
 
Our road to Single Sign-On, DocPlanner
Our road to Single Sign-On, DocPlannerOur road to Single Sign-On, DocPlanner
Our road to Single Sign-On, DocPlannerTomasz Wójcik
 
Alfresco: Implementing secure single sign on (SSO) with OpenSAML
Alfresco: Implementing secure single sign on (SSO) with OpenSAMLAlfresco: Implementing secure single sign on (SSO) with OpenSAML
Alfresco: Implementing secure single sign on (SSO) with OpenSAMLJ V
 
Introduction of ShinoBOT (Black Hat USA 2013 Arsenal)
Introduction of ShinoBOT (Black Hat USA 2013 Arsenal)Introduction of ShinoBOT (Black Hat USA 2013 Arsenal)
Introduction of ShinoBOT (Black Hat USA 2013 Arsenal)Shota Shinogi
 
Six Mistakes of Log Management 2008
Six Mistakes of Log Management 2008Six Mistakes of Log Management 2008
Six Mistakes of Log Management 2008Anton Chuvakin
 
Super feats of integration x pages with symphony sharepoint and office
Super feats of integration  x pages with symphony sharepoint and officeSuper feats of integration  x pages with symphony sharepoint and office
Super feats of integration x pages with symphony sharepoint and officeJohn Head
 
Time to Terminate Manual 5250 Tasks
Time to Terminate Manual 5250 TasksTime to Terminate Manual 5250 Tasks
Time to Terminate Manual 5250 TasksHelpSystems
 
MuleSoft Surat Virtual Meetup#7 - JSON Logger and Common Error Handling With ...
MuleSoft Surat Virtual Meetup#7 - JSON Logger and Common Error Handling With ...MuleSoft Surat Virtual Meetup#7 - JSON Logger and Common Error Handling With ...
MuleSoft Surat Virtual Meetup#7 - JSON Logger and Common Error Handling With ...Jitendra Bafna
 
Lessons Learned from Migrating Legacy Enterprise Applications to Microservices
Lessons Learned from Migrating Legacy Enterprise Applications to MicroservicesLessons Learned from Migrating Legacy Enterprise Applications to Microservices
Lessons Learned from Migrating Legacy Enterprise Applications to MicroservicesVMware Tanzu
 
Introduction to LogCompare - Reducing MTTI/MTTR with Ease
Introduction to LogCompare - Reducing MTTI/MTTR with EaseIntroduction to LogCompare - Reducing MTTI/MTTR with Ease
Introduction to LogCompare - Reducing MTTI/MTTR with EaseSumo Logic
 
Teach Your Sites to Call for Help: Automated Problem Reporting for Online Ser...
Teach Your Sites to Call for Help: Automated Problem Reporting for Online Ser...Teach Your Sites to Call for Help: Automated Problem Reporting for Online Ser...
Teach Your Sites to Call for Help: Automated Problem Reporting for Online Ser...Caktus Group
 
Liferay workshop
Liferay workshopLiferay workshop
Liferay workshopahmadsayed
 
5.5.1.2 packet tracer configure ios intrusion prevention system (ips) using...
5.5.1.2 packet tracer   configure ios intrusion prevention system (ips) using...5.5.1.2 packet tracer   configure ios intrusion prevention system (ips) using...
5.5.1.2 packet tracer configure ios intrusion prevention system (ips) using...Salem Trabelsi
 

Similar a Single Logout (20)

MuleSoft Nashik Meetup#5 - JSON Logger and Externalize Logs
MuleSoft Nashik Meetup#5 - JSON Logger and Externalize LogsMuleSoft Nashik Meetup#5 - JSON Logger and Externalize Logs
MuleSoft Nashik Meetup#5 - JSON Logger and Externalize Logs
 
Single sign on (SSO) How does your company apply?
Single sign on (SSO) How does your company apply?Single sign on (SSO) How does your company apply?
Single sign on (SSO) How does your company apply?
 
Open Source Identity Integration with OpenSSO
Open Source Identity Integration with OpenSSOOpen Source Identity Integration with OpenSSO
Open Source Identity Integration with OpenSSO
 
Simplifying The S's: Single Sign-On, SPNEGO and SAML
Simplifying The S's: Single Sign-On, SPNEGO and SAMLSimplifying The S's: Single Sign-On, SPNEGO and SAML
Simplifying The S's: Single Sign-On, SPNEGO and SAML
 
Open sso fisl9.0
Open sso fisl9.0Open sso fisl9.0
Open sso fisl9.0
 
Our road to Single Sign-On, DocPlanner
Our road to Single Sign-On, DocPlannerOur road to Single Sign-On, DocPlanner
Our road to Single Sign-On, DocPlanner
 
Alfresco: Implementing secure single sign on (SSO) with OpenSAML
Alfresco: Implementing secure single sign on (SSO) with OpenSAMLAlfresco: Implementing secure single sign on (SSO) with OpenSAML
Alfresco: Implementing secure single sign on (SSO) with OpenSAML
 
Real World SharePoint Debacles
Real World SharePoint DebaclesReal World SharePoint Debacles
Real World SharePoint Debacles
 
Delivering Identity at Internet Scale
Delivering Identity at Internet ScaleDelivering Identity at Internet Scale
Delivering Identity at Internet Scale
 
Introduction of ShinoBOT (Black Hat USA 2013 Arsenal)
Introduction of ShinoBOT (Black Hat USA 2013 Arsenal)Introduction of ShinoBOT (Black Hat USA 2013 Arsenal)
Introduction of ShinoBOT (Black Hat USA 2013 Arsenal)
 
Joomla REST API
Joomla REST APIJoomla REST API
Joomla REST API
 
Six Mistakes of Log Management 2008
Six Mistakes of Log Management 2008Six Mistakes of Log Management 2008
Six Mistakes of Log Management 2008
 
Super feats of integration x pages with symphony sharepoint and office
Super feats of integration  x pages with symphony sharepoint and officeSuper feats of integration  x pages with symphony sharepoint and office
Super feats of integration x pages with symphony sharepoint and office
 
Time to Terminate Manual 5250 Tasks
Time to Terminate Manual 5250 TasksTime to Terminate Manual 5250 Tasks
Time to Terminate Manual 5250 Tasks
 
MuleSoft Surat Virtual Meetup#7 - JSON Logger and Common Error Handling With ...
MuleSoft Surat Virtual Meetup#7 - JSON Logger and Common Error Handling With ...MuleSoft Surat Virtual Meetup#7 - JSON Logger and Common Error Handling With ...
MuleSoft Surat Virtual Meetup#7 - JSON Logger and Common Error Handling With ...
 
Lessons Learned from Migrating Legacy Enterprise Applications to Microservices
Lessons Learned from Migrating Legacy Enterprise Applications to MicroservicesLessons Learned from Migrating Legacy Enterprise Applications to Microservices
Lessons Learned from Migrating Legacy Enterprise Applications to Microservices
 
Introduction to LogCompare - Reducing MTTI/MTTR with Ease
Introduction to LogCompare - Reducing MTTI/MTTR with EaseIntroduction to LogCompare - Reducing MTTI/MTTR with Ease
Introduction to LogCompare - Reducing MTTI/MTTR with Ease
 
Teach Your Sites to Call for Help: Automated Problem Reporting for Online Ser...
Teach Your Sites to Call for Help: Automated Problem Reporting for Online Ser...Teach Your Sites to Call for Help: Automated Problem Reporting for Online Ser...
Teach Your Sites to Call for Help: Automated Problem Reporting for Online Ser...
 
Liferay workshop
Liferay workshopLiferay workshop
Liferay workshop
 
5.5.1.2 packet tracer configure ios intrusion prevention system (ips) using...
5.5.1.2 packet tracer   configure ios intrusion prevention system (ips) using...5.5.1.2 packet tracer   configure ios intrusion prevention system (ips) using...
5.5.1.2 packet tracer configure ios intrusion prevention system (ips) using...
 

Más de Andreas Åkre Solberg

Dataporten for grunnopplæringa - Workshop September 2017
Dataporten for grunnopplæringa - Workshop September 2017Dataporten for grunnopplæringa - Workshop September 2017
Dataporten for grunnopplæringa - Workshop September 2017Andreas Åkre Solberg
 
Dataporten intro (workshop with Difi)
Dataporten intro (workshop with Difi)Dataporten intro (workshop with Difi)
Dataporten intro (workshop with Difi)Andreas Åkre Solberg
 
UNINETT Feide Connect (Feide fagdag)
UNINETT Feide Connect (Feide fagdag)UNINETT Feide Connect (Feide fagdag)
UNINETT Feide Connect (Feide fagdag)Andreas Åkre Solberg
 
Connect (UNINETT-konferansen, Tromsø)
Connect (UNINETT-konferansen, Tromsø)Connect (UNINETT-konferansen, Tromsø)
Connect (UNINETT-konferansen, Tromsø)Andreas Åkre Solberg
 
Norsk UH-sektor og økosystemer for identitet og integrasjoner i skyen
Norsk UH-sektor og økosystemer for identitet og integrasjoner i skyenNorsk UH-sektor og økosystemer for identitet og integrasjoner i skyen
Norsk UH-sektor og økosystemer for identitet og integrasjoner i skyenAndreas Åkre Solberg
 
Feide Connect – Standard Norge February 2015
Feide Connect – Standard Norge February 2015Feide Connect – Standard Norge February 2015
Feide Connect – Standard Norge February 2015Andreas Åkre Solberg
 

Más de Andreas Åkre Solberg (20)

OpenID Connect Federation
OpenID Connect FederationOpenID Connect Federation
OpenID Connect Federation
 
Dataporten for grunnopplæringa - Workshop September 2017
Dataporten for grunnopplæringa - Workshop September 2017Dataporten for grunnopplæringa - Workshop September 2017
Dataporten for grunnopplæringa - Workshop September 2017
 
Dataporten Workshop
Dataporten WorkshopDataporten Workshop
Dataporten Workshop
 
Dataporten
DataportenDataporten
Dataporten
 
Dataporten for Sigma2, Hell
Dataporten for Sigma2, HellDataporten for Sigma2, Hell
Dataporten for Sigma2, Hell
 
Dataporten intro (workshop with Difi)
Dataporten intro (workshop with Difi)Dataporten intro (workshop with Difi)
Dataporten intro (workshop with Difi)
 
UNINETT Feide Connect (Feide fagdag)
UNINETT Feide Connect (Feide fagdag)UNINETT Feide Connect (Feide fagdag)
UNINETT Feide Connect (Feide fagdag)
 
Connect (UNINETT-konferansen, Tromsø)
Connect (UNINETT-konferansen, Tromsø)Connect (UNINETT-konferansen, Tromsø)
Connect (UNINETT-konferansen, Tromsø)
 
Connect (USIT)
Connect (USIT)Connect (USIT)
Connect (USIT)
 
Connect (Feide fagdag, Gardemoen)
Connect (Feide fagdag, Gardemoen)Connect (Feide fagdag, Gardemoen)
Connect (Feide fagdag, Gardemoen)
 
Norsk UH-sektor og økosystemer for identitet og integrasjoner i skyen
Norsk UH-sektor og økosystemer for identitet og integrasjoner i skyenNorsk UH-sektor og økosystemer for identitet og integrasjoner i skyen
Norsk UH-sektor og økosystemer for identitet og integrasjoner i skyen
 
Feide Connect – Standard Norge February 2015
Feide Connect – Standard Norge February 2015Feide Connect – Standard Norge February 2015
Feide Connect – Standard Norge February 2015
 
Feide Connect SUHS 2014
Feide Connect SUHS 2014Feide Connect SUHS 2014
Feide Connect SUHS 2014
 
Feide Connect (NOKIOS 2014)
Feide Connect (NOKIOS 2014)Feide Connect (NOKIOS 2014)
Feide Connect (NOKIOS 2014)
 
Feide Connect TNC2014
Feide Connect TNC2014Feide Connect TNC2014
Feide Connect TNC2014
 
Feide connect tnc2014
Feide connect   tnc2014Feide connect   tnc2014
Feide connect tnc2014
 
SCIM and VOOT
SCIM and VOOTSCIM and VOOT
SCIM and VOOT
 
Feide Connect (IoU Fagdag)
Feide Connect (IoU Fagdag)Feide Connect (IoU Fagdag)
Feide Connect (IoU Fagdag)
 
Feide Connect
Feide ConnectFeide Connect
Feide Connect
 
Feide Connect
Feide ConnectFeide Connect
Feide Connect
 

Último

UiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation DevelopersUiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation DevelopersUiPathCommunity
 
Spring24-Release Overview - Wellingtion User Group-1.pdf
Spring24-Release Overview - Wellingtion User Group-1.pdfSpring24-Release Overview - Wellingtion User Group-1.pdf
Spring24-Release Overview - Wellingtion User Group-1.pdfAnna Loughnan Colquhoun
 
UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6DianaGray10
 
Videogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdfVideogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdfinfogdgmi
 
20200723_insight_release_plan_v6.pdf20200723_insight_release_plan_v6.pdf
20200723_insight_release_plan_v6.pdf20200723_insight_release_plan_v6.pdf20200723_insight_release_plan_v6.pdf20200723_insight_release_plan_v6.pdf
20200723_insight_release_plan_v6.pdf20200723_insight_release_plan_v6.pdfJamie (Taka) Wang
 
UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1DianaGray10
 
Meet the new FSP 3000 M-Flex800™
Meet the new FSP 3000 M-Flex800™Meet the new FSP 3000 M-Flex800™
Meet the new FSP 3000 M-Flex800™Adtran
 
UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8DianaGray10
 
Things you didn't know you can use in your Salesforce
Things you didn't know you can use in your SalesforceThings you didn't know you can use in your Salesforce
Things you didn't know you can use in your SalesforceMartin Humpolec
 
Computer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and HazardsComputer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and HazardsSeth Reyes
 
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...DianaGray10
 
Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.YounusS2
 
Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024D Cloud Solutions
 
Cloud Revolution: Exploring the New Wave of Serverless Spatial Data
Cloud Revolution: Exploring the New Wave of Serverless Spatial DataCloud Revolution: Exploring the New Wave of Serverless Spatial Data
Cloud Revolution: Exploring the New Wave of Serverless Spatial DataSafe Software
 
Comparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and IstioComparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and IstioChristian Posta
 
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdfIaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdfDaniel Santiago Silva Capera
 
Linked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond OntologiesLinked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond OntologiesDavid Newbury
 
COMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online CollaborationCOMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online Collaborationbruanjhuli
 
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesHow to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesThousandEyes
 
Nanopower In Semiconductor Industry.pdf
Nanopower  In Semiconductor Industry.pdfNanopower  In Semiconductor Industry.pdf
Nanopower In Semiconductor Industry.pdfPedro Manuel
 

Último (20)

UiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation DevelopersUiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation Developers
 
Spring24-Release Overview - Wellingtion User Group-1.pdf
Spring24-Release Overview - Wellingtion User Group-1.pdfSpring24-Release Overview - Wellingtion User Group-1.pdf
Spring24-Release Overview - Wellingtion User Group-1.pdf
 
UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6
 
Videogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdfVideogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdf
 
20200723_insight_release_plan_v6.pdf20200723_insight_release_plan_v6.pdf
20200723_insight_release_plan_v6.pdf20200723_insight_release_plan_v6.pdf20200723_insight_release_plan_v6.pdf20200723_insight_release_plan_v6.pdf
20200723_insight_release_plan_v6.pdf20200723_insight_release_plan_v6.pdf
 
UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1
 
Meet the new FSP 3000 M-Flex800™
Meet the new FSP 3000 M-Flex800™Meet the new FSP 3000 M-Flex800™
Meet the new FSP 3000 M-Flex800™
 
UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8
 
Things you didn't know you can use in your Salesforce
Things you didn't know you can use in your SalesforceThings you didn't know you can use in your Salesforce
Things you didn't know you can use in your Salesforce
 
Computer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and HazardsComputer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and Hazards
 
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...

Single Logout

  • 1. Single Log-Out Andreas Åkre Solberg Malaga, June 2009
  • 2. Sessions On Web • HTTP originally stateless • Using Cookies to keep state • Cookies in RFC2965 • Set a session ID first time user visits, sent back to site for every HTTP request (Diagram: 1. first request, HTTP GET from the Browser, the Site answers Set-Cookie: ID=23846; 2. subsequent requests from the Browser carry Cookie: ID=23846.)
  • 3. Cookies limited to domains Set-Cookie: ID=123; domain: .site.org Cookie sessions can be on one domain only. WebSSO protocols extend user sessions between domains. (Diagram: the IdP holds the master session; each SP holds its own session, joined to it by WebSSO.)
  • 4. Consequences of not terminating SSO Logging in to one service, and not terminating the SSO session, enables access to a wide range of other services. Users do not understand this. (Diagram: one IdP joined by WebSSO to several SPs, from extending the loan period of a book at the library to financial system X handling employee salary payment.)
  • 5. Logout What do users do when they want to log out? They: • Click logout, or • close the browser/tab
  • 6. Close the tab??? Yes, (some) people close the tab to log out. We hired a company to perform usability testing with real users.
  • 7. Logout Most federations do not offer any kind of logout. What if we want to provide some kind of logout? What are our options?
  • 8. Local Logout Can the federations leave logout to the services alone, each providing an independent local logout? NO! What will SSO do to you if you click login after having logged out locally? (The IdP session is still active, so you are signed straight back in.)
  • 9. Local + IdP Logout Is this a good idea? SAML 2.0 provides protocol elements to distribute logout among entities. (Diagram: 1. SP1 sends a LogoutRequest to the IdP; 2. the IdP returns a LogoutResponse. The sessions at SP1 and the IdP are deactivated, while SP2 and SP3 still have active sessions.)
  • 10. Local + IdP Logout Boundaries between SPs are washed out with SSO. The user can never know exactly which services she is logged into (because SSO is transparent). Therefore local + IdP logout is a «no go»! (Diagram: MyPortal.com fronts Service foo at SP1 and Service bar at SP2, both behind one IdP.)
  • 11. Single Logout - as in SAML 2.0 Single Logout Profile (Diagram: 1. SP1 sends a LogoutRequest to the IdP; 2. the IdP sends a LogoutRequest to SP2; 3. SP2 returns a LogoutResponse; 4. the IdP sends a LogoutRequest to SP3; 5. SP3 returns a LogoutResponse; 6. the IdP returns a LogoutResponse to SP1.) Logout is fully propagated to all services that share a session...
  • 12. Single Logout Usability There is no way to get the user to understand what is going on with SLO without being extremely clear and explicit. Because users generally do not fully understand SSO, there is no common intuitive understanding of what SLO will do. It differs from user to user. One of the things we tried: naming the button 'Global logout' is not making it any easier for the user.
  • 13. Single Logout Back-Out Users that are in the middle of an important transaction at SP2 will not like it if it is interrupted when they log out from SP1. - Real-life example: requirement from a financial system SP: the user should be told which servers she is logged on to, and asked whether she wants to log out from all of them.
  • 14. Single Logout Bindings Front-channel: • Not robust. SP2 may throw a 500 internal error when the user logs out from SP1. Back-channel: • Difficult to implement for SPs, because there is no access to the session cookie (the LogoutRequest arrives from the IdP, not from the user's browser).
  • 15. Single Logout Solution Our solution: • We are using front-channel only, not stuck with back-channel complexity. • Solving the robustness problem with hidden iFrames. • Presenting the user with a list of logged in services. • Option to logout local + IdP or globally. • Good feedback to user when things fail.
  • 17. Single Logout Solution SP1 SP2 SP3 Hidden iFrames send front-channel LogoutRequests and update the logout status with AJAX.
  • 18. Single Logout Solution The LogoutResponse endpoint on the IdP receives the LogoutResponses and updates the status on the user's logout page with AJAX.
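Added example, not code from the slides or from simpleSAMLphp: a small Python model of the three logout modes compared on slides 8 to 11 and of the per-service status reporting of the solution on slides 15 to 18. The SP entity ids and the "broken" flag standing in for an SP that answers a front-channel LogoutRequest with a 500 are assumptions.

```python
# Added example (not the slides' or simpleSAMLphp's code); SP ids and the broken flag are constructed.
from dataclasses import dataclass, field
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
PARTIAL = "urn:oasis:names:tc:SAML:2.0:status:PartialLogout"

@dataclass
class SP:
    entity_id: str
    session_active: bool = False
    broken: bool = False  # models an SP answering a front-channel LogoutRequest with a 500
    def handle_logout_request(self) -> str:
        if self.broken:
            raise RuntimeError("500 Internal Server Error")
        self.session_active = False
        return SUCCESS

@dataclass
class IdP:
    master_session: bool = False
    sps: list = field(default_factory=list)  # SPs the master session has signed the user in to
    def login(self, sp: SP) -> bool:  # returns True only if the user was prompted to authenticate
        prompted = not self.master_session
        self.master_session = True
        sp.session_active = True
        if sp not in self.sps:
            self.sps.append(sp)
        return prompted

def local_logout(sp: SP) -> None:
    sp.session_active = False  # the IdP master session survives (slide 8)

def local_plus_idp_logout(idp: IdP, sp: SP) -> list:
    """Slide 9: end the SP and IdP sessions; return the SPs that are still logged in."""
    sp.session_active = False
    idp.master_session = False
    return [s.entity_id for s in idp.sps if s.session_active]

def single_logout(idp: IdP, initiator: SP) -> tuple:
    """Slides 11/15: LogoutRequest to every other SP, with a status per SP so one failure does not stop the rest."""
    initiator.session_active = False
    idp.master_session = False
    report = {}
    for sp in (s for s in idp.sps if s is not initiator):
        try:
            report[sp.entity_id] = sp.handle_logout_request()
        except RuntimeError as err:
            report[sp.entity_id] = f"failed: {err}"
    overall = SUCCESS if all(v == SUCCESS for v in report.values()) else PARTIAL
    return overall, report
```

The report returned by single_logout is what the AJAX status page would show: SP3 logged out, SP2 failed, overall PartialLogout, instead of the whole flow dying on SP2's 500.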
  • 20. iFrame + AJAX Single Logout as provided by [product logo] (Banner: Available today)
  • 21. Is anyone using logout? The big question! We have had simpleSAMLphp in production for two months. Is anybody using global logout? Let's take a look at the statistics.
  • 22. Is anyone using logout? Yes! At a surprising SLO:SSO ratio of 1:10. The SSO:SLO ratio varies very much between Service Providers, from 0 to 1:2!