2. Sessions On Web
• HTTP originally stateless
• Using Cookies to keep state
• Cookies in RFC2965
• A session ID is set the first time the user visits; the browser
sends it back to the site with every subsequent HTTP request
[Diagram: (1) first request, HTTP GET from browser to site; (2) site answers with Set-Cookie: ID=23846; (3) every subsequent request from the browser carries Cookie: ID=23846]
3. Cookies limited to domains
Set-Cookie: ID=123; domain=.site.org
Cookie sessions can be on one domain only.
WebSSO protocols extend user sessions
between domains.
[Diagram: the IdP holds the master session; each SP holds a WebSSO session derived from it]
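To make the domain boundary of slide 3 concrete, here is an added example (not from the slides) that parses a Set-Cookie header and decides which hosts a browser will store and send the cookie for. Domain matching follows RFC 6265, the current cookie specification; the leading dot of the RFC 2965 style `domain=.site.org` is ignored, which is what browsers do today. All hostnames used are made up for the example.

```javascript
// Added example (not from the slides): how a browser scopes a session
// cookie to a domain, and why that scope stops at a domain boundary.
// Domain matching follows RFC 6265; the leading dot of an RFC 2965 style
// "domain=.site.org" attribute is ignored, as browsers do today.

// Parse one Set-Cookie header value into its name/value and attributes.
function parseSetCookie(header) {
  const parts = header.split(";").map((p) => p.trim());
  const eq = parts[0].indexOf("=");
  const cookie = {
    name: parts[0].slice(0, eq),
    value: parts[0].slice(eq + 1),
    domain: null, // null means a host-only cookie
    path: "/",
    secure: false,
    httpOnly: false,
  };
  for (const attr of parts.slice(1)) {
    const [rawKey, rawVal] = attr.split("=");
    const key = rawKey.trim().toLowerCase();
    if (key === "domain" && rawVal) {
      cookie.domain = rawVal.trim().toLowerCase().replace(/^\./, "");
    } else if (key === "path" && rawVal) {
      cookie.path = rawVal.trim();
    } else if (key === "secure") {
      cookie.secure = true;
    } else if (key === "httponly") {
      cookie.httpOnly = true;
    }
  }
  return cookie;
}

// RFC 6265 domain-match: the host equals the domain or ends with "." + domain.
// IP literals never domain-match.
function domainMatches(host, domain) {
  host = host.toLowerCase();
  if (host === domain) return true;
  if (/^\d{1,3}(\.\d{1,3}){3}$/.test(host)) return false;
  return host.endsWith("." + domain);
}

// Would the browser even store this cookie when setByHost sets it?
// A Domain attribute that does not cover the setting host is rejected,
// so sp.site.org cannot plant a session cookie for idp.example.net.
function cookieAccepted(cookie, setByHost) {
  if (cookie.domain === null) return true;
  return domainMatches(setByHost, cookie.domain);
}

// Would the stored cookie be attached to a request for requestHost?
function cookieSentTo(cookie, setByHost, requestHost) {
  if (!cookieAccepted(cookie, setByHost)) return false;
  if (cookie.domain === null) {
    // host-only cookie: exact host match only
    return requestHost.toLowerCase() === setByHost.toLowerCase();
  }
  return domainMatches(requestHost, cookie.domain);
}
```

A cookie set with `domain=.site.org` reaches every host under site.org and nothing else; a cookie set without a Domain attribute reaches only the host that set it. Neither can carry a session to a service on another domain, which is exactly the gap the WebSSO protocols on the following slides fill.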
4. Consequences of not terminating SSO
Logging in to one service, and not terminating the SSO
session enables access to a wide range of other services.
Users do not understand this.
[Diagram: one IdP with WebSSO sessions to several SPs, among them Financial system X (employee salary payment) and the library (extending the loan period of a book)]
5. Logout
What do users do when they want to
logout?
They:
• Click logout, or
• close the browser/tab
6. Close the tab???
Yes, (some) people close the tab to
logout.
We hired a company to perform usability
testing with real users.
7. Logout
Most federations do not offer any kind
of logout.
What if we want to provide some kind of
logout? What are our options?
8. Local Logout
Can the federations leave logout to the
services alone, each providing an
independent local logout?
NO!
What will SSO do to you if you click
login after having logged out locally?
9. Local + IdP Logout
Is this a good idea?
[Diagram: SP2 sends a LogoutRequest (1) to the IdP and receives a LogoutResponse (2); SP1 and SP3 still have active sessions. Legend: active session / deactivated session]
SAML 2.0 provides a protocol element to
distribute logout among entities.
10. Local + IdP Logout
Boundaries between SPs are washed out
with SSO. The user can never know
exactly which services she is logged into
(because SSO is transparent).
Therefore local + IdP logout is a «no go»!
[Diagram: MyPortal.com fronting Service foo (SP1) and Service bar (SP2), both behind the same IdP]
11. Single Logout
- as in SAML 2.0 Single Logout Profile
[Diagram: SP2 sends a LogoutRequest (1) to the IdP; the IdP sends a LogoutRequest to SP1 (2) and receives its LogoutResponse (3), then sends a LogoutRequest to SP3 (4) and receives its LogoutResponse (5); finally the IdP returns a LogoutResponse to SP2 (6)]
Logout is fully propagated
to all services that share a
session...
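Slides 8 to 11 compare three ways of logging out. The following added example (not from the slides; the `Federation` class and its method names are invented here) models an IdP master session with SP sessions hanging off it, so the difference between local logout, local + IdP logout and SAML 2.0 Single Logout can be observed directly: only SLO leaves no session behind, and only local logout lets a later "login" click silently re-establish the session.

```javascript
// Added example (not from the slides): a toy model of the IdP "master"
// session with SP sessions derived from it, used to compare the three
// logout styles on slides 8-11. Class and method names are invented.

class Federation {
  constructor(spNames) {
    this.idpSession = null; // master session at the IdP, or null
    this.spSessions = new Map(spNames.map((n) => [n, null]));
  }

  // The user actually types credentials at the IdP.
  authenticate(user) {
    this.idpSession = { user, participants: new Set() };
  }

  // Clicking "login" at an SP. With a live IdP session this is
  // transparent SSO: no prompt, the SP just gets a session.
  loginAt(sp) {
    if (!this.spSessions.has(sp)) throw new Error("unknown SP " + sp);
    if (this.idpSession === null) return "prompt-for-credentials";
    this.spSessions.set(sp, { user: this.idpSession.user });
    this.idpSession.participants.add(sp);
    return "sso";
  }

  // Slide 8: the SP drops its own session and tells nobody.
  localLogout(sp) {
    this.spSessions.set(sp, null);
    return this.activeSessions();
  }

  // Slides 9-10: the SP session and the IdP session go, other SPs stay.
  localPlusIdpLogout(sp) {
    this.spSessions.set(sp, null);
    this.idpSession = null;
    return this.activeSessions();
  }

  // Slide 11: SAML 2.0 Single Logout. The IdP sends a LogoutRequest to
  // every other SP sharing the session, then drops the master session.
  singleLogout(initiatingSp) {
    const targets = this.idpSession
      ? [...this.idpSession.participants].filter((p) => p !== initiatingSp)
      : [];
    this.spSessions.set(initiatingSp, null);
    for (const sp of targets) this.spSessions.set(sp, null);
    this.idpSession = null;
    return targets; // the SPs that received a LogoutRequest
  }

  // Names of SPs that still hold a session for the user.
  activeSessions() {
    return [...this.spSessions]
      .filter(([, s]) => s !== null)
      .map(([name]) => name);
  }
}
```

The model deliberately keeps the list of participating SPs at the IdP: that list is what slide 15 later turns into the "list of logged-in services" shown to the user, and it is the only place in the federation where it exists.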
12. Single Logout Usability
There is no way to get the user to
understand what is going on with SLO
without being extremely clear and
explicit. Because users generally do not fully understand
SSO, there is no common intuitive understanding of what SLO will
do. It differs from user to user.
One of the things we tried:
Naming the button 'Global logout' does not make
it any easier for the user.
13. Single Logout Back-Out
Users that are in the middle of an important
transaction at SP2 will not like it if it is
interrupted when they log out from SP1.
- Real-life example:
Requirement from a financial system SP:
The user should be told which servers she
is logged on to, and asked whether she
wants to log out from all of them.
14. Single Logout Bindings
Front-channel:
• Not robust: SP2 may throw a 500 internal
error while the user is logging out from SP1.
Back-channel:
• Difficult to implement for SPs, because
they have no access to the session cookie.
15. Single Logout Solution
Our solution:
• We use front-channel only, so we are not
stuck with back-channel complexity.
• Solving the robustness problem with
hidden iFrames.
• Presenting the user with a list of logged-in
services.
• Option to log out local + IdP or globally.
• Good feedback to the user when things fail.
17. Single Logout Solution
[Diagram: IdP logout page with one hidden iFrame per SP (SP1, SP2, SP3)]
Hidden iFrames send
front-channel LogoutRequests and
update the logout status with AJAX.
18. Single Logout Solution
[Diagram: LogoutResponses from SP1, SP2 and SP3 arrive at the IdP]
The LogoutResponse
endpoint on the IdP updates the
status on the user's logout page
with AJAX.
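Slides 14 to 18 describe the front-channel design: one hidden iFrame per SP carries the LogoutRequest, and the IdP's LogoutResponse endpoint feeds per-SP status back to the logout page. The added example below is not simpleSAMLphp code; it shows the bookkeeping such a page needs so that an SP that answers 500 (slide 14) or never returns a LogoutResponse is shown to the user as failed instead of leaving the page hanging. Function names, the shape of the status update and the sample SP URLs are invented for the illustration; the logout URLs are assumed to be prepared by the IdP with the LogoutRequest already embedded.

```javascript
// Added example (not simpleSAMLphp code): status tracking for an IdP
// logout page that fires front-channel LogoutRequests from hidden iFrames.
// Function names and the status-update shape are invented here.

// Track every SP that shares the session. `now` is injectable so the
// timeout logic can be exercised without waiting for real time to pass.
function createSloTracker(spIds, timeoutMs, now = Date.now) {
  const entries = new Map(
    spIds.map((id) => [id, { state: "pending", startedAt: now() }])
  );

  const summary = () => {
    const s = { pending: 0, done: 0, failed: 0, timeout: 0 };
    for (const e of entries.values()) s[e.state]++;
    return s;
  };

  return {
    // Called from the AJAX handler when the IdP's LogoutResponse endpoint
    // has heard back from an SP. Reports for unknown SPs, or for SPs that
    // already reached a final state, are ignored.
    markResponse(spId, success) {
      const e = entries.get(spId);
      if (!e || e.state !== "pending") return false;
      e.state = success ? "done" : "failed";
      return true;
    },
    // Front-channel is not robust: an SP may answer 500 and never send a
    // LogoutResponse. Poll this so such SPs end up "timeout", not "pending".
    checkTimeouts() {
      const t = now();
      let expired = 0;
      for (const e of entries.values()) {
        if (e.state === "pending" && t - e.startedAt >= timeoutMs) {
          e.state = "timeout";
          expired++;
        }
      }
      return expired;
    },
    summary,
    // True once every SP has a final state, whatever it is; this is when
    // the page can tell the user exactly what happened (slide 15).
    finished: () => summary().pending === 0,
    stateOf(spId) {
      const e = entries.get(spId);
      return e ? e.state : undefined;
    },
  };
}

// Browser side: one hidden iFrame per SP, each loading that SP's logout
// URL. `doc` is the DOM document, passed as a parameter so the function
// can be exercised with a stand-in outside a browser.
function mountIframes(spLogoutUrls, doc) {
  const frames = [];
  for (const [spId, url] of Object.entries(spLogoutUrls)) {
    const frame = doc.createElement("iframe");
    frame.style.display = "none";
    frame.name = spId;
    frame.src = url;
    doc.body.appendChild(frame);
    frames.push(frame);
  }
  return frames;
}
```

In a real page, `markResponse` would be driven by the AJAX poll of the IdP's status endpoint and `checkTimeouts` by a timer. One caveat worth checking before relying on this design: an SP whose logout endpoint refuses to be framed (for example via X-Frame-Options) never completes in the iFrame, so it surfaces here as a timeout; the tracker reports that honestly, but the SP's session is then still active and the user should be told so.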
20. iFrame + AJAX Single Logout
as provided by simpleSAMLphp.
Available today.
21. Is anyone using logout?
The big question!
We have had simpleSAMLphp in
production for two months. Is anybody
using global logout?
Let's take a look at the statistics.
22. Is anyone using logout?
Yes! At a surprising
SLO:SSO ratio of 1:10.
The ratio of SSO:SLO varies very much
between Service Providers:
from 0 to 1:2!