Damn you, single sign-on – Part two

“Every solution to every problem is simple. It’s the distance between the two where the mystery lies.” ― Derek Landy, Skulduggery Pleasant

After my first blog on how to make logging out possible for a single service within the SURFconext platform, we got some feedback on the proposed solution:

  • nice job, this works for us
  • we don’t like this solution, because it’s not single sign-out
  • will there be a ‘real solution’ for the single sign-out problem instead of this ‘work around’?

The problem

A downside of single sign-on is that logging out is not that simple: when you hit the logout button at the service, it will appear as if you have been logged out. However, if you go to the service again, you will be logged in automatically, because of the single sign-on functionality of the SAML2 protocol SURFconext uses. Recently, the SURFconext team received a question from a Service Provider about this, because their service is an electronic learning environment that contains personal and privacy-sensitive information, such as grades. They wanted to be sure that once a user logs out, the user actually is logged out. This is particularly important when a public computer is being used: in that case there is a risk that the next person using the computer could see the personal environment of the previous user if that user did not end his browser session.

The solution

SURFconext does not support single log out ‘as a service’, but there is a logout page available. In consultation with the Service Provider and an Identity Provider, we therefore came up with the following solution:

1. The user logs out of the service at the Service Provider’s webpage
2. The Service Provider then redirects to the logout page of the Identity Provider
3. The IdP logout page contains an iFrame with the SURFconext logout URL, to ensure the complete logout from SURFconext

If logging out of a service is implemented this way, the logout only works for that specific service. For it to work, all three parties (SP, IdP and SURFconext) must implement their part of this functionality separately. If the user was already logged in to other services, those sessions keep working with the same credentials. If, however, the user starts a new SURFconext service, he will have to log in again. If he goes back to this electronic learning environment, he will have to log in again as well. This makes sense to the user, because he specifically logged out, so we don’t expect users to be confused by it. It is important that the user is told that this is a logout of a single service and NOT a single sign-out of all services. For single sign-out, the best thing to do is close the browser.
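The three-step chain above, as an added illustration that is not SURFconext, SP or IdP code: each party only ends its own session, the SP answers with a redirect to the IdP logout page, and the IdP page embeds the SURFconext logout URL in an iframe that the browser fetches. The URLs and the cookie value are assumed placeholders; the scenario shows why a second SP’s session survives.

```python
from html.parser import HTMLParser
# Assumed placeholder URLs; the page does not give the real SURFconext logout URL.
IDP_LOGOUT_URL = "https://idp.example.org/logout"
SURFCONEXT_LOGOUT_URL = "https://surfconext.example.org/logout"

class Party:
    """A session-holding party (SP, IdP or SURFconext), keyed on the browser cookie."""
    def __init__(self, name):
        self.name, self.sessions = name, set()
    def logout(self, cookie):
        self.sessions.discard(cookie)

class IframeSources(HTMLParser):
    """Collects the src of every <iframe>, which the browser fetches when rendering."""
    def __init__(self):
        super().__init__()
        self.srcs = []
    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.srcs.extend(v for k, v in attrs if k == "src")

def sp_logout(sp, cookie):
    # Step 1: the SP ends its own session and redirects the browser to the IdP logout page.
    sp.logout(cookie)
    return {"status": 302, "location": IDP_LOGOUT_URL}

def idp_logout(idp, cookie):
    # Steps 2-3: the IdP ends its session and serves a page embedding the SURFconext logout URL.
    idp.logout(cookie)
    return {"status": 200, "body": f'<html><body>You are logged out.'
            f'<iframe src="{SURFCONEXT_LOGOUT_URL}"></iframe></body></html>'}

def browser_logout(sp, idp, conext, cookie):
    """Act as the browser: follow the 302, render the IdP page, request each iframe."""
    resp = sp_logout(sp, cookie)
    if resp["status"] == 302 and resp["location"] == IDP_LOGOUT_URL:
        page = idp_logout(idp, cookie)
        finder = IframeSources()
        finder.feed(page["body"])
        if SURFCONEXT_LOGOUT_URL in finder.srcs:
            conext.logout(cookie)  # the iframe request ends the SURFconext session

def demo():
    """Constructed scenario: one user signed in to two SPs through the IdP and SURFconext."""
    sp, other_sp, idp, conext = Party("sp"), Party("other_sp"), Party("idp"), Party("surfconext")
    cookie = "session-abc123"  # constructed sample cookie value
    for p in (sp, other_sp, idp, conext):
        p.sessions.add(cookie)
    browser_logout(sp, idp, conext, cookie)
    return {p.name: cookie in p.sessions for p in (sp, other_sp, idp, conext)}
```

Running `demo()` reports the SP, IdP and SURFconext sessions gone while `other_sp` still holds its session, which is exactly the single-service logout described above.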

As you can see in the following picture, logging out of a single service involves logging out of three different services indicated with the green circles. The sessions on other services are unaffected and still available to the user, indicated with the red circle.

Schematic overview of single signout

It is the first time we will implement this solution, so if there are any issues, we will describe them on this blog.

We are interested in your comments and questions on this subject; please feel free to add your remark below this post.



Dit artikel heeft 0 reacties