Minutes From Meeting Today

[Dick Hardt]

On 23-Jun-06, at 9:46 PM, Johannes Ernst wrote:

>> - Single Sign Off isn't really easy
>
> I'd really like to understand the problems that Sxip ran into when  
> trying to implement this in a previous version of their product.  
> Dick said they dropped the feature because they couldn't get it to  
> work reliably across browser versions.
>
> Dick, I think you are on this list: any further detail you could  
> provide would be greatly appreciated.

Here is what I recall off the top of my head.

How an application logs out is fairly platform specific, and some  
application platforms provide the functionality transparently to the  
application. The most reliable way of logging out is getting the  
browser to call a logout URL in the application. Most apps use  
cookies to manage session status, ie logged in our logged out. To  
prevent cross site scripting, some browsers don't move cookies if a  
page is loaded in a frame, which means you need the browser to load  
each site you want to log out of directly, then get the site to  
redirect back to the idP. If any of the sites don't send the user  
back to the IdP, then the process fails. In summary, it got really  
ugly when you want to be able to do it for all browsers on all and  
use the existing log out mechanism.

We built some apps that did not require the cookie when a URL was  
requested. Calling the URL cleared the session cookie. This looked  
like it would be hard to do on some application platforms. When using  
this system internally, we found the user experience to not be what  
was expected. We would [sxip out] of a site and realize we did not  
really want to get out of all sites, and if we only wanted to get out  
of the one site, then there needed to be two log outs.

Since the user logs in to each site separately, and given the issues  
above and other that I don't recall, we concluded that Single Sign  
Off was tough to implement and did not provide much if any value.

-- Dick