Minutes From Meeting Today
dick at sxip.com
Sat Jun 24 14:49:13 UTC 2006
On 23-Jun-06, at 9:46 PM, Johannes Ernst wrote:
>> - Single Sign Off isn't really easy
> I'd really like to understand the problems that Sxip ran into when
> trying to implement this in a previous version of their product.
> Dick said they dropped the feature because they couldn't get it to
> work reliably across browser versions.
> Dick, I think you are on this list: any further detail you could
> provide would be greatly appreciated.
Here is what I recall off the top of my head.
How an application logs out is fairly platform specific, and some
application platforms provide the functionality transparently to the
application. The most reliable way of logging out is getting the
browser to call a logout URL in the application. Most apps use
cookies to manage session status, i.e. logged in or logged out. To
prevent cross site scripting, some browsers don't move cookies if a
page is loaded in a frame, which means you need the browser to load
each site you want to log out of directly, then get the site to
redirect back to the IdP. If any of the sites don't send the user
back to the IdP, then the process fails. In summary, it got really
ugly when you want to be able to do it for all browsers on all platforms
and use the existing log out mechanism.
We built some apps that did not require the cookie when a URL was
requested. Calling the URL cleared the session cookie. This looked
like it would be hard to do on some application platforms. When using
this system internally, we found the user experience to not be what
was expected. We would [sxip out] of a site and realize we did not
really want to get out of all sites, and if we only wanted to get out
of the one site, then there needed to be two log outs.
Since the user logs in to each site separately, and given the issues
above and others that I don't recall, we concluded that Single Sign
Off was tough to implement and did not provide much if any value.
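The redirect chain described in this message, as an added simulation that is not code from Sxip or from the original post: the IdP sends the browser to each relying party's logout URL in turn, each RP is expected to clear its own session cookie and redirect the browser back to the IdP, and the IdP only learns the chain is broken by never regaining control. The site names, cookie values, and the `in_frame` flag (which models a browser that withholds cookies from framed loads) are all constructed for the example.

```python
"""Simulation of sequential front-channel single sign-off.

Two failure modes from the discussion are modelled:
  1. An RP that renders a "logged out" page instead of redirecting back,
     which strands the browser and leaves every later RP logged in.
  2. A browser that refuses to send cookies when the logout URL is loaded
     in a frame, so the RP cannot find (or clear) the session at all.
All names and values here are constructed; nothing is from a real product.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

CookieJar = Dict[str, str]                       # site -> session cookie value
LogoutHandler = Callable[[CookieJar, str], Optional[str]]


@dataclass
class RelyingParty:
    name: str
    logout: LogoutHandler   # receives the cookies the browser sent and the IdP
                            # return URL; returns the redirect target, or None
                            # if the site just renders a page and stops.


def well_behaved_logout(site: str) -> LogoutHandler:
    """Clears its own cookie and sends the browser back to the IdP."""
    def handler(sent_cookies: CookieJar, return_to: str) -> Optional[str]:
        sent_cookies.pop(site, None)
        return return_to
    return handler


def dead_end_logout(site: str) -> LogoutHandler:
    """Clears its cookie but renders a confirmation page instead of redirecting."""
    def handler(sent_cookies: CookieJar, return_to: str) -> Optional[str]:
        sent_cookies.pop(site, None)
        return None
    return handler


@dataclass
class SignOffReport:
    logged_out: List[str] = field(default_factory=list)
    still_logged_in: List[str] = field(default_factory=list)
    chain_broken_at: Optional[str] = None


def single_sign_off(return_url: str, rps: List[RelyingParty],
                    jar: CookieJar, in_frame: bool = False) -> SignOffReport:
    """Drive the browser through each RP's logout URL and record the outcome.

    `jar` is the browser's real cookie jar. When `in_frame` is True the RP is
    handed an empty view, modelling a browser that withholds cookies from
    framed loads: the RP cannot see the session, so the real cookie survives.
    """
    report = SignOffReport()
    for i, rp in enumerate(rps):
        sent = {} if in_frame else jar          # what the browser actually sends
        target = rp.logout(sent, return_url)
        (report.logged_out if rp.name not in jar
         else report.still_logged_in).append(rp.name)
        if target != return_url:
            # The browser is parked on the RP's page; the IdP never gets the
            # browser back, so no later RP is ever visited.
            report.chain_broken_at = rp.name
            report.still_logged_in.extend(r.name for r in rps[i + 1:])
            break
    return report


def demo_broken_chain() -> SignOffReport:
    """Constructed scenario: the second RP does not redirect back."""
    jar = {"mail": "s1", "wiki": "s2", "shop": "s3"}
    rps = [RelyingParty("mail", well_behaved_logout("mail")),
           RelyingParty("wiki", dead_end_logout("wiki")),
           RelyingParty("shop", well_behaved_logout("shop"))]
    return single_sign_off("https://idp.example/return", rps, jar)


def demo_framed_load() -> SignOffReport:
    """Constructed scenario: every RP behaves, but the browser withholds cookies."""
    jar = {"mail": "s1", "wiki": "s2"}
    rps = [RelyingParty("mail", well_behaved_logout("mail")),
           RelyingParty("wiki", well_behaved_logout("wiki"))]
    return single_sign_off("https://idp.example/return", rps, jar, in_frame=True)


if __name__ == "__main__":
    print(demo_broken_chain())   # chain breaks at "wiki"; "shop" stays logged in
    print(demo_framed_load())    # chain completes, yet nothing was logged out
```

The report is the point for a defender: an IdP that only tracks "did the browser come back" will call the framed scenario a success even though every session cookie survived, so a sign-off implementation needs a per-site confirmation signal rather than trusting the redirect chain.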
More information about the yadis