Damn you, single sign-on

One of the best features of SURFconext is the support of single sign-on, which means that once you have entered your credentials to use a service connected to the SURFconext platform, you do not have to repeat this when you want to use another service that is also connected to SURFconext. This makes the user experience easier and faster.

The problem

A downside of single sign-on is that logging out is not that simple: when you hit the logout button at the service, it will appear as if you have been logged out. However, if you go to the service again, you will be logged in automatically because of the single sign-on functionality of the SAML2 protocol SURFconext uses. Recently, the SURFconext team received a question from a Service Provider about this, because their service is an electronic learning environment that contains personal and privacy-sensitive information, such as grades. They wanted to be sure that once a user logs out, the user is actually logged out. This is particularly important when a public computer is being used; in that case, there is a risk that the next person using the computer could see the personal environment of the previous user if that user did not end his browser session.

The solution

SURFconext does not support single logout ‘as a service’, but there is a logout page available. In consultation with the Service Provider and an Identity Provider, we therefore came up with the following solution:

  1. The user logs out of the service at the Service Provider’s web page.
  2. The Service Provider then redirects the browser to the logout page of the Identity Provider.
  3. The IdP logout page contains an iframe that loads the SURFconext logout URL, so that the SURFconext session is ended as well.

If logging out is implemented this way, the logout only applies to that specific service. For it to work, all three parties (SP, IdP and SURFconext) must each implement their part separately. Services the user had already logged into keep working with their existing sessions. If, however, the user opens a new SURFconext service, he will have to log in again, and if he returns to this electronic learning environment, he will have to log in again as well. This makes sense to the user, because he specifically logged out, so we do not expect users to be confused by it. It is important that the user is told that this is a logout from a single service and NOT a single sign-out from all services. For a single sign-out, the best thing to do is to close the browser.
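As an added example (not code from SURFconext, the SP or the IdP), the three-step chain simulated in Python with one server-side session store per party. The IdP and SURFconext logout URLs are placeholders, since the post does not give them; the point is that each party invalidates its own session and that a second, already-open service is untouched.

```python
import secrets
from html import escape

# Placeholder endpoints: the post names neither the IdP nor the SURFconext logout URL.
IDP_LOGOUT_URL = "https://idp.example.org/logout"            # assumed
SURFCONEXT_LOGOUT_URL = "https://surfconext.example/logout"  # placeholder


class Party:
    """Minimal server-side session store standing in for an SP, the IdP or SURFconext."""

    def __init__(self, name):
        self.name = name
        self.sessions = {}  # session cookie value -> user id

    def login(self, user):
        cookie = secrets.token_urlsafe(16)
        self.sessions[cookie] = user
        return cookie

    def is_logged_in(self, cookie):
        return cookie in self.sessions

    def logout(self, cookie):
        # Invalidate on the server; clearing only the browser cookie would leave
        # the session usable by anyone who still holds its value.
        self.sessions.pop(cookie, None)


def sp_logout_response(sp, cookie):
    """Step 1: the SP ends its own session and redirects to the IdP logout page."""
    sp.logout(cookie)
    cleared = f"{sp.name}_session=; Max-Age=0; Path=/; Secure; HttpOnly"
    return {"status": 302, "headers": {"Location": IDP_LOGOUT_URL, "Set-Cookie": cleared}}


def idp_logout_page(idp, cookie):
    """Steps 2 and 3: the IdP ends its session and serves a page whose iframe
    loads the SURFconext logout URL, so the browser ends the hub session too."""
    idp.logout(cookie)
    body = ("<p>You are logged out of this service only. Services you already opened "
            "stay logged in; close the browser to end every session.</p>"
            f'<iframe src="{escape(SURFCONEXT_LOGOUT_URL)}" hidden></iframe>')
    return {"status": 200, "body": body}


def single_service_logout(sp, idp, hub, cookies):
    """Drive the chain as the browser would and return the SP and IdP responses."""
    sp_resp = sp_logout_response(sp, cookies[sp.name])
    idp_resp = idp_logout_page(idp, cookies[idp.name])
    hub.logout(cookies[hub.name])  # what the iframe request to SURFconext achieves
    return sp_resp, idp_resp
```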

As you can see in the following picture, logging out of a single service involves logging out of three different parties, indicated with the green circles. The sessions on other services are unaffected and remain available to the user, indicated with the red circle.

Schema of logging out from SURFconext

This is the first time we will implement this solution, so if any issues come up, we will describe them on this blog.

We are interested in your comments and questions on this subject; please feel free to add your remark below this post.
