• No results found

Logout in Single Sign-on Systems

N/A
N/A
Info
Download
Protected

Academic year: 2021

Share "Logout in Single Sign-on Systems"

Copied!
13
0
0

Loading.... (view fulltext now)

Download now ( 13 Page )

Full text

(1)

Sanna Suoranta, Asko Tontti, Joonas Ruuskanen, Tuomas Aura IFIP IDMAN, London, UK, 8-9.4.2013

Logout in Single

Sign-on Systems

(2)

Logout in Single Sign-on Systems

•  Motivation

•  Single sign-on (SSO) systems

•  SSO in Finnish universities

•  Logout in single sign-on systems

•  Problems in practice

(3)

Motivation

•  Single Sign-on reduces the number of passwords user needs

•  Identity Provider authenticates the user on behalf of services

•  If services are used with a shared computer, logging out is

essential, or otherwise a next user of the computer can get in to the services with previous user’s privileges

•  Not only the used service but also all other services that use the same SSO authentication

•  Logout is important part of authentication session in cases where timeout is not enough

(4)

Single Sign-on Systems

•  OpenID – open federation

•  Several widely used services such as Google and Yahoo provides OpenID identities to services

•  But anyone can create an OpenID account without verification of identity

•  Shibboleth (based on SAML)

•  Software freely available

•  But requires forming of a federation for cross-organizational SSO

•  Facebook Connect and other similar services offer authentication

•  Centralized authentication for third party applications available

(5)

Single Sign-on

Web Server of the

Service Provider (SP)

Identity Provider (IdP)

Service

(Service)

7) Service and

SP sessions created

5) SSO session created 8) Service response 2) Redirect to IdP 3) Authentication challenge 4) Authentication response 6) Redirect to SP 1) Service request

SP software

(6)

Single Sign-on at Aalto University

•  In Finland, universities have formed a federation called HAKA; and that is joint together with Nordic SSO federation

•  Shibboleth SSO is used to authenticate both staff and students

•  CSC – IT Center for Science operates the HAKA federation and provides the metadata files needed

•  Each university has its own identity provider

•  Some services are common (e.g. library service Nelli),

•  Others are university specific (e.g. study register Oodi that is used by half of the Finnish universities).

•  Moreover, any new service can added to be used within the federation (e.g. CSE department’s own service where students return their assignments)

(7)

Logout in SSO

•  Service session usually ends either when user logs out or a timeout logs her out

•  Logout in SSO systems is not so straightforward – where the user logs out?

•  Only from the service at hand

•  From all services belonging to the same federation and form the Identity Provider (== global logout, single logout)

•  From the service at hand and the IdP, without ending other service sessions

(8)

Logout in SSO in practice

In practice, logout in SSO system can lead to several outcomes: •  Logout in the service application

•  Logout in service provider (SP) service side logout •  Local logout

•  logout in the service and SP

•  Logout in identity provider (IdP) •  Local logout with IdP logout

•  Global logout (single logout)

•  Requires that IdP know to which SPs the user has logged in

•  Partial logout

(9)

Logout Problems

•  User does not know where she has logged out

•  Architectural knowledge of SSO is required to understand logout •  Expectations affects: does the user want to log out from a single

service or from all services?

•  Implementation problems in service side

•  Either service’s own session or SP’s session is left behind – either one is enough to let user back in

•  Cookie management

(10)

Logout in SSO in Practice at Aalto

Logout in practice Consequence Example

Only service session removed

SP session allows user to get back in

Oodi (study register) SP session removed but

service session remains

Service session allows user to get back in, no possibility to contact IdP

Nelli (library service) “You have been

succesfully logged out”

From where? If local logout, user can get back in because IdP session is still active

Wiki (all kind of groups)

Local logout with IdP logout

Other services are still active but new services require

re-authentication

Noppa (course

information) Choosing between local

and IdP logout

Allows user to decide but requires knowledge of SSO

(11)

What users want today?

•  Linden et al. (2005) claim that users of SSO want Single Logout (SLO)

•  However, SSO was new in those days and users were not familiar with the concept

•  Shared computers in libraries should still execute SLO

•  Unclear if this is the case today

•  Users today are more familiar with SSO

•  Users have personal devices such as smart phones and typing in credentials again after logout can be annoying

(12)

Suggested Solutions

•  Unified and standardized process for ending sessions

•  E.g. order of removing the sessions

•  Improving the cookie management in browsers

•  Ending the sessions without closing the browser •  Allowing the IdP to access SP and service cookies

•  Creating a mechanism to check the existence of an IdP session

•  SPs should be able to poll IdP to check if the IdP session is still active

•  Unified user interface for logout

(13)

Questions?

[email protected], [email protected],

[email protected], [email protected]

References

Download now ( PDF - 13 Page - 220.81 KB )

Related documents

esoc SSA DC-I Part 1 - Single Sign-On and Access Management ICD

subjectid represents the user for which attributes have to be retrieved 6.2 OpenAM logout page URL. In addition to the Logout RESTful interface in order to logout from the

Novel R2R3-MYB transcription factors from Prunus americana regulate differential patterns of anthocyanin accumulation in tobacco and citrus

Comparison of the visible phenotypes in the MybA transgenic plantlets and acclimated citrus lines (a) 75 day old in vitro Carrizo regenerated plantlet (control) (b) 75 day old in

Newly-discovered Neanderthal remains from Shanidar Cave, Iraqi Kurdistan, and their attribution to Shanidar 5

The newly-discovered bones include fragments of several vertebrae; a left hamate; part of the proximal left femur and a heavily crushed partial pelvis; and the distal half of

Haas Undergraduate Program Learning Goals, Objectives, and Courses Page 1

B Students will be able to use PowerPower to deliver an effective presentation aimed at solving a business problemX. C Students will learn to use Word effectively to

Anaerobic oxidation of methane by sulfate in hypersaline groundwater of the Dead Sea aquifer

Geochemical and microbial evidence points to anaerobic oxidation of methane (AOM) likely coupled with bacterial sulfate reduction in the hypersaline groundwater of the Dead Sea

OIOSAML 2.0 Toolkits Test results May 2009

This tests that the service provider can be included in the single logout (without being the initiating party). IT-LOA-1 The user accesses a protected resource at the service

The expert-public interface in municipal waste management decision making: exploring opinions from stakeholder groups

Participants debated whether EFW was inconsistent with sustainable waste management. A participant from the waste industry felt that government ought to adopt a more positive

The Construction of Goshute Political Identity: Negotiation of Voice Regarding Nuclear Waste Policy Development

Political narratives of voice (access, standing, and influence) reveal the intricacy and importance of the decision to store nuclear waste on the Skull Valley reservation and