UX of no Logout in Single Sign On

Tuesday – Session 3 - F

Convener: Judith Bush

Notes-taker(s): Judith Bush

A. Tags for the session - technology discussed/ideas considered:

SSO, Single sign out, logout, close the browser

B. Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps:

Ideally a user will close their browser to securely terminate all SSO sessions. Single Logout has many UX issues that make actually implementing problematic. However, users who may be using public or shared computers need to securely terminate but may not know that closing the browser is the best way: they expect a logout.

Stanford has gone over ten years in their heterogeneous application environment and their Kerberos/Shib SSO environment. Student will come out of these environments trained to close the browser (not just the tab ot the window)> How to train others?

Offer a "logout" button that redirects the user back to a specific page of their IDP. SAML 2.0 (or shib) may have a page for this use specified.

Alan Karp suggests that close tab as well as "logout" would send user back, continuing the education action, and suggests that unguessable URLs be used for personal machines.

Steve Williams thinks single sign on (one entrance of credentials for a day) is a bug.