What Does “Logout” Mean?

From IIW

Wednesday 5H

Convener: Annabelle

Notes-taker(s): William Denniss

Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps:

  • By “logout” do you mean the user is clicking a “logout” button? Where is that button: on the RP, or on the OP?

  • Can we kill logout?
  • Consumer vs enterprise.  Different behaviors in each environment.
  • “End this session” vs “End all sessions”
  • Step-up auth. Amazon has a system where you can perform sensitive actions after sign-in/reauth, that expire after a time, but the user is still logged-in and can view less sensitive features like wishlists, etc.
  • Logged out / logged in – sometimes the state is carried, but users may think they’re being tracked
  • User expectations vs service expectation – users might not realize that there is always a session cookie whether it’s logged out or not.
  • What is the intent of logging out? Is the user trying to clear all remnants of their data (e.g. at an internet cafe), or are they just trying to switch accounts?

  • Anecdote: a hospital app had a 15-minute logout policy, so they hired an intern to go around and press the control key to keep the machines logged in. As a result every terminal was always unlocked, and they had less security than if they hadn’t had the logout policy.
  • User question: when I log out, does it mean I’m logged out everywhere?
  • When you use federated login and then log out of the RP, you’re still logged in to the IDP! That can be a surprise.

By the same token, the user may be surprised if they logged into a second RP and had to sign in again.

  • Amazon’s IDP doesn’t save login state when you do an RP-initiated login.

  • Amazon’s IDP implementation has no SLO (Single Log Out) communication between the RP and IDP for logout events. One reason is that you’d have to ask the RP to implement it, and we don’t know what experience the RP would have.
  • Lock after inactivity would be better than logging out, as you wouldn’t lose the session state (e.g. Schwab).
  • Desktop SSO – when you close the client, what does it mean? I just want to kill the client to avoid getting notifications that interrupt my call – but sometimes these apps will stay in the background and continue notifications.
  • Session used to mean something: users were instructed to close the window when they were done, but then along came Chrome.
  • Incognito windows and profiles – new approaches to data management, to kill all traces of a user / segregate data into the different users that share a device
  • Users may need to be able to signal their intent to stay logged in, but then those buttons are confusing and don’t always work.

  • When you log out of an RP, what does that mean for the IDP session? When you log out of an IDP, what does it mean for the RP? Do you want a “side effect” of signing in to an RP?

  • Layers of logins:

    RP  <- log out here and you’ll get logged back in automatically by the next layer down
    IDP
    SSO
    Desktop Session

  • Legitimate cases for trusted logout (e.g. a violated security policy) should go via the back channel.
  • Should the RP have an “emergency button” to signal full logout everywhere? The front-channel spec has facilities for user confirmation of this.

  • Lots of skepticism for the ability of an RP signal to log the user out of other locations.  “Single sign-out works well until it doesn’t”
  • Should an auth context switch happen at the IDP (e.g. multi sign-in at Google)? What does that mean for RPs if the auth context switch happens at the IDP?

  • How much mileage can we get from teaching users to log out where they logged in?
  • Device-centric user experiences: why log out at all? Segregate data through device management. In the internet cafe situation, “I want to click on one button and kill everything”, not be a janitor and go around logging out everywhere.
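As an added example (not from these notes, nor code from any of the products mentioned): a small Python model, with constructed session state, of the “layers of logins” point above and of the trusted back-channel logout the notes prefer. An RP-local logout leaves the IdP session alive, while a logout token arriving on the back channel is checked against the claim rules of OpenID Connect Back-Channel Logout 1.0 and then ends the matching RP sessions. Signature verification of the token is assumed to have been done by a JWT library beforehand; the issuer and client id values are made up.

```python
import time
BACKCHANNEL_EVENT = "http://schemas.openid.net/event/backchannel-logout"

# Constructed state: RP session id -> (sub, sid); IdP sessions kept separate.
rp_sessions = {}
idp_sessions = set()

def login_via_idp(rp_session_id, sub, sid):
    """Federated sign-in: both the IdP session and the RP session come alive."""
    idp_sessions.add(sid)
    rp_sessions[rp_session_id] = (sub, sid)

def rp_local_logout(rp_session_id):
    """The RP's 'logout' button ends only the RP session; the IdP session is
    untouched, so the next RP visit signs the user straight back in."""
    _sub, sid = rp_sessions.pop(rp_session_id)
    return {"rp_session_ended": True, "idp_session_alive": sid in idp_sessions}

def validate_logout_token(claims, issuer, client_id, now=None):
    """Claim rules for a Back-Channel Logout token (signature assumed verified
    already). Returns (sub, sid); raises ValueError on any violation."""
    now = time.time() if now is None else now
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if claims.get("iss") != issuer or client_id not in aud:
        raise ValueError("iss/aud mismatch")
    if "iat" not in claims or "jti" not in claims:
        raise ValueError("iat and jti are required")
    if "exp" in claims and claims["exp"] < now:
        raise ValueError("logout token expired")
    if "nonce" in claims:  # must not be mistakable for an ID Token
        raise ValueError("logout tokens must not contain nonce")
    if BACKCHANNEL_EVENT not in (claims.get("events") or {}):
        raise ValueError("missing backchannel-logout event")
    if "sub" not in claims and "sid" not in claims:
        raise ValueError("sub or sid is required")
    return claims.get("sub"), claims.get("sid")

def handle_backchannel_logout(claims, issuer, client_id, now=None):
    """Trusted logout on the back channel: end every RP session bound to the IdP
    session (sid), or all of the user's sessions when only sub is given.
    Returns the RP session ids that were terminated."""
    sub, sid = validate_logout_token(claims, issuer, client_id, now)
    doomed = [s for s, (u, i) in rp_sessions.items()
              if (i == sid if sid is not None else u == sub)]
    for s in doomed:
        del rp_sessions[s]
    idp_sessions.discard(sid)
    return sorted(doomed)
```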