• State Verified Answer
  • Replies 1 reply
  • Subscribers 47 subscribers
  • Views 888 views
  • Users 0 members are here
Options
Related

Implementing a Log Out Feature

Patrick Grogg

I was requested to implement a log out feature and I noticed that there is no logout method in any of the SDL services.  My thought was to just blow away the authentication token on the client.  But, it is not in any cookie that I can see that will allow be to blow it away.

Any thoughts on how to implement this feature?

Thanks in advance
Rate translation
×
Suggest better translation
×
Parents
  • 0
    Hi Patrick,
    The reason Knowledge Center does not implement Log out is because even within the WS Federation it is unclear what it means.

    Let me give you an example in context of Single Sign On.
    My browser is logs in to Service Provider 1 (SP1). To do that it logged in to the STS.

    If I try to logout from the SP1 then do I also logout from STS? If I don't then next request to SP1 will automatically execute the authentication flow with STS where I'm already authenticated. From the user's standpoint it didn't really feel as logging out.

    To make matter more complicated. Lets assume you browser is also logged in with SP2 and you found a way to force log out from both the SP1 and STS. What about SP2? You are still logged in. To expand the discussion, what happens to any session with any SP that is authenticated through the same STS? Can you force a chained action? What about the SP that you do now know about.

    These are the problems we had to face and we didn't get a clear an answer from the WS Federation protocol although there is a sign out option.
    I hope this insight helps you understand our choice and help you decide if you should proceed with your task.

    In general, if you remove the cookies from a request then you remove the link to the session, effectively rendering the request anonymous.
Reply
  • 0
    Hi Patrick,
    The reason Knowledge Center does not implement Log out is because even within the WS Federation it is unclear what it means.

    Let me give you an example in context of Single Sign On.
    My browser is logs in to Service Provider 1 (SP1). To do that it logged in to the STS.

    If I try to logout from the SP1 then do I also logout from STS? If I don't then next request to SP1 will automatically execute the authentication flow with STS where I'm already authenticated. From the user's standpoint it didn't really feel as logging out.

    To make matter more complicated. Lets assume you browser is also logged in with SP2 and you found a way to force log out from both the SP1 and STS. What about SP2? You are still logged in. To expand the discussion, what happens to any session with any SP that is authenticated through the same STS? Can you force a chained action? What about the SP that you do now know about.

    These are the problems we had to face and we didn't get a clear an answer from the WS Federation protocol although there is a sign out option.
    I hope this insight helps you understand our choice and help you decide if you should proceed with your task.

    In general, if you remove the cookies from a request then you remove the link to the session, effectively rendering the request anonymous.
Children
No Data