On Fri, Oct 18, 2013 at 02:16:00PM +0100, Jon Warbrick wrote:
> On Fri, 18 Oct 2013, Matthew Slowe wrote:
>
> >1) It's hard
> >2) Not everything supports it
> >3) It often doesn't work anyway
> >4) When it does work users get confused
> >
> >None of which is really a reason not to do it, in my opinion :-)
>
> I think you missed
>
> 5) People disagree what 'It' is
I concede a shameful omission :-)
> By which I mean that people disagree what they mean by 'single
> logout'. From a single site (in which case the IdP will probably log
> you back in automatically)? from one site and the IdP (in which case
> you may be surprised when other sites continue to work)? or from
> everything (which may lose that half-completed email in another
> window...)?
>
> In my experience, owners of particular sites often think only in
> terms of their own site and so concentrate on users' interaction
> with that, and perhaps the IdP. What they miss is that users may
> well be logged in to multiple sites and the effect this has on their
> experience.
Yes, getting new internal SPs to understand that there is a world beyond
their trust of an IDP can be tricky so getting 3rd party once-removed
SPs understanding it seems to be nigh-on impossible.
It doesn't help that the Shib IDP doesn't make it "easy". We use
SimpleSAMLphp as a local IDP and, although it has a few minor "issues"
with SLO, it does seem to work (from a purist "LOG ME OUT OF EVERYTHING
RIGHT NOW" perspective).
> I agree that this isn't a reason not to do it, but we need to be
> sure we agree what we mean by 'it'.
The paragraph in SLOIssues about "Communicating SLO" bashes that one
quite well.
--
Matthew Slowe
Server Infrastructure Team e: [log in to unmask]
IS, University of Kent t: +44 (0)1227 824265
Canterbury, UK w: www.kent.ac.uk