Saturday, October 13, 2007

Local logout in federation - confirmed standpoint


After my last post, "Local logout in federation - a good choice for mandatory feature to E-Authentication?", I wondered whether others had written about local logout. I found a paper from XML Conference 2005, "Case Study: Use of Liberty Federated Network Identity in an Enterprise Outsourcing Environment" [PDF], presented by Yvonne Wilson, Sun IT Strategy & Architecture (the slides from the presentation [PDF]). In section 9.6, Logout [HTML] (my bold):

In a federated network identity environment with single signon, two logout options are possible. A service provider may provide a 'local' logout link, which terminates the user's session in the service provider's infrastructure only. Alternatively, the service provider and/or the identity provider can provide a 'global' logout link, which terminates the user's session in the identity provider's infrastructure as well. Use of local logout may be confusing to users because their identity provider session remains intact, allowing them to access without login an application from which they just logged out. Providing both a local logout and a global logout link may be confusing to users who don't understand the difference between them. Therefore, it is recommended to use only a global logout link.

I agree and can't figure out why it ended up in even the second version of E-Authentication, but maybe I'll discover some day.
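
The behaviour the quoted section describes, as an added example that is not from the paper or this post: a simplified in-memory model of one identity provider and one service provider, showing that a local logout is undone by the next single sign-on while a global logout is not. It does not implement Liberty ID-FF or SAML messages; the class names, method names, the "sp-app" provider and the user "alice" are all hypothetical.

```python
import secrets

class IdentityProvider:
    def __init__(self):
        self.sessions = {}   # IdP session id -> user
        self.providers = []  # federated service providers

    def login(self, browser, user):
        browser["idp"] = secrets.token_hex(8)
        self.sessions[browser["idp"]] = user

    def assert_identity(self, browser):
        # Single sign-on: vouch for the user while the IdP session lives.
        return self.sessions.get(browser.get("idp"))

    def global_logout(self, browser):
        user = self.sessions.pop(browser.pop("idp", None), None)
        for sp in self.providers:  # propagate to every SP
            sp.terminate_user(user)

class ServiceProvider:
    def __init__(self, name, idp):
        self.name, self.idp, self.sessions = name, idp, {}
        idp.providers.append(self)

    def access(self, browser):
        if browser.get(self.name) in self.sessions:
            return "existing session"
        user = self.idp.assert_identity(browser)
        if user is None:
            return "login required"
        browser[self.name] = secrets.token_hex(8)
        self.sessions[browser[self.name]] = user
        return "silent sso"

    def local_logout(self, browser):
        # Ends the SP session only; the IdP session is untouched.
        self.sessions.pop(browser.pop(self.name, None), None)

    def terminate_user(self, user):
        self.sessions = {s: u for s, u in self.sessions.items() if u != user}

def demo():
    idp, browser = IdentityProvider(), {}
    sp = ServiceProvider("sp-app", idp)
    idp.login(browser, "alice")          # constructed user
    first = sp.access(browser)
    sp.local_logout(browser)
    after_local = sp.access(browser)     # no login prompt
    idp.global_logout(browser)
    after_global = sp.access(browser)
    return first, after_local, after_global
```

On a shared workstation the middle result is the one that matters: whoever uses the browser next gets back into the application without authenticating.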