An open discussion list for topics related to the eduGAIN interfederation service.

[Peter Brand <peter.brand AT univie.ac.at>]

Andreas,

* Andreas Theodorou <andreas.theodorou AT cynet.ac.cy> [2023-06-30 09:58]:
> The issue arises when a user logs out of the system and then
> attempts to log in again. Instead of being prompted for his email
> and password, the user is automatically logged in without any
> authentication prompts.

Logs out where and logs out how? The Shibboleth IDP software (because
you mentioned this specifically but the issue goes well beyond this)
does support SLO these days (it didn't always) but that's not worth a
lot when hardly any SAML SP does.

(This old page illustrates some of the technical requirements for SLO
to work reliably. A pretty much universal lack of deploying the
methods required to support backchannel logouts is also the reason
we'll never be able to use this across the SPs available via eduGAIN:
https://shibboleth.atlassian.net/wiki/spaces/CONCEPT/pages/928645229/SLOIssues)

Also, current trends from browser vendors (wrt 3rd party cookies; here
mostly to inform the subject from the IDP's web site what SPs it was
able to successfully log you out from) will also make the existing
support much harder or impossible going forward.

I.e., the expectation that SLO works and does so reliably everywhere
is unrealistic.

And having any form of logout available that's *not* reliable means
you'll have to clearly communicate to the subject what to do about it
when you're only logged out of one service out of a list of mayne a
dozen you logged in earlier -- which mostly leaves "close the browser"
as the sole and simplest which, of course, is also what people would
do if no logout at all were offered at all. (I.e., your "plan B" also
takes care of the "plan A" if you ever had one.)

Therefore some people, including myself, think this is a lost cause
and federations have stopped at working SSO integrations with both
IDPs and SPs and therefore working SLO was never part of any
requirements or acceptance tests.
To me there are only very few things one can do about this, none
having to do with configuration files on your Shibboleth IDP:

* For shared computers, labs, kisok computers, etc. under your control
  you need to make sure those have a large, friendly button that
  allows to terminate the whole OS session including any and all
  applications running which also wipes any local state.  Plus maybe a
  sign on the monitor to make sure to end your session that way.
  (Only) If you give people a chance to "log out" from everything that
  way you can make them responsible for not having done so (including
  any potential misuse of their data).
  (For shared maschines not under your control it's probably best to
  advise people from avoiding those for security reasons: If there's a
  chance any "state" from previous users remains on that machine you
  probably shouldn't be entering your credentials on such a machine as
  there might be resident malware lurking.)

* For personal devices (user-specific PC, laptop, mobile devices,
  etc.) I don't see a need to ever log out of web sites: Most of these
  devices will have *other* state (and data) from other applications
  completely unrelated to federated WebSSO that will need protection
  from prying eyes.  The simple solution to both problems -- besides
  never giving your personal device to someone else to use
  unattended -- is to lock your complete device, not log out of some
  web applications. Not only does this make for better security
  (protects more data; doesn't require a new skill to learn) it also
  makes the SLO issue moot.

* Make it a habit for yourself and document this clearly for others to
  start a "private browsing session" / "incognito browser instance"
  *before* doing any work you'd like to be able to "log out" from
  later easily, including when handing your laptop over to a colleage
  for a short time (while you're still close in order to prevent them
  from reading, copying or modifying other, possibly very private,
  data may have stored on that machine).

HTH,
-peter