Logout interfaceLogging in is simple.  Getting out is simple, you just close your browser.  Unless you wanted to explicitly log out, or you needed to log out from just one application and keep the other applications working. Another issues is related to closing all browser windows, this sounds easy to do, but can be too difficult for some users.

Andreas implemented a nice user interface for single log out in SimpleSAMLphp, as shown on the right.

A surprising high number of users (8-10%) started using the SLO functionality when this was enabled in March 2009. If this number continues to stay high as we move from pilot in a selected user group to the broader audience in education remains to be seen.

Our main motivation behind the SLO interface was to offer a way to log out from one specific application where the licensing scheme was based on payment per  user logged in at the same time.  This motivated us to find a way to log out from that system, while keeping the other sessions with service providers alive.  If we demanded a global log-out, the end users would loose their work flows in all applications within the single sign on domain.  Not using federated log-out would simply give the user a SSO session in to the application for example at a browser refresh, and this without the user knowing and being able to control the situation.

User testing provided useful feedback, and we ended up with a page as displayed above.  If log-out fails from any application (as it sometimes does with HTTP redirect when a server goes down), this is indicated with a warning sign next to the service.  All successful log-outs are marked with green.  The user is advised to explicitly close all browser windows if log-out fails.

Making the end user aware of what applications he is logged in to, is part of the awareness raising for greater security. On the other hand, we do not want to drown the user in information, because than we end up in the Click-OK-to-continue syndrome.  The minimum information required is the names of the services and some graphic indicators of login/log-out situation.

More information about the technical implementation is available in My thoughts about SLO by Andreas Åkre Solberg, and in the SimpelSAMLphp documentation.

Advertisements