Logout in single sign-on systems: Problems and solutions

Abstract

Web single sign-on (SSO) systems enable users to authenticate themselves to multiple online services with one authentication credential and mechanism offered by an identity provider. The topic is widely studied and many solutions exist. However, logging out of a service using SSO has received less attention. While previous studies note that users want single logout when using SSO, most of the existing services do not offer it, and the identity providers do not even keep track of the open sessions. This article describes challenges related to logout in federated identity management and analyzes unexpected behavior in logout situations. The examples are from the Shibboleth SSO system. Based on the analysis, we give guidelines for implementing reliable logout and describe a polling-based solution for creating a system-wide logout mechanisms that only requires minor changes to the existing code and does not burden the identity provider excessively. In addition to the system-wide logout, our solution gives users the option to log out of only one service. A usability test was conducted to evaluate the solution. The results show that the users liked the ability to choose between the two logout options, but they did not understand the words used to describe them. Another observation was that a majority of the users do not log out of the services at all; they just close the browser window, which should be taken into account in the design of web SSO systems.