- From: Tim <tim-projects@sentinelchicken.org>
- Date: Thu, 7 Jan 2010 14:29:19 -0800
- To: Albert Lunde <atlunde@panix.com>
- Cc: ietf-http-wg@w3.org
> This tends to be a problem that relates to application sessions
> as much as to HTTP protocol-level authentication. It seems to be
> possible to solve at the level of a single application, and
> hard to solve at the next level of federated authentication.

Ok, I suppose things might get complicated at a SSO/federated level. The vast majority of applications don't currently need to worry about this. I guess it's important to think about in relation to digest authentication though, since it does support SSO-like features.

> Thus the Shibboleth project is periodically explaining why they
> don't provide single logout:
>
> <https://spaces.internet2.edu/display/SHIB2/SLOIssues>
>
> <https://wiki.brown.edu/confluence/display/CISDOC/Shibboleth+and+Application+Logout+Best+Practices>
>
> The varied way that different HTTP clients handle cookies,
> Kerberos tickets, and other authentication credentials probably
> makes it harder to manage.
>
> Web Single-Signon systems seem to depend on gimmicks outside the
> scope of HTTP as such, in order to work with existing web
> browsers.

Sounds complicated... I'll have to read up on it more.

tim

Received on Thursday, 7 January 2010 22:29:47 UTC