Comment 8 for bug 451336

Stuart Metcalfe (stuartmetcalfe) wrote : Re: Need to redirect back to the consumer after logout

Here's a simplified spec following review with newz:

Action path: /+logout

Required query string params:

 * return_to=<URL>. If <URL> doesn't exactly match a known trust root (with auto-redirect enabled - this is how we're defining full SSO sites), the user will see the same result as if the params weren't passed (currently that they are logged out but will stay on the SSO site and are notified of the logout). The same will happen if HTTP_REFERER is sent by the browser; its hostname must also match <URL>'s hostname. The return will not fail if HTTP_REFERER is undefined; it's just an extra check if available.

Logout behaviour for valid requests:

Assumptions:

 * trusted sites can have long sessions. Let's say up to 365 days.
 * non-trusted sites have a shorter session lifetime of up to 30 days.

(both session lifetime values should be globally configurable on SSO)

On logout from an external site, the following content is displayed """

You have been logged out.

<big>Return to <sitename> (link to return_to)</big>

----

You have also used these sites recently:

 * <sitename/URL>

"""

<sitename/URL> is a list of all sites (trusted and non-trusted) accessed within the defined session durations, sorted by date order (most recent first), except for the requesting site. Trusted sites display the printable name. Non-trusted sites display the trust root. Both are links to the trust root which opens in a new window/tab. If the user isn't logged in to other sites, this list isn't displayed.

Assume the user isn't logged in to other sites if they:

 * have only logged into the requesting site (and no other trusted sites) within the defined session duration for trusted sites.
 * haven't logged in to a non-trusted site within the defined duration for non-trusted sites.

If a user doesn't have an active SSO session, we don't display the "You have been logged out" message or the list of links but we do display the link back to the requesting site.

Rationale for changes:

 * Removed uid param: although it brought some additional verification, it also complicated the implementation significantly due to a number of edge cases. The end result was additional potential confusion for the user which outweighed the benefits.
 * Removed automatic redirection when user has only ever used one service: this was the primary reason for the uid param. By removing this, it was easier to justify removal of the param. The user will have seen the SSO service before when they signed up so this shouldn't be a confusing experience for them. Logout from a remote site is now a consistent experience and should build trust in the SSO brand.
 * Moved the list of recent sites below the logged out message: visually associating the logged out message with the list of other sites when we aren't actually logging the user out of them could be confusing to users. By separating them in this way, we reduce the association to a more informational list.
 * Only display the list of recent sites to users who are logged in and don't try to determine a different user: this was simplified by removing the uid param. We don't need to attempt to match a different user. If the user has more than one account, they are likely a more advanced user and can probably make their own decisions about sites they've used.
 * Added the case for a user not having an active SSO session: we needed to handle this case in a non-confusing way without breaking the primary use case but we didn't want to indicate something which hasn't happened (i.e. the user hasn't been logged out because they weren't logged in, but they may still want to return to the referring site).
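The return_to / HTTP_REFERER check and the "recently used sites" list from the spec above, as an added Python sketch that is not part of the bug discussion or the SSO codebase; the trust-root registry, site names and login records are constructed sample data.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Globally configurable session lifetimes from the spec.
TRUSTED_SESSION_DAYS = 365
UNTRUSTED_SESSION_DAYS = 30
# Constructed trust-root registry (hypothetical sites, not real SSO data).
# "Trusted" (full SSO) means a known trust root with auto-redirect enabled.
TRUST_ROOTS = {
    "https://shop.example.com/": {"name": "Example Shop", "auto_redirect": True},
    "https://wiki.example.org/": {"name": "Example Wiki", "auto_redirect": True},
    "https://legacy.example.net/": {"name": "Legacy App", "auto_redirect": False},
}
def is_trusted(trust_root):
    root = TRUST_ROOTS.get(trust_root)
    return root is not None and root["auto_redirect"]
def valid_return_to(return_to, referer=None):
    """Exact trust-root match; Referer hostname must agree when it is sent."""
    if not is_trusted(return_to):
        return False  # unknown or not a full SSO site: treat as no params
    if referer is not None and urlsplit(referer).hostname != urlsplit(return_to).hostname:
        return False  # Referer sent, but from a different host
    return True  # missing Referer is fine: it is only an extra check
@dataclass
class SiteLogin:
    trust_root: str
    last_used: datetime
def recent_sites(logins, requesting_root, now):
    """Other sites used inside their session window, most recent first."""
    kept = []
    for login in logins:
        if login.trust_root == requesting_root:
            continue
        trusted = is_trusted(login.trust_root)
        window = timedelta(days=TRUSTED_SESSION_DAYS if trusted else UNTRUSTED_SESSION_DAYS)
        if now - login.last_used > window:
            continue  # session expired for that class of site
        # Trusted sites show their printable name, non-trusted ones the trust root.
        label = TRUST_ROOTS[login.trust_root]["name"] if trusted else login.trust_root
        kept.append((login.last_used, label, login.trust_root))
    kept.sort(reverse=True)
    return [(label, root) for _, label, root in kept]

# Constructed sample data: four logins seen at a fixed "now".
SAMPLE_NOW = datetime(2010, 1, 1)
SAMPLE_LOGINS = [
    SiteLogin("https://shop.example.com/", SAMPLE_NOW - timedelta(days=1)),
    SiteLogin("https://wiki.example.org/", SAMPLE_NOW - timedelta(days=100)),
    SiteLogin("https://legacy.example.net/", SAMPLE_NOW - timedelta(days=10)),
    SiteLogin("https://old.example.net/", SAMPLE_NOW - timedelta(days=40)),
]
```

With the sample data, a logout from the shop lists the legacy site (by trust root, since it is not a full SSO site) and then the wiki (by name), while the non-trusted site last used 40 days ago has fallen outside its 30-day window.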