Single SignOn is easy, Single Signout is not

Single Sign In relies on the token issuer holding on to a cookie, which tells it about the user identity after the first signin. The issuer can then respond to a new signin request in whatever protocol it comes in (WSFed, SAML, OpendIDConnect, etc.). Single Signout requires that the token server holds both a list of applications to which it had issued tokens and what protocol to use to send them the signout request (a user may have signed in to different applications using different protocols). Both WsFed and SAML defines such protocols, OAuth2 and OpenIDConnect define some approaches but most of them do not result in a signout from all applications (part of the problem is that the latter protocols cannot rely on the presence of a browser listening for such messages after initial signin). Even when using WsFed or SAML it is possible to sequence the signin requests from two applications in such a way that the STS ends up holding a reference to only one of them. The short of it is: single signout may not work.

A possible solution is to pass all requests through some additional server proxy which holds the user signin status but that’s not very scalable.

For now it seems the best option is NOT to create an impression that the user is signing off from all their applications at once. Rather,┬ádisplay an appropriate message in the post-signout screen (e.g. ‘You have been signed out from this application only. Consider closing the browser to signout from all applications’).


Leave a comment