Rationale

The purpose of distributed Single sign-on and Single sign-out is to automatically sign the user in to, and out of, multiple different external services (herein: SSO target) when the user signs in to Trivore Identity Service (TIS) via the user interface or OpenID Connect. For example, when a user signs in to https://oneportal.t5.fi, they will also be signed in to https://service1.example.org and https://service2.example.com. Every namespace in TIS can have multiple different external SSO targets, and sign-on to these targets is completely transparent to the user.

...

The HTTP response from the SSO target (in addition to the cookie) should contain a valid image of type jpg, png or ico, 16x16 pixels in size. This image may be shown in the user's browser, depending on the settings.

...

Single sign-out

The Single sign-out procedure is executed when the user signs out from TIS via the user interface or OpenID Connect. In both cases, the user's browser receives HTML <img> elements whose src= attribute points to the SSO target's sign-out URL (meaning that the SSO requests originate from the user's browser, not from the TIS server). When the SSO target receives this sign-out request, it should immediately invalidate the user's session or, at the very least, remove any user-related information from the session. These <img> tags are generated only for SSO targets that have consumed their token; there is no need to sign out from a target that has not consumed its token, because the user is not signed in to that service. All tokens for the current session, consumed or not, are also removed from the database on Single sign-out, which means that they cannot be consumed afterwards.
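The following is an added illustration, not code from TIS or from any SSO target: the TIS side emits one <img> per target whose token was consumed and drops every token of the session, and the SSO target side answers the browser-originated sign-out request by invalidating the session and returning the 16x16 image described above. The in-memory token store, the target URLs and the cookie name are constructed assumptions.

```python
import struct
import zlib
from html import escape

# --- TIS side: hypothetical in-memory token store (the real one is a database) ---
TOKENS = {  # session_id -> per-target tokens (constructed sample data)
    "sess-1": [
        {"target": "service1", "signout_url": "https://service1.example.org/sso/signout", "consumed": True},
        {"target": "service2", "signout_url": "https://service2.example.com/sso/signout", "consumed": False},
    ]
}

def single_signout(session_id):
    """Return the <img> tags for targets that consumed their token; remove all tokens of the session."""
    tokens = TOKENS.pop(session_id, [])     # consumed or not, nothing can be redeemed afterwards
    return [f'<img src="{escape(t["signout_url"], quote=True)}" alt="" width="16" height="16">'
            for t in tokens if t["consumed"]]

# --- SSO target side ---
def png_16x16():
    """Build a valid 16x16 fully transparent PNG in memory, so the handler needs no image file."""
    def chunk(tag, data):
        crc = zlib.crc32(tag + data) & 0xFFFFFFFF
        return struct.pack(">I", len(data)) + tag + data + struct.pack(">I", crc)
    ihdr = struct.pack(">IIBBBBB", 16, 16, 8, 6, 0, 0, 0)   # 8-bit RGBA, no interlace
    raw = (b"\x00" + b"\x00" * 64) * 16                     # filter byte 0 + 16 RGBA pixels per row
    return (b"\x89PNG\r\n\x1a\n" + chunk(b"IHDR", ihdr)
            + chunk(b"IDAT", zlib.compress(raw)) + chunk(b"IEND", b""))

class SsoTarget:
    def __init__(self):
        self.sessions = {}   # cookie value -> user-related data

    def handle_signout(self, cookies):
        """Invalidate the caller's session unconditionally and answer with the image TIS expects."""
        self.sessions.pop(cookies.get("session"), None)   # a missing/unknown cookie is still a 200 + image
        headers = {
            "Content-Type": "image/png",
            "Cache-Control": "no-store",   # the browser must actually hit the endpoint, not a cached image
            # The request is a cross-site <img> fetch, so the session cookie only travels with it
            # if it was issued with SameSite=None; Secure. Clear it with the same attributes.
            "Set-Cookie": "session=; Max-Age=0; Path=/; Secure; HttpOnly; SameSite=None",
        }
        return 200, headers, png_16x16()
```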
