IEEE Access (Jan 2020)
Single Sign-On: A Solution Approach to Address Inefficiencies During Sign-Out Process
Abstract
In a Single Sign-On (SSO) environment, an Identity Provider (IDP) authenticates a user for the first Service Provider (SP). The IDP creates an active IDP session and stores its information in the user's web browser. Each SP also creates and maintains one active service session. Using state-transition diagrams, we illustrate the sign-in and sign-out processes. An information security vulnerability arises because users are unaware of the active IDP session in their browser and sign out only from the SP sessions. One solution to this problem is educating users. Another is to implement SSO so that the IDP session is terminated as soon as the user signs out from all services that the IDP authenticated. The first solution appears simple, but educating millions of web-based SSO users worldwide is practically impossible. The second solution is better because one good implementation solves the problem for all users. In this article, we propose several solutions for terminating the hidden active IDP session. We also review the storage methods commonly used to store SP and IDP session information in browsers. Moreover, we propose a browser extension for conveniently and efficiently managing active SP and IDP sessions; for it, we recommend IndexedDB browser storage for holding active session information. We believe our proposed browser extension is a simple but efficient solution for eliminating the hidden active IDP session.
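The sign-out problem the abstract describes, modelled as an added example (not the paper's extension or code): a tracker keeps one record per IDP with the set of SP sessions it authenticated, contrasts the naive SP-only sign-out that leaves a hidden IDP session with the proposed sign-out that ends the IDP session once no SP session remains, and can list hidden IDP sessions. A plain `Map` stands in for the IndexedDB store the extension would use (assumption).

```javascript
// Models the SSO sign-in/sign-out state transitions described in the abstract.
// The in-memory Map is an assumed stand-in for a browser IndexedDB store.
class SsoSessionTracker {
  constructor() {
    this.idps = new Map(); // idpId -> { active: boolean, sps: Set<spId> }
  }

  // IDP authenticates the user for an SP: the IDP session becomes active
  // (created on first use) and one service session is recorded for the SP.
  signIn(idpId, spId) {
    let rec = this.idps.get(idpId);
    if (!rec) {
      rec = { active: true, sps: new Set() };
      this.idps.set(idpId, rec);
    }
    rec.sps.add(spId);
  }

  // The inefficiency: only the SP service session ends; the IDP session
  // silently stays active in the browser.
  signOutSpOnly(idpId, spId) {
    const rec = this.idps.get(idpId);
    if (!rec || !rec.sps.has(spId)) return false;
    rec.sps.delete(spId);
    return true;
  }

  // Proposed behaviour: end the SP session, then terminate the IDP session
  // as soon as no service session authenticated by that IDP remains.
  signOut(idpId, spId) {
    if (!this.signOutSpOnly(idpId, spId)) return false;
    const rec = this.idps.get(idpId);
    if (rec.sps.size === 0) {
      rec.active = false;
      this.idps.delete(idpId);
    }
    return true;
  }

  // Hidden sessions: IDP still active although every SP session has ended.
  hiddenIdpSessions() {
    return [...this.idps.entries()]
      .filter(([, r]) => r.active && r.sps.size === 0)
      .map(([id]) => id);
  }

  isIdpActive(idpId) {
    const rec = this.idps.get(idpId);
    return rec !== undefined && rec.active;
  }
}
```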
Keywords