Universal logout is a hot topic today for one simple reason: it is important. Single Sign-On (SSO) has taken over in recent years as a method of reducing login strain and improving security while maintaining usability. In an age of passwords and data breaches, SSO has always been seen as the next logical step. Now that we’ve taken that step, the question becomes: where do we go from here? The answer is simple: we’ve secured logins, so let’s go ahead and secure session integrity and termination by signing out of all accounts with Universal Logout.
Why Would I Want Universal Logout?
Universal logout sounds like a grand idea – log me out of everything that I’ve used SSO to get into, and keep the bad guys from hijacking my session – but the real benefit goes much deeper. As noted by researchers at Aalto University in Finland, “…users of SSO systems expect single Logout”. The real problem, however, is that not all SSO systems support what we consider Universal Logout. Universal Logout will address a need that users already assume is being taken care of – a dangerous assumption.
All things considered, the closest existing implementation to true Universal Logout is SAML Single Logout (SAML SLO). This feature is most commonly seen alongside industry-standard protocols (SAML, Shibboleth, and even CAS). However, SAML SLO has one major flaw: not all parties involved support the feature. When a Service Provider does not support SAML SLO, the logout request cannot be forced, and that session remains open and vulnerable. The IdP is not aware of this failure, however, and terminates its own session regardless.
It is because of this weakness that Universal Logout is necessary in the modern authentication environment.
Okay, so what IS Universal Logout?
Universal logout is conceptually simple: the Identity Provider initiates the logout manually from each Service Provider with an active session. This removes the requirement for ‘support’ of a new feature, and places the emphasis on security.
Universal Logout, at its most basic, is an effort to address the rising risk associated with a modern SSO landscape. As users evolve to take advantage of a secure but usable interface, attackers are finding more ways to prey on users who either ignore or simply don’t think to address active SSO sessions. In practice, SSO takes advantage of several browser cookies to provide a usable environment for end users to work in. Among these cookies, session cookies are used to keep sessions open once a user has authenticated through an IdP for SSO. Typically, users log out of the IdP and assume that is the end of it. However, in those cases the individual service session cookies remain valid until they expire – the service never actually performed a logout. Hijackers can then use this active session to impersonate end users. The rest, as they say, is history.
Universal Logout addresses this potential vulnerability by terminating session cookies for open services when the IdP session is terminated – effectively forcing the logout of any active service.
Current SSO providers allow modification of the lifetime of session cookies to mitigate this risk, but this still puts the onus on the administrator. With this next step in authentication, the system will do all of the heavy lifting to enforce Universal Logout and secure user sessions.
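The difference between fire-and-forget SAML SLO (the flaw described above) and IdP-driven Universal Logout, as an added model that is not part of the original post: the `ServiceProvider`, `IdentityProvider`, `supports_slo` and `reachable` names are assumptions for illustration, and the SPs and session ids are constructed sample data.

```python
from dataclasses import dataclass, field


@dataclass
class ServiceProvider:
    name: str
    supports_slo: bool          # does this SP implement SAML SLO at all?
    reachable: bool = True      # constructed: can the IdP reach it right now?
    sessions: set = field(default_factory=set)   # session cookies it honours

    def handle_slo_request(self, session_id):
        # A SAML LogoutRequest only takes effect if the SP implements SLO;
        # otherwise it is ignored and the session cookie stays valid.
        if not (self.supports_slo and self.reachable):
            return False
        self.sessions.discard(session_id)
        return True

    def revoke(self, session_id):
        # IdP-initiated termination (e.g. via an identity proxy or admin hook).
        if not self.reachable:
            return False
        self.sessions.discard(session_id)
        return True


class IdentityProvider:
    def __init__(self):
        self.active = {}  # user -> list of (ServiceProvider, session_id)

    def login(self, user, sp, session_id):
        sp.sessions.add(session_id)
        self.active.setdefault(user, []).append((sp, session_id))

    def saml_slo_logout(self, user):
        # Fire-and-forget: the IdP drops its own session record regardless
        # of whether each SP acted, so it never learns what is still open.
        for sp, sid in self.active.pop(user, []):
            sp.handle_slo_request(sid)

    def universal_logout(self, user):
        # The IdP terminates each SP session itself and keeps the record of
        # any it could not reach, so a failure is visible instead of silent.
        still_open = []
        for sp, sid in self.active.get(user, []):
            if not sp.revoke(sid):
                still_open.append((sp.name, sid))
        self.active[user] = [(sp, sid) for sp, sid in self.active.get(user, [])
                             if sid in sp.sessions]
        return still_open
```

The return value of `universal_logout` is what an administrator or the user would be shown; under SAML SLO the equivalent information never exists.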
What the Future Looks Like
SSO was a great step for access control and authentication. In an age clamoring for the ‘death of the password’, SSO was able to take that drive and refocus it to fit the changing environment – blending both the old and the new. With any innovation, however, come risks that require resolution before too much time has passed. The current SSO landscape offers only intermittent methods of addressing the risks of open sessions, and inconsistent support is the greatest enemy.
The future looks to take another great step with the use of an Identity Proxy to enforce Universal Logout. This upgraded Identity Provider will be utilized to integrate with more services – including those that do not support standard industry protocols. In addition to this support, the Proxy will utilize Universal Logout to manage the termination of all active sessions and prevent hijackers from sneaking in behind the scenes.
Having a universal logout to sign out of all accounts is one step for usability, and one large leap for security in an evolving authentication landscape.