Signing out: more interesting than it looks
When people think about authentication, they focus on sign-in (aka login). Sign-in is the process by which a system verifies who the user or piece of software trying to access protected resources is. Password hashes, SAML assertions, and even account registration are all part of sign-in.
But what about when the process is done and access is no longer needed? This is known as sign-out (or logout or ending the session). And it’s a sticky problem.
This video from the RSA conference, which I previously shared, is a great vendor-neutral overview of what sign-out is, the difficulties in how it has been implemented over the years, and upcoming changes and challenges.
The video is about an hour long, but Vittorio is a great presenter who acknowledges the banality of sign-out and strives to make it interesting.
Distributed sign-out on the web and mobile, where you sign out from multiple applications or identity sources at one time, is a hard problem and only getting harder.
Does that matter to you, as someone who is integrating a CIAM system? It depends (the favorite answer of consultants everywhere).
Does your CIAM system stand alone, offering you a single source of truth for your customer identity and profile data? If so, this doesn't matter too much: there is one session to end, and you control it. You might care about it more if you are hanging commercial off-the-shelf software off your CIAM provider (Zendesk, a forum); make sure they support sign-out correctly, otherwise a user who signs out of your CIAM system can be left signed in to that application. Vimeo is one vendor that I've seen that doesn't offer correct support.
Do you offer federation to other sources of identity for consumers, such as Google, Facebook, Apple or WeChat? This matters more; each provider handles ending a session differently, so you'll want to follow their best practices. Read up on the docs.
Are you in the B2B2E space, where your customers have users of their own, often with enterprise identity sources such as SAML IdPs or OIDC Providers? In this case, you should pay attention. Knowing that users are signed out of business-critical applications when they click that logout button, and that a session ended at the enterprise IdP is also ended in your application, is important to your customers.
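As an added illustration of the OIDC side of that paragraph (example code written for this page, not from the original post or from any CIAM vendor), here is what the two halves of distributed sign-out look like for a relying party: the redirect you send the browser to when the user clicks logout (OpenID Connect RP-Initiated Logout), and the handler that ends local sessions when the OP tells you a user signed out elsewhere (OpenID Connect Back-Channel Logout). The issuer, client_id, session store and HS256 shared key are constructed for the demo so it runs offline; a real OP signs logout tokens with an asymmetric key from its JWKS, so the signature step would use your JWT library's RS256/ES256 verification instead.

```python
"""OIDC RP-Initiated Logout URL builder plus a Back-Channel Logout receiver.

Added example, not the original post's code. ISSUER, CLIENT_ID, SHARED_KEY
and the session store are constructed demo values (assumptions).
"""
import base64
import hashlib
import hmac
import json
import time
import urllib.parse

LOGOUT_EVENT = "http://schemas.openid.net/event/backchannel-logout"

ISSUER = "https://op.example.com"      # demo OP (assumption)
CLIENT_ID = "ciam-demo-app"            # demo RP client_id (assumption)
SHARED_KEY = b"demo-only-hs256-key"    # demo key; real OPs use asymmetric keys


def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def sign_hs256(claims, key):
    """Mint a JWT the way the demo OP would (HS256 only so the example is self-contained)."""
    h = _b64url_encode(json.dumps({"alg": "HS256", "typ": "logout+jwt"}).encode())
    p = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    return f"{h}.{p}.{_b64url_encode(sig)}"


def rp_initiated_logout_url(end_session_endpoint, id_token, post_logout_redirect_uri, state):
    """Where to send the browser when the user clicks Log out (RP-Initiated Logout 1.0).
    post_logout_redirect_uri must be pre-registered with the OP or it will be ignored."""
    return end_session_endpoint + "?" + urllib.parse.urlencode({
        "id_token_hint": id_token,
        "client_id": CLIENT_ID,
        "post_logout_redirect_uri": post_logout_redirect_uri,
        "state": state,
    })


def validate_logout_token(token, key, issuer, client_id, seen_jti, now=None):
    """Verify a logout token per Back-Channel Logout 1.0 section 2.6; return its
    claims or raise ValueError. seen_jti is the RP's replay cache (a set here)."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWT")
    h, p, s = parts
    header = json.loads(_b64url_decode(h))
    if header.get("alg") != "HS256":           # pin the algorithm; never accept alg=none
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p))
    if claims.get("iss") != issuer:
        raise ValueError("wrong iss")
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong aud")
    if not isinstance(claims.get("iat"), int) or claims["iat"] > now + 60:
        raise ValueError("missing or future iat")
    if "exp" in claims and claims["exp"] < now:
        raise ValueError("expired")
    events = claims.get("events")
    if not isinstance(events, dict) or not isinstance(events.get(LOGOUT_EVENT), dict):
        raise ValueError("missing backchannel-logout event")
    if "nonce" in claims:                      # an ID token must not pass as a logout token
        raise ValueError("nonce is prohibited")
    if not (claims.get("sub") or claims.get("sid")):
        raise ValueError("need sub or sid")
    jti = claims.get("jti")
    if not jti or jti in seen_jti:
        raise ValueError("missing or replayed jti")
    seen_jti.add(jti)
    return claims


def logout_token_error(token, seen_jti, now=None):
    """The rejection reason for a token, or None if it is valid."""
    try:
        validate_logout_token(token, SHARED_KEY, ISSUER, CLIENT_ID, seen_jti, now)
        return None
    except ValueError as e:
        return str(e)


def handle_backchannel_logout(token, sessions, seen_jti, now=None):
    """Body of the RP's POST /backchannel-logout endpoint. sessions maps a local
    session id to {"sub": ..., "sid": ...}. A token carrying sid ends only the
    sessions tied to that OP session; a sub-only token ends all of the user's.
    Returns how many local sessions were terminated."""
    claims = validate_logout_token(token, SHARED_KEY, ISSUER, CLIENT_ID, seen_jti, now)
    key, value = ("sid", claims["sid"]) if "sid" in claims else ("sub", claims["sub"])
    victims = [k for k, v in sessions.items() if v.get(key) == value]
    for k in victims:
        del sessions[k]
    return len(victims)
```

The checks that matter in practice are the ones people skip: pinning the algorithm, rejecting any token that carries a nonce (so a stolen ID token cannot be replayed as a logout), and keeping a jti cache so one logout token cannot be replayed. Storing the OP's sid with each local session is what makes the sid path work; without it you can only fall back to ending every session for the sub.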
Dan