Security

When you log into any SSO-enabled services you can principally access any other SSO-enable services without entering your credentials. Therefore, it is critical to log out and close your browser before you leave your workstation.

Why do I have to close my browser before I leave?

Once you log out from the SSO service a new session will require your central username and password. However, some services may still keep your already established sessions active. For security reasons it is essential to close your web browser before leaving your workstation.

From the perspective of single logout there are two types of SSO-enabled services:

  • Services directly controlled by SSO
  • Services using SSO to initiate their own session

The services that are directly controlled by SSO keep validating whether you are allowed to access the given website throughout your session. If you log out from SSO then all these services (directly controlled by SSO) will terminate your session even if you have not explicitly logged out from them. An example of such services the “Open Learners Grades” service by the Office of Open Learning.

On the other hand, there are services, for example, Courselink, that use SSO to initiate their own session and then they manage this session themselves. When you log out from SSO, these services may keep your session active until it times out or you log out explicitly from the given service. If you close your browser windows before you leave your workstation nobody will be able to hijack your session.