DACS_SIGNOUT(8) DACS Web Services Manual DACS_SIGNOUT(8)
NAME
dacs_signout - DACS signout service
SYNOPSIS
dacs_signout [dacsoptions[1]]
DESCRIPTION
This web service is part of the DACS suite.
The dacs_signout web service is invoked from a web browser to cause one or more sets of DACS credentials for the current federation[2],
stored as HTTP cookies, to be removed from the browser. This is done by replacing one or more existing cookies with cookies that have
expired. The effect is that the user agent signs out (logs off) identities previously obtained through dacs_authenticate(8)[3] or any other
DACS authentication method. A DACS-enabled portal will typically provide users with a link or web page form to invoke this service.
By default, all credentials are removed, but credentials can be selected for deletion based on a particular username (who the user was
authenticated as) or a particular jurisdiction (the jurisdiction that performed that authentication).
Should copies of the selected credentials exist outside of the browser, they may still be valid; only the browser's copies are destroyed.
The SIGNOUT_HANDLER[4] directive can optionally be used to specify where the user should be redirected before this service terminates,
provided FORMAT does not select a variety of XML output (see dacs.conf(5)[5]). If XML output is selected, a document conforming to
dacs_current_credentials.dtd[6] is returned.
Explicitly signing off using this web service is generally unnecessary because DACS credentials will either become invalid when their
lifetime is reached (see AUTH_CREDENTIALS_DEFAULT_LIFETIME_SECS[7]) or will be automatically deleted when the user's browser session
terminates (or a session with a trusted servlet ends). A user can also sign off by deleting his browser's DACS cookies. Middleware can
simply discard cookies.
As DACS credentials are relative to a particular federation of DACS servers, only those credentials that are associated with the federation
of the DACS server that receives the service request will be affected by this service. This implies that a user who wants to explicitly
sign out must do so for each federation in which he or she is currently authenticated.
Web Service Arguments
In addition to the standard CGI arguments[8], dacs_signout understands the following CGI arguments:
DACS_USERNAME
If present, all credentials associated with this username will be deleted. If not provided, the username in the credentials is
immaterial.
DACS_JURISDICTION
If present, all credentials associated with this jurisdiction (given as its JURISDICTION_NAME[9]) will be deleted. If not provided, the
jurisdiction in the credentials is immaterial.
COOKIE_SYNTAX
This optional parameter is as described for the dacs_authenticate(8)[3] service.
The optional parameters are used to delete only those credentials that match a particular username or jurisdiction (or both). If neither
parameter is specified in the service request, all DACS cookies associated with the federation that receives the service request will be
deleted.
The name matching method can be configured through the NAME_COMPARE[10] directive.
Note
DACS does not currently provide an inactivity timeout feature, but it may appear in a future release. One way to add it would be to
take advantage of the user tracking[11] capability, which can record all of a user's requests for DACS-wrapped services within a
federation. By simply comparing the current time with the time stamp of the user's last service request, the user's idle time can be
determined. If the idle time exceeds a configured maximum, dacs_acs(8)[12] would consider the user's credentials to be invalid
(effectively expired) and take appropriate action. A straightforward implementation would be a relatively simple enhancement to DACS;
its main drawback, for those that enable it, is the extra performance hit incurred from user tracking and having to compute idle time
during access control processing - whether this hit is significant will depend on your platforms, the configuration of your federation,
and user activity patterns.
EXAMPLES
To signout from all identities in the EXAMPLE federation, a user would simply invoke a URL like:
https://dss.example.com/cgi-bin/dacs/dacs_signout
To signout only from the identity EXAMPLE::FEDROOT:bobo, a URL like the following might be invoked:
https://fedroot.example.com/cgi-bin/dacs/dacs_signout?
DACS_USERNAME=bobo&DACS_JURISDICTION=FEDROOT
To signout from only those identities in the EXAMPLE federation having a username component bobo, invoke a URL like:
https://fedroot.example.com/cgi-bin/dacs/dacs_signout?DACS_USERNAME=bobo
This would signoff from EXAMPLE::FEDROOT:bobo and EXAMPLE::DSS:bobo, for instance.
DIAGNOSTICS
The program exits 0 if everything was fine, 1 if an error occurred.
SEE ALSO
dacs_authenticate(8)[3], dacs_current_credentials(8)[13], dacs_auth_agent(8)[14], dacs_auth_transfer(8)[15],
dacs_select_credentials(8)[16], dacsauth(1)[17], dacscred(1)[18]
The DACS distribution includes an example of a "log off" web page: html/examples/signout.html[19].
AUTHOR
Distributed Systems Software (www.dss.ca[20])
COPYING
Copyright2003-2012 Distributed Systems Software. See the LICENSE[21] file that accompanies the distribution for licensing information.
NOTES
1. dacsoptions
http://dacs.dss.ca/man/dacs.1.html#dacsoptions
2. current federation
http://dacs.dss.ca/man/dacs.1.html#current_federation
3. dacs_authenticate(8)
http://dacs.dss.ca/man/dacs_authenticate.8.html
4. SIGNOUT_HANDLER
http://dacs.dss.ca/man/dacs.conf.5.html#SIGNOUT_HANDLER
5. dacs.conf(5)
http://dacs.dss.ca/man/dacs.conf.5.html
6. dacs_current_credentials.dtd
http://dacs.dss.ca/man/../dtd-xsd/dacs_current_credentials.dtd
7. AUTH_CREDENTIALS_DEFAULT_LIFETIME_SECS
http://dacs.dss.ca/man/dacs.conf.5.html#AUTH_CREDENTIALS_DEFAULT_LIFETIME_SECS
8. standard CGI arguments
http://dacs.dss.ca/man/dacs.services.8.html#standard_cgi_args
9. JURISDICTION_NAME
http://dacs.dss.ca/man/dacs.conf.5.html#JURISDICTION_NAME
10. NAME_COMPARE
http://dacs.dss.ca/man/dacs.conf.5.html#NAME_COMPARE
11. user tracking
http://dacs.dss.ca/man/dacs.1.html#tracking_user_activity
12. dacs_acs(8)
http://dacs.dss.ca/man/dacs_acs.8.html
13. dacs_current_credentials(8)
http://dacs.dss.ca/man/dacs_current_credentials.8.html
14. dacs_auth_agent(8)
http://dacs.dss.ca/man/dacs_auth_agent.8.html
15. dacs_auth_transfer(8)
http://dacs.dss.ca/man/dacs_auth_transfer.8.html
16. dacs_select_credentials(8)
http://dacs.dss.ca/man/dacs_select_credentials.8.html
17. dacsauth(1)
http://dacs.dss.ca/man/dacsauth.1.html
18. dacscred(1)
http://dacs.dss.ca/man/dacscred.1.html
19. html/examples/signout.html
http://dacs.dss.ca/man//examples/signout.html
20. www.dss.ca
http://www.dss.ca
21. LICENSE
http://dacs.dss.ca/man/../misc/LICENSE
DACS 1.4.27b 10/22/2012 DACS_SIGNOUT(8)