
  • Sessions at the identity provider are used to provide single sign-on, removing the need for additional authentication. An IdP can also cache information for speed and track sessions at service providers for logout.
  • Sessions at the discovery service can automate IdP selection, removing the need for additional user interaction.
  • Sessions at the service provider persist a login across individual HTTP requests from a single client. They can be maintained at a coarse or fine granularity, with individual sessions for each application.
  • Each application can (and usually does) maintain distinct sessions with the browser.

All these sessions are pretty much independent and distinct: any session can exist with or without any other session, and the expiration of any one session does not imply the expiration of any other session. Some sessions can be associated with each other through use of common identifiers. This independence makes single log-out a very difficult problem.
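The independence described above can be modelled in a few lines. This is an added example, not code from the wiki or from any IdP/SP software: the host names, lifetimes and the `link_id` field (standing in for a "common identifier") are constructed assumptions. It shows that an IdP session expiring leaves SP and application sessions alive, and that a logout propagated by identifier only reaches the sessions that recorded it.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Session:
    layer: str                      # "idp", "discovery", "sp" or "app"
    owner: str                      # host that holds the session (constructed)
    expires_at: int                 # absolute expiry in seconds (constructed)
    link_id: Optional[str] = None   # hypothetical common identifier, if recorded
    revoked: bool = False

    def active(self, now: int) -> bool:
        return not self.revoked and now < self.expires_at

def build_sample() -> List[Session]:
    # Constructed sample: one browser, one IdP, one discovery service, two SPs.
    return [
        Session("idp", "idp.example.org", 3600, link_id="sid-1"),
        Session("discovery", "ds.example.org", 86400),
        Session("sp", "sp-a.example.org", 28800, link_id="sid-1"),
        Session("app", "sp-a.example.org/wiki", 7200),   # app never saw sid-1
        Session("sp", "sp-b.example.org", 1800, link_id="sid-1"),
    ]

def active_layers(sessions: List[Session], now: int) -> List[str]:
    """Sessions still usable at time `now`, as sorted 'layer@owner' labels."""
    return sorted(f"{s.layer}@{s.owner}" for s in sessions if s.active(now))

def idp_logout(sessions: List[Session], link_id: str) -> List[Session]:
    """Revoke every session associated through link_id; return those not reached."""
    for s in sessions:
        if link_id is not None and s.link_id == link_id:
            s.revoked = True
    return [s for s in sessions if not s.revoked]

if __name__ == "__main__":
    sessions = build_sample()
    # After the IdP session has expired, SP and app sessions are still live.
    print(active_layers(sessions, now=4000))
    # A logout keyed on the common identifier misses unlinked sessions.
    print([f"{s.layer}@{s.owner}" for s in idp_logout(sessions, "sid-1")])
```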

Info: OpenID Connect Session Management

For reference, see the draft OpenID Connect Session Management specification.
