Thread: site logout does not release openid session

  1. #1

    site logout does not release openid session

    I am using <openid-login> form auth with a simple all-defaults <logout/>.

    When I log out with /j_spring_security_logout, I lose my site principal as expected, but something is retained which should not be, because I can't log back in again. If I have concurrency-control with error-if-maximum-exceeded, my attempt to log back in is always rejected, after I succeed at the provider site, with "Maximum sessions of 1 for this principal exceeded.".

    I am de-selecting the "Remember this approval" on the provider form, and it indeed presents me with the choice to allow or deny access to my site, and passes me back to my site if I say yes, so it looks to have nothing to do with the provider retaining anything.

    I don't know if I should try to modify the /j_spring_security_logout action to clear the session, which I would think it would do already, or if I should dig into Spring Security's Openid-specific classes to see if some openid-side collection is being retained. For now I'm disabling error-if-maximum-exceeded, but I would really like to use the setting for what it was designed for. Any tips will be appreciated.
    Last edited by blaine; Mar 20th, 2011 at 05:00 PM. Reason: corrected behavior description

  2. #2


    OpenID does not provide a way to perform Single Logout. If you want this type of feature you should use something like CAS or SAML. The alternative is to write a custom extension for OpenID that does perform Single Logout.
    Rob Winch - @rob_winch
    Spring Security Lead
    Pivotal
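    For readers comparing their own setup against the one described in post #1, here is an added example of a Spring Security 3.x namespace configuration that wires `<openid-login>`, a `<logout>` element, and `<concurrency-control>` together. It is not configuration from the thread or from the Spring Security project; the file name, URLs, the sample OpenID identifier and the role name are assumptions.

```xml
<!-- Added example (not from the thread). Assumed file: WEB-INF/security-context.xml -->
<beans:beans xmlns="http://www.springframework.org/schema/security"
             xmlns:beans="http://www.springframework.org/schema/beans"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="http://www.springframework.org/schema/beans
                 http://www.springframework.org/schema/beans/spring-beans.xsd
                 http://www.springframework.org/schema/security
                 http://www.springframework.org/schema/security/spring-security.xsd">

  <http>
    <intercept-url pattern="/**" access="ROLE_USER" />

    <!-- OpenID form login; the relying-party identifier is the user name -->
    <openid-login />

    <!-- invalidate-session defaults to true; it is spelled out here so the
         intent (drop the HTTP session, not just the SecurityContext) is visible -->
    <logout logout-url="/j_spring_security_logout"
            logout-success-url="/"
            invalidate-session="true" />

    <session-management>
      <!-- Reject a second concurrent login for the same principal instead of
           expiring the first one. This only works if the SessionRegistry is
           told when sessions are destroyed (see the note below). -->
      <concurrency-control max-sessions="1"
                           error-if-maximum-exceeded="true" />
    </session-management>
  </http>

  <!-- Hypothetical placeholder: maps an OpenID identifier to an authority.
       Real deployments would use a user-details service backed by a store. -->
  <authentication-manager>
    <authentication-provider>
      <user-service>
        <user name="https://openid.example.org/alice" authorities="ROLE_USER" />
      </user-service>
    </authentication-provider>
  </authentication-manager>
</beans:beans>
```

    One check worth making with this configuration: Spring Security's concurrency control keeps its own record of live sessions in a SessionRegistry, and that registry only learns that a session was invalidated if the servlet container publishes session-destroyed events to it. That requires registering `org.springframework.security.web.session.HttpSessionEventPublisher` as a `<listener>` in web.xml. Without the listener, a session invalidated by `<logout>` can remain counted against `max-sessions` until it times out on the registry side, which produces exactly the "Maximum sessions of 1 for this principal exceeded" rejection on the next login. This is a local-session bookkeeping issue and is separate from the point Rob makes above that OpenID itself offers no single logout at the provider.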
