General Guideance -BackChannel

Care Identity Service (CIS)
1

General question.
Is supporting backchannel logout a hard requirement of integration with CIS2? Documentation to me does not explicitly state.

I understand it’s benefits and we are openid connect, have support and would use it as we would want to end all sessions from an experience perspective.

However i’m just trying to clarify if this is the stance in a general context.

Thanks

2

Its use is currently strongly recommended where your users are predominantly existing smartcard users and are used to pulling the smartcard to end sessions. It is essentially providing a migration path for user behaviour towards a more standards based service, where users and applications will take more responsibility for managing and ending sessions when their work is done.

It’s not mandatory, but may be required depending on what resources and data is being accessed with the authentication, and essentially who is empowered to accept the risk of not having it.
It is particularly important on shared machines where the user is not locking or logging off the OS.

There will be some guidance changes coming out around this in the not too distant future.

3

Hi @adrian.hall2 I’ve stumbled across this thread as I have a similar question re BCL. I see from your post that guidance may have been revised by now. Has there been any change to your response above? Many thanks.

4

Hi Adrian is no longer with the product team, but the advice still stands. Using Back Channel Logout isn’t a requirement, but is strongly advised. The primary intent of BCL was to support smartcard pull logic and mirror existing behaviour, however it works for all other authenticators but currently in a limited number of scenarios.
A major piece of our work on the roadmap is to support SSO and session management, where the ability to terminate a session and thus the connected RPs becomes important and BCL will be one way of achieving this.

5

Thank you John, much appreciated, that makes sense. We will look to implement but I just wanted to have all options on the table, hence checking the latest advice.