saml-dev - RE: [saml-dev] Logout from a single SP.
  • From: Thomas Wisniewski <Thomas.Wisniewski@entrust.com>
  • To: Scott Cantor <cantor.2@osu.edu>
  • Date: Mon, 7 Nov 2005 22:19:36 -0500

Got it, I agree. Thanx.

Tom.

> -----Original Message-----
> From: Scott Cantor [mailto:cantor.2@osu.edu]
> Sent: Monday, November 07, 2005 9:21 PM
> To: 'Thomas Wisniewski'
> Cc: saml-dev@lists.oasis-open.org
> Subject: RE: [saml-dev] Logout from a single SP.
>
>
> > The intent of the spec suggests that the SP, say SPa, can
> > initiate a logout and that this would imply that the IDP
> > would attempt to log out all sessions (at all SPs) that were
> > tied to the IDP session used to create the session at SPa.
> > 
> > I guess you are proposing one implementation where the IDP
> > does not do this, which I believe is allowed by the spec, as
> > long as you return some unsuccessful response.
>
> I think the language is just vague in this thread. I think Conor meant
> "session" in the sense of a set of IdP/SP sessions that are tied together at
> the IdP, meaning the user logged into all of them with a single browser.
>
> But if you're also logged into 3 other SPs via your phone, a logout at an SP
> via the browser probably doesn't log you out of your phone.
>
> That's the whole point of SessionIndex, so the IdP (or other session
> authority) can isolate sessions at an SP based on the client as well as the
> NameID.
>
> If you want to sever all of your sessions at once, Conor's suggesting that's
> an IdP driven thing, not an SP thing.
>
> -- Scott
>
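
The SessionIndex scoping described in the quoted reply, as an added sketch that is not part of the original thread or of any SAML implementation: an IdP resolves a LogoutRequest to the one IdP session that issued the named SessionIndex, so the phone's sessions stay untouched. The session table, entity IDs and function names are constructed for illustration, and the request is assumed to have passed signature verification already.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed IdP state: each IdP session (one per client) lists the SP
# sessions it created as (SP entityID, SessionIndex). All names are made up.
IDP_SESSIONS = {
    "idp-sess-browser": {"name_id": "alice", "sp_sessions": [
        ("https://spa.example", "idx-b1"), ("https://spb.example", "idx-b2")]},
    "idp-sess-phone": {"name_id": "alice", "sp_sessions": [
        ("https://spa.example", "idx-p1"), ("https://spc.example", "idx-p2")]},
}

# Constructed LogoutRequest sent by SPa on behalf of the browser session.
LOGOUT_REQUEST = """<samlp:LogoutRequest
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_req1" Version="2.0" IssueInstant="2005-11-07T22:00:00Z">
  <saml:Issuer>https://spa.example</saml:Issuer>
  <saml:NameID>alice</saml:NameID>
  <samlp:SessionIndex>idx-b1</samlp:SessionIndex>
</samlp:LogoutRequest>"""


def parse_logout_request(xml_text):
    """Return (issuer, name_id, [session indexes]) from a LogoutRequest."""
    root = ET.fromstring(xml_text)
    issuer = root.findtext("saml:Issuer", namespaces=NS).strip()
    name_id = root.findtext("saml:NameID", namespaces=NS).strip()
    indexes = [e.text.strip() for e in root.findall("samlp:SessionIndex", NS)]
    return issuer, name_id, indexes


def sessions_to_terminate(xml_text, idp_sessions=IDP_SESSIONS):
    """Map each affected IdP session to the SP sessions tied to it."""
    issuer, name_id, indexes = parse_logout_request(xml_text)
    affected = {}
    for sess_id, sess in idp_sessions.items():
        if sess["name_id"] != name_id:
            continue
        # An IdP session is selected only if the requesting SP holds one of
        # the named SessionIndex values inside it; NameID alone is not enough.
        if any(sp == issuer and idx in indexes for sp, idx in sess["sp_sessions"]):
            affected[sess_id] = list(sess["sp_sessions"])
    return affected
```

A SessionIndex presented by an SP that was never issued it selects nothing, which keeps one SP from terminating sessions it does not participate in.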

