saml-dev - RE: [saml-dev] Logout from a single SP.
- From: Thomas Wisniewski <Thomas.Wisniewski@entrust.com>
- To: Scott Cantor <cantor.2@osu.edu>
- Date: Mon, 7 Nov 2005 22:19:36 -0500
Title: RE: [saml-dev] Logout from a single SP.
Got it, I agree. Thanx.
Tom.
> -----Original Message-----
> From: Scott Cantor [mailto:cantor.2@osu.edu]
> Sent: Monday, November 07, 2005 9:21 PM
> To: 'Thomas Wisniewski'
> Cc: saml-dev@lists.oasis-open.org
> Subject: RE: [saml-dev] Logout from a single SP.
>
>
> > The intent of the spec suggests that the SP, say SPa, can
> > initiate a logout and that this would imply that the IDP
> > would attempt to log out all sessions (at all SPs) that were
> > tied to the IDP session used to create the session at SPa.
> >
> > I guess you are proposing one implementation where the IDP
> > does not do this, which I believe is allowed by the spec, as
> > long as you return some unsuccessful response.
>
> I think the language is just vague in this thread. I think Conor meant
> "session" in the sense of a set of IdP/SP sessions that are tied together at
> the IdP, meaning the user logged into all of them with a single browser.
>
> But if you're also logged into 3 other SPs via your phone, a logout at an SP
> via the browser probably doesn't log you out of your phone.
>
> That's the whole point of SessionIndex, so the IdP (or other session
> authority) can isolate sessions at an SP based on the client as well as the
> NameID.
>
> If you want to sever all of your sessions at once, Conor's suggesting that's
> an IdP driven thing, not an SP thing.
>
> -- Scott
>
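An added example (mine, not code from the thread or from any SAML implementation) of the session isolation described above: the IdP keeps one session per client, keyed by SessionIndex, so an SP-initiated LogoutRequest from the browser severs only the SP sessions tied to the browser's IdP session while the phone's survive, and an IdP-driven logout severs all of them. The registry contents, the LogoutRequest, the entity URL and the NameID are constructed values.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed LogoutRequest from SPa: it names only the browser's IdP session
# via SessionIndex. ID, IssueInstant and the Issuer URL are hypothetical.
LOGOUT_REQUEST = """<samlp:LogoutRequest
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_req-constructed-1" Version="2.0" IssueInstant="2005-11-07T21:21:00Z">
  <saml:Issuer>https://spa.example.org/sp</saml:Issuer>
  <saml:NameID>alice@example.org</saml:NameID>
  <samlp:SessionIndex>_idx-browser</samlp:SessionIndex>
</samlp:LogoutRequest>"""

def fresh_registry():
    """Constructed IdP session store: one IdP session per client, each recording
    the SPs logged into from it. SPb appears twice: used from both devices."""
    return {
        "_idx-browser": {"name_id": "alice@example.org", "sps": {"SPa", "SPb"}},
        "_idx-phone":   {"name_id": "alice@example.org", "sps": {"SPb", "SPc", "SPd"}},
    }

def parse_logout_request(xml_text):
    """Return (NameID, [SessionIndex, ...]) from a LogoutRequest."""
    root = ET.fromstring(xml_text)
    name_id = root.find("saml:NameID", NS).text
    indexes = [e.text for e in root.findall("samlp:SessionIndex", NS)]
    return name_id, indexes

def sp_initiated_logout(registry, xml_text):
    """SP-initiated SLO at the IdP: sever only the IdP session(s) named by
    SessionIndex; return the SPs the IdP must propagate the logout to. An index
    that is unknown or bound to a different NameID is ignored."""
    name_id, indexes = parse_logout_request(xml_text)
    affected = set()
    for idx in indexes:
        sess = registry.get(idx)
        if sess is not None and sess["name_id"] == name_id:
            affected |= registry.pop(idx)["sps"]
    return affected

def idp_initiated_logout(registry, name_id):
    """IdP-driven logout: sever every IdP session for the principal, on every
    client, and return the union of SPs to notify."""
    affected = set()
    for idx in [k for k, s in registry.items() if s["name_id"] == name_id]:
        affected |= registry.pop(idx)["sps"]
    return affected
```

Running the browser's LogoutRequest against a fresh registry returns {"SPa", "SPb"} and leaves "_idx-phone" in place; only the IdP-initiated path also reaches SPc and SPd.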