Subject: RE: [saml-dev] Logout from a single SP.


Agreed.

-----Original Message-----
From: Conor P. Cahill [mailto:concahill@xxxxxxx] 
Sent: Tuesday, November 08, 2005 8:37 AM
To: Thomas Wisniewski
Cc: Giuseppe Sarno; Philpott, Robert; saml-dev@xxxxxxxxxxxxxxxxxxxx
Subject: RE: [saml-dev] Logout from a single SP.




Thomas Wisniewski wrote on 11/7/2005, 9:09 PM: 




The intent of the spec suggests that the SP, say SPa, can initiate a logout
and that this would imply that the IDP would attempt to log out all sessions
(at all SPs) that were tied to the IDP session used to create the session at
SPa.

 

I guess you are proposing one implementation where the IDP does not do this,
which I believe is allowed by the spec, as long as you return some
unsuccessful response.

No.  What you described is the correct behavior for when session index is
supplied and that is what the IdP should do. 

I am saying that if the SP does not provide a session index to the IdP, the
IdP probably should *NOT* cancel authentication sessions at the IdP which
were *NEVER* associated with that SP.

Of course, given Scot's note in the SSO profile having a MUST for the
session index makes this somewhat moot, but that is how we got to this
point.

I was trying to clarify that while the IdP can cancel all active
authentication sessions, I think an SP can only impact authentication
sessions that have had login sessions established at that SP.

Conor



 

Tom.



-----Original Message-----
From: Conor P. Cahill [mailto:concahill@xxxxxxx]
Sent: Monday, November 07, 2005 8:29 PM
To: Giuseppe Sarno
Cc: Philpott, Robert; saml-dev@xxxxxxxxxxxxxxxxxxxx
Subject: RE: [saml-dev] Logout from a single SP.




Giuseppe Sarno wrote on 11/7/2005, 8:55 AM: 


Hi just to reply to your last point:

 

As I said above, I think that the SP should be required to send the Session
Index if it was in the assertion used to establish SessionB (although I can't
find anything that says that explicitly).   However, even lacking that, I
don't think that an SP should be authorized to end sessions that were not
associated with the SP (although the IdP may allow "trusted" SPs to do so
when the reason is an "...:admin" because of the thought that if it wasn't
user initiated there may be something strange going on and the IdP may want
to play it safe -- obviously this is not a part of the SAML spec, but I
think that a cautious IdP may do this, especially with partners that they
"trust").


Isn't this though the principle behind the single Logout? (SP initiated)

Are you advocating that only the IDP can actually initiate the Single Logout
sequence? And the SP can only initiate Logout for its own sessions?


The SP can initiate single logout, but it should only be able to do so for
authentication sessions that were associated with the SP not with sessions
that had nothing to do with that SP.

If the user wants to truly cancel all active sessions everywhere, they
should coordinate it through their IdP.

In general I think that the user will not want to do cross-session logout
and that the IdP would only do this in extenuating circumstances that are
security driven (perhaps when a user changes their password all existing
sessions are cancelled and must be re-authenticated to continue).  For the
most part SLO is a session based operation.

Conor
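The scoping rule Conor describes, as an added example that is not part of the thread or of any SAML implementation: an IdP-side check that lets an SP-initiated LogoutRequest end only the authentication sessions that SP took part in, refuses a SessionIndex the SP was never associated with, and, as the optional cautious-IdP policy rather than spec behaviour, lets a trusted SP citing the admin reason end everything. The session store, SP entityIDs and SessionIndex values are constructed; the status and reason URIs are the ones defined in SAML 2.0 Core.

```python
from dataclasses import dataclass
from typing import Optional

# SAML 2.0 Core status codes, and the logout reason the thread abbreviates as "...:admin"
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
STATUS_REQUESTER = "urn:oasis:names:tc:SAML:2.0:status:Requester"
REASON_ADMIN = "urn:oasis:names:tc:SAML:2.0:logout:admin"


@dataclass
class AuthnSession:
    """One IdP authentication session, keyed by the SessionIndex it issued."""
    session_index: str
    participants: set          # entityIDs of SPs that received an assertion for it
    active: bool = True


@dataclass
class LogoutRequest:
    issuer: str                # entityID of the requesting SP (constructed values in tests)
    session_indexes: list      # <SessionIndex> values carried by the request; may be empty
    reason: Optional[str] = None


def scope_logout(sessions, req, trusted_admin_sps=frozenset()):
    """Decide which IdP sessions an SP-initiated LogoutRequest may terminate.

    Returns (terminated session indexes, status code). Sessions the SP never
    participated in are left alone even when the request carries no
    SessionIndex; only a trusted SP citing the admin reason may end them all.
    """
    live = [s for s in sessions if s.active]
    if req.reason == REASON_ADMIN and req.issuer in trusted_admin_sps:
        chosen = live                           # cautious-IdP policy, not spec
    else:
        chosen = [s for s in live if req.issuer in s.participants]
        if req.session_indexes:
            wanted = set(req.session_indexes)
            if not wanted <= {s.session_index for s in chosen}:
                # an index this SP was never associated with: refuse outright
                return [], STATUS_REQUESTER
            chosen = [s for s in chosen if s.session_index in wanted]
    for s in chosen:
        s.active = False
    return sorted(s.session_index for s in chosen), STATUS_SUCCESS
```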

---------------------------------------------------------------------
This publicly archived list supports open discussion on implementing the SAML
OASIS Standard. To minimize spam in the archives, you must subscribe before
posting.
[Un]Subscribe/change address: http://www.oasis-open.org/mlmanage/
Alternately, using email: list-[un]subscribe@xxxxxxxxxxxxxxxxxxxx
List archives: http://lists.oasis-open.org/archives/saml-dev/
Committee homepage: http://www.oasis-open.org/committees/security/
List Guidelines: http://www.oasis-open.org/maillists/guidelines.php
Join OASIS: http://www.oasis-open.org/join/