Subject: RE: [saml-dev] Question about logout
> - Later in the process, SP sends to IdP a logout request with
> a NameID containing the persistent identifier.
> What should the IdP do?
> kill the user session: this user will have to reauthenticate
> or nothing special, the user still has the session
> established with its real name

A logout request from an SP to the IdP is a session logout request, meaning that the intent is to terminate the user's session at the IdP and at all SPs for which the IdP has generated assertions based upon the same session at the IdP. That is why it is commonly referred to as Single Log Out.

> And same question if IdP received a logout request with a
> NameID containing the user's real name
> kill the user session: this user will have to reauthenticate
> or nothing special, the user still has the session
> established with the persistent ID

The logout request must include the name for which the user is known at the sending party. If the IdP gets a request with some other value it should treat that as a failure, even if the IdP could *guess* which user the caller is talking about.

So, SP1 can only send the NameID values that it received from the IdP; it cannot send the user's login ID at the IdP, nor can it send the NameID value received by SP2 or any other SP. The user can, of course, go to the IdP themselves and initiate an SLO from there using their current authenticated session, but SPs can only do so using the NameID issued to them.

Conor
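One way an IdP could enforce the rule Conor describes (the NameID in a LogoutRequest must be exactly the value issued to the sending SP, otherwise fail rather than guess), as an added example that is not from the thread or from any SAML implementation. The session store, entity IDs and NameID values are constructed, and the request is built unsigned for brevity.

```python
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
NS = {"samlp": SAMLP, "saml": SAML}

def make_sessions():
    """Constructed IdP session store: the login ID the IdP knows the user by,
    plus the NameID (value, format) issued to each SP from this session."""
    return {"sess-42": {
        "login_id": "alice",
        "issued": {
            "https://sp1.example.com": ("_p3rs1st3nt-sp1", PERSISTENT),
            "https://sp2.example.com": ("_p3rs1st3nt-sp2", PERSISTENT),
        },
    }}

def build_logout_request(issuer, name_id, fmt=PERSISTENT):
    """Minimal constructed LogoutRequest (signature omitted for brevity)."""
    return (f'<samlp:LogoutRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
            f'ID="_req1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">'
            f'<saml:Issuer>{issuer}</saml:Issuer>'
            f'<saml:NameID Format="{fmt}">{name_id}</saml:NameID>'
            f'</samlp:LogoutRequest>')

def handle_logout_request(xml_text, session_id, sessions):
    """Return ("ok", [other SPs to send LogoutRequests to]) or ("fail", why)."""
    root = ET.fromstring(xml_text)
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    nid = root.find("saml:NameID", NS)
    if issuer is None or nid is None:
        return ("fail", "missing Issuer or NameID")
    session = sessions.get(session_id)
    if session is None:
        return ("fail", "no active IdP session")
    expected = session["issued"].get(issuer)
    if expected is None:
        return ("fail", "issuer received no assertion from this session")
    if (nid.text, nid.get("Format", UNSPECIFIED)) != expected:
        # Login ID or another SP's NameID: do not guess the user, fail instead.
        return ("fail", "NameID is not the value issued to this issuer")
    # Session logout: drop the IdP session and propagate to every other SP.
    others = [sp for sp in session["issued"] if sp != issuer]
    del sessions[session_id]
    return ("ok", others)
```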