Subject: RE: Réf. : RE: [saml-dev] Question about logout
Just to be sure I understand well, let's take another example:
The IDP authenticates a user named user1.
The IDP sends an assertion to SP1 with a federated id: 12345
The IDP sends an assertion to SP2 with the email address as an id: user1@domain.com
If SP1 wants to send a logout request to the IDP, it must use the id 12345.
If SP2 wants to send a logout request to the IDP, it must use the id user1@domain.com.
In both cases, the IDP recognizes the user user1 and terminates the session (and then propagates the logout to SP1 or SP2).
If the IDP wants to send a logout request, it must use the id 12345 for SP1 and user1@domain.com for SP2.
So, the IDP has to keep track of which SP is using which type of id.
Is that right?
About this part:
"If the IdP gets a request with some other value
it should treat that as a failure, even if the IdP could *guess* which
user the caller is talking about."
Where is this constraint indicated in the spec?
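The per-SP NameID bookkeeping described above, as an added illustration that is not code from this thread or from any SAML product: a minimal IdP-side session registry that records which NameID was issued to which SP, accepts a LogoutRequest only if the NameID matches what that SP was given, and returns the other SPs (with their own NameIDs) that the logout must be propagated to. Entity IDs, session IDs and the user values are constructed; the status and NameID-format URIs are the standard SAML 2.0 ones.

```python
from dataclasses import dataclass, field

# Standard SAML 2.0 status codes and NameID formats
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
STATUS_REQUESTER = "urn:oasis:names:tc:SAML:2.0:status:Requester"
FMT_PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
FMT_EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"


@dataclass
class NameID:
    value: str
    fmt: str


@dataclass
class Session:
    principal: str                         # local user, e.g. "user1"
    issued: dict = field(default_factory=dict)  # sp_entity_id -> NameID


class IdP:
    def __init__(self):
        self.sessions = {}       # session_id -> Session
        self.lookup = {}         # (sp, nameid value, format) -> session_id

    def login(self, session_id, principal):
        self.sessions[session_id] = Session(principal)

    def issue_assertion(self, session_id, sp, name_id):
        # Remember exactly which identifier this SP was given for this session
        self.sessions[session_id].issued[sp] = name_id
        self.lookup[(sp, name_id.value, name_id.fmt)] = session_id
        return name_id

    def handle_logout_request(self, sp, name_id):
        """Return (status, [(other_sp, NameID) to propagate the logout to])."""
        session_id = self.lookup.get((sp, name_id.value, name_id.fmt))
        if session_id is None:
            # Wrong identifier for this SP: fail, do not guess the user
            return STATUS_REQUESTER, []
        sess = self.sessions.pop(session_id)
        for key in [k for k, v in self.lookup.items() if v == session_id]:
            del self.lookup[key]
        propagate = [(o, nid) for o, nid in sess.issued.items() if o != sp]
        return STATUS_SUCCESS, propagate
```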