saml-dev message
Subject: RE: Réf. : RE: [saml-dev] Question about logout


 

Just to be sure I understand well, let's take another example:
IDP authenticates a user named user1
IDP sends an assertion to SP1 with a federated id: 12345
IDP sends an assertion to SP2 with the email address as an id: user1@domain.com

If SP1 wants to send a logout request to IDP it must use the id 12345
If SP2 wants to send a logout request to IDP it must use the id user1@domain.com
In both cases, IDP recognizes the user user1 and terminates the session (and then propagates the logout to SP1 or SP2)

If IDP wants to send a logout request, it must use the id 12345 for SP1 and user1@domain.com for SP2.
So, IDP has to keep track of which SP is using which type of id.

Is that right?
Yes.
About this part :
"If the IdP gets a request with some other value
it should treat that as a failure, even if the IdP could *guess* which
user the caller is talking about."

Where is this constraint indicated in the spec?
Lines 1299-1301 of the Profiles spec. From a security point of view, letting someone sit there and guess possible other IDs for the user would be a substantial security and/or privacy hole.
 
Conor
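As an added illustration (not code from this thread or from any SAML implementation), here is a toy Python IdP session store that applies the two rules discussed above: a LogoutRequest from an SP is matched only on the NameID that SP was issued, and IdP-initiated logout sends each SP its own identifier. The SP names, user and identifiers are the constructed values from the example; the class and method names are hypothetical.

```python
from dataclasses import dataclass, field

# SAML 2.0 top-level status code URNs (from SAML Core).
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
REQUESTER = "urn:oasis:names:tc:SAML:2.0:status:Requester"


@dataclass
class Session:
    user: str
    # NameID the IdP issued to each SP for this user, keyed by SP entity ID.
    name_ids: dict = field(default_factory=dict)
    active: bool = True


class IdP:
    """Toy IdP session store (hypothetical, for illustration only)."""

    def __init__(self):
        self.sessions = {}  # user -> Session

    def login(self, user, name_ids):
        # Record which identifier was sent to which SP at assertion time.
        self.sessions[user] = Session(user, dict(name_ids))

    def handle_logout_request(self, issuer_sp, name_id):
        """SP-initiated logout. Returns (status, {sp: name_id} to propagate to).

        The match is on the (SP, NameID) pair. A NameID that the IdP issued
        to a different SP for the same user is refused, not resolved by
        guessing, so one SP cannot probe for another SP's identifier.
        """
        for s in self.sessions.values():
            if s.active and s.name_ids.get(issuer_sp) == name_id:
                s.active = False
                # Every other SP in the session gets the NameID it knows.
                targets = {sp: nid for sp, nid in s.name_ids.items() if sp != issuer_sp}
                return SUCCESS, targets
        return REQUESTER, {}

    def idp_initiated_logout(self, user):
        """IdP-initiated logout: returns {sp: name_id} using each SP's own id."""
        s = self.sessions.get(user)
        if s is None or not s.active:
            return {}
        s.active = False
        return dict(s.name_ids)
```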

