Subject: Single Logout and Session Index clarification requested
Friends,

I am in need of clarification regarding the use of SessionIndex for Single Logout using the SOAP binding.

The core specification states that for Logout in general, the SessionIndex is optional and that, when the session participant receives the request "if no <SessionIndex> elements are supplied, then all sessions associated with the principal MUST be invalidated." and that an eligible assertion to logout would be one where the subject strongly matches the BaseID, NameID or EncryptedID in the logout request (as well as the session index and that the NotOnOrAfter attributes are still valid).

My question is regarding a specific use case: one in which the users all log in anonymously. When a LogoutRequest is sent over SOAP using a back channel, the session participant will only be able to identify the user based on the contents of the LogoutRequest (i.e., no cookie available for additional information). If all users on a session participant are anonymous (i.e., they all have the same subject) and the session authority sends a LogoutRequest without a SessionIndex, my interpretation of the spec is that all the sessions that strongly match that same subject be logged out, resulting in all users being logged out.

In this use case, should the session authority be required to send the SessionIndex to indicate the proper anonymous user?

Thank you,
Joann Kent
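
The scenario in the message above as an added example (not part of the original post and not code from the SAML specification): a minimal session participant, with a constructed session table and a constructed unsigned LogoutRequest, selecting sessions by NameID and optional SessionIndex. Strong matching is reduced to NameID value equality, signature and NotOnOrAfter checks are omitted, and all function and field names are hypothetical.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed session table held by the session participant. Three users
# logged in under one shared anonymous subject; one user has her own NameID.
SESSIONS = [
    {"local_id": "s1", "name_id": "anonymous", "session_index": "idx-1"},
    {"local_id": "s2", "name_id": "anonymous", "session_index": "idx-2"},
    {"local_id": "s3", "name_id": "anonymous", "session_index": "idx-3"},
    {"local_id": "s4", "name_id": "alice@example.org", "session_index": "idx-4"},
]

def build_logout_request(name_id, session_indexes=()):
    """Build a constructed, unsigned LogoutRequest as carried in a SOAP body."""
    idx = "".join(f"<samlp:SessionIndex>{escape(i)}</samlp:SessionIndex>"
                  for i in session_indexes)
    return (f'<samlp:LogoutRequest xmlns:samlp="{NS["samlp"]}" '
            f'xmlns:saml="{NS["saml"]}" ID="_constructed1" Version="2.0" '
            f'IssueInstant="2024-01-01T00:00:00Z">'
            f'<saml:Issuer>https://idp.example.org</saml:Issuer>'
            f'<saml:NameID>{escape(name_id)}</saml:NameID>{idx}'
            f'</samlp:LogoutRequest>')

def sessions_to_invalidate(request_xml, sessions):
    """Return the local ids of the sessions the request selects for logout."""
    root = ET.fromstring(request_xml)
    name_id = root.findtext("saml:NameID", namespaces=NS)
    if name_id is None:
        raise ValueError("LogoutRequest carries no NameID")
    wanted = {e.text.strip() for e in root.findall("samlp:SessionIndex", NS)
              if e.text}
    # Back channel: no cookie, so the subject in the request is the only key.
    matched = [s for s in sessions if s["name_id"] == name_id.strip()]
    # No SessionIndex supplied: every session of that principal is invalidated.
    if wanted:
        matched = [s for s in matched if s["session_index"] in wanted]
    return [s["local_id"] for s in matched]

if __name__ == "__main__":
    # Shared subject, no SessionIndex: all three anonymous users are selected.
    print(sessions_to_invalidate(build_logout_request("anonymous"), SESSIONS))
    # Shared subject plus SessionIndex: only the intended session is selected.
    print(sessions_to_invalidate(
        build_logout_request("anonymous", ["idx-2"]), SESSIONS))
```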