
saml-dev message



Subject: Re: [saml-dev] SLO Flow Questions


On 5/7/10 2:02 PM, "Scott Cantor" <cantor.2@osu.edu> wrote:

>> First, if the original SAML Response from the IdP to the SP has a format
>> attribute as part of its NameID element, then that format must be returned
>> in the LogoutRequest by the SP.
> 
> There are rules in core for what the "implied" values of NameID attributes
> are when they're omitted, but Format only has rules for equating missing
> with "unspecified".

Right. Not really worried about missing attributes, only where they are
coming from if they are present.

>> Third, if the original AuthnRequest from the SP to the IdP included a
>> NameIDPolicy with an attribute of SPNameQualifier, then the IdP would have
>> included that attribute in the Response as an attribute of the NameID as
>> well and then that attribute must be included in the LogoutRequest.
> 
> The AuthnRequest is irrelevant. The rules are the same as for NameQualifier,
> apart from the default if absent and relevant being the SP's name.

How would the IdP get the SPNameQualifier if it's not in the AuthnRequest?
That was the only way I could track a source of it reading the spec. So the
IdP receives it as part of the AuthnRequest, puts it in the Response, so the
SP must put it in the LogoutRequest.

But the general rule applies like you said: if it's in the Response sent by the
IdP, the SP must put it in the LogoutRequest.

thanks,

Paul
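
The rule this thread settles on, as an added example that is not part of the original message or of any SAML implementation: the SP echoes the NameID it received, with whatever attributes were present, and the IdP compares it to what it issued, treating a missing Format as "unspecified". The entity IDs, identifier value and function names are constructed for illustration; signature validation, IssueInstant and hardened XML parsing are out of scope.

```python
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
ET.register_namespace("saml", SAML)
ET.register_namespace("samlp", SAMLP)

# Constructed sample: a NameID as an IdP might issue it in a Response.
ISSUED = (
    f'<saml:NameID xmlns:saml="{SAML}" '
    'Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" '
    'NameQualifier="https://idp.example.org" '
    'SPNameQualifier="https://sp.example.com">a1b2c3</saml:NameID>'
)

def build_logout_request(issued_nameid_xml, request_id, issuer):
    """SP side: echo the NameID exactly as received, attributes included."""
    issued = ET.fromstring(issued_nameid_xml)
    req = ET.Element(f"{{{SAMLP}}}LogoutRequest",
                     {"ID": request_id, "Version": "2.0"})
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = issuer
    # Copy every attribute that was present; add none, drop none.
    echoed = ET.SubElement(req, f"{{{SAML}}}NameID", dict(issued.attrib))
    echoed.text = issued.text
    return ET.tostring(req, encoding="unicode")

def nameid_key(elem):
    """Comparable form of a NameID; a missing Format means 'unspecified'.
    NameQualifier and SPNameQualifier are compared as sent (assumption:
    this sketch does not apply the implied defaults for absent qualifiers)."""
    return (
        elem.text,
        elem.get("Format", UNSPECIFIED),
        elem.get("NameQualifier"),
        elem.get("SPNameQualifier"),
    )

def logout_matches_session(logout_request_xml, issued_nameid_xml):
    """IdP side: does the LogoutRequest name the principal that was issued?"""
    sent = ET.fromstring(logout_request_xml).find(f"{{{SAML}}}NameID")
    if sent is None:
        return False
    return nameid_key(sent) == nameid_key(ET.fromstring(issued_nameid_xml))
```
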



