Re: [saml-dev] Informing SP about session invalidated in IDP

["Cantor, Scott" <cantor.2@osu.edu>]

On 1/18/14, 11:25 AM, "Tom Scavo" <trscavo@gmail.com> wrote:
>
>Unlike newer cross-domain SSO solutions (such as OpenID Connect), SAML
>has no session management built into the spec.
> Yes, an *implementation* of SAML Web Browser SSO will have to deal with
>sessions but the *specification* is silent on this point. As a
>practical matter, session management is handled independently at the
>IdP and SP (which is why SAML Single Logout doesn't really work).

That's not why logout doesn't work, and to the extent it does or doesn't,
OpenID will be in the same situation.

>> if I have multiple copy of
>> SP sitting in geographically distributed region sitting behind a load
>> balancer,how the message reaches a particular SP as the DNS name for all
>> will be same.

That's a different issue. If you load balance, then your implementation
has to ensure cache coherency across systems. That's not visible to any
standard and never could be. The client only makes one request to an
address, and it's not up to the standard to deal with clustering because
it's not visible to the layers the standard can address.

-- Scott