Subject: RE: [security-services] Use Cases






> I think that the IDP has to have some form of SessionIndex on its
> assertions in order to properly handle Single-Log-Out in a world where the
> user may have multiple simultaneous authentication sessions (such as
> browsers on two different computers -- where logging out of SSO on one
> computer shouldn't impact your session on the other computer).

This does not have to be a SessionIndex, it just has to be some form of
state.

> I think that the SP is on its own with respect to local session
> management.  Groups of SPs can do this with some form of common domain
> cookie.

I somewhat agree, as a process can be a session manager and there is not a
requirement to have a global session manager for all domains.

> But the SP can't signal (to anybody other than the user) that its local
> session has been terminated.  We could add SPLO (SP Log Out) capability
> (for the SP to be able to tell the IdP that the SP's session initiated by
> the SSO has been terminated) to the SLO protocols if we feel that is
> necessary.  However, the only effect of such a call would be that the IdP
> would not send an SLO notification to that SP should real SLO be
> initiated at the IdP.  The SPLO would not cause the IdP to send SPLO
> notifications to other SPs.

Is this a Liberty design artifact? I agree that there should be a
mechanism for a service provider to signal a session termination or
re-authentication required.

Anthony Nadalin | work 512.436.9568 | cell 512.289.4122
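As an added illustration, not code from this thread or from any SAML implementation, the toy model below shows the two behaviours the exchange above describes: per-authentication-session state (here a SessionIndex) lets the IdP fan a single logout out only to the SPs of that one session, leaving the user's session on another computer intact, and an SP-initiated logout (SPLO) merely removes that SP from the later SLO fan-out. The subject, device and SP names are constructed, and the SessionIndex string format is an assumption, not SAML's.

```python
# Added toy model (not from the thread): IdP session state keyed by SessionIndex,
# SLO per session, and SPLO as "drop this SP from the SLO fan-out" only.
from dataclasses import dataclass, field

@dataclass
class IdentityProvider:
    # SessionIndex -> set of SP entity IDs that received an assertion for it
    sessions: dict = field(default_factory=dict)
    # (sp, session_index) pairs for every LogoutRequest the IdP would send
    sent_logouts: list = field(default_factory=list)
    _counter: int = 0

    def authenticate(self, subject: str, device: str) -> str:
        """Each authentication (e.g. a browser on another computer) gets its own SessionIndex."""
        self._counter += 1
        session_index = f"{subject}-{device}-{self._counter}"  # constructed, not a SAML format
        self.sessions[session_index] = set()
        return session_index

    def issue_assertion(self, session_index: str, sp: str) -> dict:
        """Assertion for SSO to `sp`; the IdP remembers which SPs joined which session."""
        self.sessions[session_index].add(sp)
        return {"Audience": sp, "SessionIndex": session_index}

    def sp_logout(self, session_index: str, sp: str) -> None:
        """SPLO: the SP reports its local session is gone. Only effect: it is
        no longer notified if real SLO is later initiated for this session."""
        self.sessions.get(session_index, set()).discard(sp)

    def single_logout(self, session_index: str) -> list:
        """SLO initiated at the IdP for ONE session: notify only the SPs still
        participating in it; the subject's other sessions stay untouched."""
        targets = sorted(self.sessions.pop(session_index, set()))
        self.sent_logouts.extend((sp, session_index) for sp in targets)
        return targets

def scenario() -> dict:
    """Two computers, one user: SLO on the laptop must not log out the desktop."""
    idp = IdentityProvider()
    laptop = idp.authenticate("alice", "laptop")
    desktop = idp.authenticate("alice", "desktop")
    for sp in ("sp-a", "sp-b"):
        idp.issue_assertion(laptop, sp)
    idp.issue_assertion(desktop, "sp-a")
    idp.sp_logout(laptop, "sp-b")          # sp-b ended its laptop session on its own
    notified = idp.single_logout(laptop)   # -> ["sp-a"]; sp-b is skipped
    return {"notified": notified, "desktop_alive": desktop in idp.sessions,
            "desktop_sps": sorted(idp.sessions[desktop])}
```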
