Subject: RE: [security-services] Use Cases
>I think that the IDP has to have some form of SessionIndex on its assertions in order to properly handle Single-Log-Out in a world where the user may have multiple simultaneous authentication sessions (such as browsers on two different computers -- where logging out of SSO on one computer shouldn't impact your session on the other computer).

This does not have to be a SessionIndex, it just has to be some form of state.

>I think that the SP is on its own with respect to local session management. Groups of SPs can do this with some form of common domain cookie.

I somewhat agree, as a process can be a session manager and there is not a requirement to have a global session manager for all domains.

>But the SP can't signal (to anybody other than the user) that its local session has been terminated. We could add SPLO (SP Log Out) capability (for the SP to be able to tell the IdP that the SP's session initiated by the SSO has been terminated) to the SLO protocols if we feel that is necessary. However, the only effect of such a call would be that the IdP would not send an SLO notification to that SP should real SLO be initiated at the IdP. The SPLO would not cause the IdP to send SPLO notifications to other SPs.

Is this a Liberty design artifact? I agree that there should be a mechanism for a service provider to signal a session termination or re-authentication required.

Anthony Nadalin | work 512.436.9568 | cell 512.289.4122
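The IdP-side state discussed in this message, as an added example that is not part of the original e-mail or of any SAML or Liberty implementation: a toy session table in which each login gets its own opaque index, Single-Log-Out is scoped to that index, and the proposed SPLO call only removes the reporting SP from the notification list. The class, method and SP names are hypothetical.

```python
import secrets


class IdPSessionTable:
    """Toy IdP state: one entry per authentication session (hypothetical model)."""

    def __init__(self):
        # session index -> {"user": name, "sps": SPs holding an assertion for it}
        self.sessions = {}

    def login(self, user):
        # Any opaque, unique value works; it only has to identify this login.
        index = secrets.token_hex(8)
        self.sessions[index] = {"user": user, "sps": set()}
        return index

    def issue_assertion(self, index, sp):
        # The index travels in the assertion so the SP can bind its local session.
        self.sessions[index]["sps"].add(sp)
        return {"subject": self.sessions[index]["user"],
                "session_index": index, "audience": sp}

    def sp_logout(self, index, sp):
        # SPLO as proposed: the SP reports that its local session ended.
        # The only effect is that this SP is skipped in a later SLO.
        session = self.sessions.get(index)
        if session is not None:
            session["sps"].discard(sp)
        return []  # no notifications go out to other SPs

    def single_logout(self, index):
        # SLO ends exactly one authentication session and returns the SPs to
        # notify; other sessions of the same user are left alone.
        session = self.sessions.pop(index, None)
        return sorted(session["sps"]) if session else []


def demo():
    # Constructed scenario: the same user logged in from two computers.
    idp = IdPSessionTable()
    home = idp.login("alice")
    work = idp.login("alice")
    idp.issue_assertion(home, "sp-a")
    idp.issue_assertion(home, "sp-b")
    idp.issue_assertion(work, "sp-a")
    splo_notifications = idp.sp_logout(home, "sp-b")
    slo_notifications = idp.single_logout(home)
    return splo_notifications, slo_notifications, work in idp.sessions
```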