Subject: RE: [security-services] sstc-saml-profiles-2.0-figures-01.pdf
> On page 2 for Logout functionality, I assume 4.
> <LogoutResponse> may not occur?

In practice, this is strictly true. We're not doing transactions here, nobody guarantees delivery and you can't force anybody to do anything.

But normatively, if you implement the Logout profile at all, you're supposed to send a response if you get something recognizable as a LogoutRequest. If you're doing SOAP, this just means you should respond to the request when you close the connection. If you're doing front-channel, you have to return the user to the requester anyway, which amounts to sending a response. If you don't do that, you're being a pretty bad citizen in the community of providers.

If you don't get a response, of course, then you have to treat the logout as incomplete at that SP. What you do then is a pretty good question, but it's bound to confuse the user and I think if I was implementing it, I'd be inclined to make *no* representation that any logout happened at all. I don't think partial success is very understandable to users.

The good thing is that all of this applies equally to all the profiles, and the security considerations around DOS attacks and such are roughly the same.

-- Scott
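The exchange discussed in the message above, as an added example that is not part of the original post or of any SAML implementation: a session participant that answers anything recognizable as a LogoutRequest with a LogoutResponse (and nothing else), and a session authority that sends a LogoutRequest to each participant, checks that each reply is a LogoutResponse to its own request with a Success status, and reports the logout as complete only when every participant answered that way. The entity IDs, the in-memory session store, the `transport` callback and the three constructed participants (well-behaved, silent, broken) are assumptions made up for the example; the namespace URIs and Success status code are the SAML 2.0 ones.

```python
"""Constructed model of SAML 2.0 Single Logout: participant response and
authority-side completeness check. Entity IDs, sessions and transport are
made up for this example; they are not from the OASIS SSTC or any product."""
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS_P = "urn:oasis:names:tc:SAML:2.0:protocol"
NS_A = "urn:oasis:names:tc:SAML:2.0:assertion"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
ET.register_namespace("samlp", NS_P)
ET.register_namespace("saml", NS_A)


def _now():
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def build_logout_request(issuer, name_id, session_index):
    req = ET.Element(f"{{{NS_P}}}LogoutRequest", ID="_" + uuid.uuid4().hex,
                     Version="2.0", IssueInstant=_now())
    ET.SubElement(req, f"{{{NS_A}}}Issuer").text = issuer
    ET.SubElement(req, f"{{{NS_A}}}NameID").text = name_id
    ET.SubElement(req, f"{{{NS_P}}}SessionIndex").text = session_index
    return ET.tostring(req, encoding="unicode")


def build_logout_response(issuer, in_response_to, status_code):
    resp = ET.Element(f"{{{NS_P}}}LogoutResponse", ID="_" + uuid.uuid4().hex,
                      Version="2.0", IssueInstant=_now(), InResponseTo=in_response_to)
    ET.SubElement(resp, f"{{{NS_A}}}Issuer").text = issuer
    status = ET.SubElement(resp, f"{{{NS_P}}}Status")
    ET.SubElement(status, f"{{{NS_P}}}StatusCode", Value=status_code)
    return ET.tostring(resp, encoding="unicode")


def handle_logout_request(xml_text, my_entity_id, sessions):
    """Participant side: a recognizable LogoutRequest always gets a LogoutResponse;
    anything else gets no reply. `sessions` maps (NameID, SessionIndex) -> state."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return None
    if root.tag != f"{{{NS_P}}}LogoutRequest":
        return None
    key = (root.findtext(f"{{{NS_A}}}NameID"), root.findtext(f"{{{NS_P}}}SessionIndex"))
    sessions.pop(key, None)  # terminate the local session if we still hold one
    # Assumption: an already-absent session is still answered with Success,
    # since the requested end state (no session) has been reached.
    return build_logout_response(my_entity_id, root.get("ID"), SUCCESS)


def coordinate_logout(authority, participants, name_id, session_index, transport):
    """Authority side. transport(participant, request_xml) returns the reply, or
    None when nothing came back (dropped front-channel hop, SOAP timeout).
    Returns (complete, {participant: "success" | "incomplete"})."""
    outcomes = {}
    for p in participants:
        request_xml = build_logout_request(authority, name_id, session_index)
        request_id = ET.fromstring(request_xml).get("ID")
        reply = transport(p, request_xml)
        outcomes[p] = "incomplete"  # until a valid Success reply proves otherwise
        if reply is None:
            continue
        try:
            root = ET.fromstring(reply)
        except ET.ParseError:
            continue
        code = root.find(f"{{{NS_P}}}Status/{{{NS_P}}}StatusCode")
        if (root.tag == f"{{{NS_P}}}LogoutResponse"
                and root.get("InResponseTo") == request_id  # answer to *our* request
                and code is not None and code.get("Value") == SUCCESS):
            outcomes[p] = "success"
    # Only an all-Success run counts as a logout; on anything less the caller
    # should make no claim to the user that a logout happened.
    return all(v == "success" for v in outcomes.values()), outcomes


def make_participant(entity_id, sessions, behaviour="responds"):
    """Constructed participant: well-behaved, silent (never returns the user), or broken."""
    def receive(request_xml):
        if behaviour == "silent":
            return None
        if behaviour == "broken":
            return "<html>service unavailable"  # not even well-formed XML
        return handle_logout_request(request_xml, entity_id, sessions)
    return receive


def run_demo():
    idp = "https://idp.example.org/saml"  # constructed entity IDs throughout
    user, index = "alice@example.org", "sess-42"
    sps = {
        "https://sp-a.example.org": make_participant("https://sp-a.example.org", {(user, index): "active"}),
        "https://sp-b.example.org": make_participant("https://sp-b.example.org", {(user, index): "active"}, "silent"),
        "https://sp-c.example.org": make_participant("https://sp-c.example.org", {(user, index): "active"}, "broken"),
    }
    return coordinate_logout(idp, list(sps), user, index, lambda p, req: sps[p](req))


if __name__ == "__main__":
    complete, outcomes = run_demo()
    print("complete" if complete else "incomplete", outcomes)
```

Running the demo yields `incomplete` with sp-a at "success" and sp-b and sp-c at "incomplete": one SP answered properly, one never returned the user, one returned something unrecognizable. The authority therefore reports no logout at all rather than a partial one. The `InResponseTo` check matters for the DOS and replay considerations the post mentions: a reply that does not reference the request the authority actually sent is not taken as evidence that anything was logged out.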