Subject: Optionality of SP support of a SOAP interface for IdP-initiated SLO
Hi all,

Although there was a vote on the Aug 3rd call to make SOAP-based SLO support optional in the conformance document (line 132 [1], 5th line of the table from the bottom), I just wanted to point out again that there is a fairly important security issue with respect to this decision (as I also noted on the call in [2]).

If an IdP discovers that a user's credentials have been stolen or otherwise compromised, but the user is not present at the IdP's site, thus preventing the IdP from redirecting the user to individual SPs for logout, then without any method to contact the SP (i.e. a SOAP SLO interface) the IdP will be unable to communicate that the IdP can no longer vouch for the supplied user's credentials.

I will note that several potential adopters of SAML/Liberty-based technology questioned Liberty members about this issue before we started to recommend that SPs support the SOAP interface for this very reason.

So, my preferred course of action would be to require the SP-complete (i.e. SP, not SP-lite) to implement the IdP-initiated SOAP SLO interface (change the OPTIONAL to a MUST in the SP column for IdP-initiated SOAP-based SLO).

If, however, the TC is against that course of action, I would highly recommend that we add text somewhere in the specification that recommends that SPs implement a SOAP SLO interface, and explains the issue. Again, I would note that this was a point of issue with several potential adopters of this technology.

Cheers,
- johnk

[1] http://www.oasis-open.org/apps/org/workgroup/security/download.php/8514/sstc-saml-conformance-2.0-draft-04-diff.pdf
[2] http://www.oasis-open.org/archives/security-services/200408/msg00019.html
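The gap the message describes, shown as an added example that is not part of the original post or of any SAML toolkit: a minimal SP-side session store with both a front-channel logout handler (which can only act on the cookie carried by the user's browser) and a back-channel SOAP LogoutRequest handler (which the IdP can call directly, so it still works when the user is absent). The class and function names, the sample SOAP envelope and the issuer/NameID values are assumptions constructed for this illustration; signature verification of the LogoutRequest is noted but not implemented.

```python
"""SP-side SAML 2.0 single logout: front-channel vs. back-channel (SOAP).

Added illustration; not code from the SSTC message or from any SAML product.
All names and sample values below are constructed assumptions.
"""
import xml.etree.ElementTree as ET

NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
STATUS_REQUESTER = "urn:oasis:names:tc:SAML:2.0:status:Requester"

# Constructed sample: what the IdP would POST to the SP's SOAP SLO endpoint.
SAMPLE_SOAP_LOGOUT = """<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
        xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
        ID="_req1" Version="2.0" IssueInstant="2004-08-10T00:00:00Z">
      <saml:Issuer>https://idp.example.org/</saml:Issuer>
      <saml:NameID>alice@example.org</saml:NameID>
      <samlp:SessionIndex>idx-42</samlp:SessionIndex>
    </samlp:LogoutRequest>
  </soap:Body>
</soap:Envelope>"""


class SessionStore:
    """SP sessions keyed by the SP's own cookie; each remembers the IdP NameID
    and SessionIndex from the assertion that created it."""

    def __init__(self):
        self._sessions = {}

    def login(self, cookie, name_id, session_index):
        self._sessions[cookie] = {"name_id": name_id, "session_index": session_index}

    def is_active(self, cookie):
        return cookie in self._sessions

    def terminate(self, cookie):
        return self._sessions.pop(cookie, None) is not None

    def terminate_by_principal(self, name_id, session_indexes):
        """Terminate every session for this NameID, restricted to the given
        SessionIndex values if the IdP supplied any. Returns the count."""
        doomed = [
            c for c, s in self._sessions.items()
            if s["name_id"] == name_id
            and (not session_indexes or s["session_index"] in session_indexes)
        ]
        for c in doomed:
            del self._sessions[c]
        return len(doomed)


def handle_front_channel_logout(store, browser_cookie):
    """Front-channel SLO (HTTP-Redirect/POST): the LogoutRequest arrives via
    the user's browser, so the SP locates the session by its own cookie.
    With no browser present there is no cookie and nothing can be ended."""
    if browser_cookie is None or not store.is_active(browser_cookie):
        return 0
    store.terminate(browser_cookie)
    return 1


def handle_soap_logout(store, soap_envelope, trusted_issuers):
    """Back-channel SLO: the IdP delivers a SOAP-wrapped LogoutRequest to the
    SP directly, so it works even when the user is absent (e.g. after the IdP
    learns the credentials were compromised). Returns (status URI, count).
    A real SP must verify the request signature before acting; omitted here."""
    root = ET.fromstring(soap_envelope)
    req = root.find("soap:Body/samlp:LogoutRequest", NS)
    if req is None:
        return STATUS_REQUESTER, 0
    issuer = req.findtext("saml:Issuer", namespaces=NS)
    if issuer not in trusted_issuers:
        return STATUS_REQUESTER, 0
    name_id = req.findtext("saml:NameID", namespaces=NS)
    indexes = {e.text for e in req.findall("samlp:SessionIndex", NS)}
    return STATUS_SUCCESS, store.terminate_by_principal(name_id, indexes)


def demo():
    """Alice has two SP sessions (idx-42, idx-43); Bob has one. Alice is not
    at her browser, so front-channel logout cannot reach her session, but the
    IdP's SOAP request terminates the session it names (idx-42)."""
    store = SessionStore()
    store.login("cookie-A", "alice@example.org", "idx-42")
    store.login("cookie-B", "alice@example.org", "idx-43")
    store.login("cookie-C", "bob@example.org", "idx-44")
    front = handle_front_channel_logout(store, browser_cookie=None)
    status, n = handle_soap_logout(store, SAMPLE_SOAP_LOGOUT, {"https://idp.example.org/"})
    return front, status, n, store.is_active("cookie-A"), store.is_active("cookie-B")


if __name__ == "__main__":
    print(demo())
```

Because the sample request names a single SessionIndex, only that session ends; an IdP that wants every session for the principal terminated omits the SessionIndex element, which the handler treats as "all sessions for this NameID". Requests from an issuer the SP does not trust are refused with a Requester status before any session is touched.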