Subject: [Fwd: [security-services] Optionality of SP support of a SOAP interfacefor IdP-initiated SLO]
Hi everyone,

As if I hadn't generated enough discussion around this topic already, I thought I'd stick my oar in the water again ;)

Regarding the attached email, I would like to propose a motion to amend the current draft of the SAML conformance document (draft 05), changing the contents of a cell of the table at line 151 of [1], indexed by the row marked 'Single Logout (IdP-initiated) - SOAP' and the column marked 'SP', from 'OPTIONAL' to 'MUST', in mitigation of the concern noted below.

I hope we can discuss this briefly on the call tomorrow.

Cheers,
- KohnK
--- Begin Message ---
- From: "ext John Kemp" <john.kemp@nokia.com>
- To: "'SAML'" <security-services@lists.oasis-open.org>
- Date: Tue, 10 Aug 2004 14:22:02 -0400
Hi all,

Although there was a vote on the Aug 3rd call to make SOAP-based SLO support optional in the conformance document (line 132 of [1], 5th line of the table from the bottom), I just wanted to point out again that there is a fairly important security issue with respect to this decision (as I also noted on the call in [2]).

If an IdP discovers that a user's credentials have been stolen or otherwise compromised, but the user is not present at the IdP's site, thus preventing the IdP from re-directing the user to individual SPs for logout, then without any method to contact the SP (i.e. a SOAP SLO interface) the IdP will be unable to communicate that the IdP can no longer vouch for the supplied user's credentials.

I will note that several potential adopters of SAML/Liberty-based technology questioned Liberty members about this issue before we started to recommend that SPs support the SOAP interface for this very reason.

So, my preferred course of action would be to require the SP-complete (i.e. SP, not SP-lite) to implement the IdP-initiated SOAP SLO interface (change the OPTIONAL to a MUST in the SP column for IdP-initiated SOAP-based SLO). If, however, the TC is against that course of action, I would highly recommend that we add text somewhere in the specification that recommends that SPs implement a SOAP SLO interface, and explains the issue. Again, I would note that this was a point of issue with several potential adopters of this technology.

Cheers,
- johnk

[1] http://www.oasis-open.org/apps/org/workgroup/security/download.php/8514/sstc-saml-conformance-2.0-draft-04-diff.pdf
[2] http://www.oasis-open.org/archives/security-services/200408/msg00019.html
--- End Message ---
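The forwarded message argues that an SP which only implements front-channel (redirect/POST) logout has no way to learn that the IdP has stopped vouching for a principal when that principal's browser is not at the IdP. The following is an added illustration of the SP endpoint the message wants made mandatory: a SOAP-bound handler the IdP can call directly, without any user present. It is not code from the OASIS SSTC thread or from any SAML product. The entity ids, NameIDs and session ids are constructed sample values, and `verify_signature` is an assumed hook that a real deployment must implement against the IdP's metadata key before acting on any request.

```python
"""SP-side back-channel (SOAP binding) Single Logout handler.

Added illustration only; not code from the OASIS SSTC thread or from any
SAML implementation. The IdP calls this endpoint directly, so it works
even when the user's browser is absent. All entity ids, NameIDs and
session ids below are constructed sample values.
"""
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from xml.sax.saxutils import escape, quoteattr

NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
STATUS_REQUESTER = "urn:oasis:names:tc:SAML:2.0:status:Requester"
LOGOUT_ADMIN = "urn:oasis:names:tc:SAML:2.0:logout:admin"

SP_ENTITY_ID = "https://sp.example.com"   # assumed SP entity id
TRUSTED_IDP = "https://idp.example.org"   # assumed IdP entity id


def sample_sessions():
    """Constructed SP session store: session id -> (IdP, NameID, SessionIndex)."""
    return {
        "sp-sess-1": (TRUSTED_IDP, "alice", "idx-100"),
        "sp-sess-2": (TRUSTED_IDP, "alice", "idx-101"),
        "sp-sess-3": (TRUSTED_IDP, "bob", "idx-200"),
    }


def make_logout_request(issuer, name_id, session_indexes, request_id="_req1"):
    """Constructed IdP-initiated <LogoutRequest> wrapped in a SOAP envelope."""
    idx = "".join(f"<samlp:SessionIndex>{escape(i)}</samlp:SessionIndex>" for i in session_indexes)
    return (
        f'<soap:Envelope xmlns:soap="{NS["soap"]}"><soap:Body>'
        f'<samlp:LogoutRequest xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
        f'ID="{request_id}" Version="2.0" IssueInstant="2004-08-10T18:22:02Z" Reason="{LOGOUT_ADMIN}">'
        f"<saml:Issuer>{escape(issuer)}</saml:Issuer><saml:NameID>{escape(name_id)}</saml:NameID>{idx}"
        "</samlp:LogoutRequest></soap:Body></soap:Envelope>"
    )


def build_response(status_code, in_response_to):
    """<LogoutResponse> in a SOAP envelope (unsigned here; sign it in production)."""
    now = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    irt = f" InResponseTo={quoteattr(in_response_to)}" if in_response_to else ""
    return (
        f'<soap:Envelope xmlns:soap="{NS["soap"]}"><soap:Body>'
        f'<samlp:LogoutResponse xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
        f'ID="_{uuid.uuid4().hex}" Version="2.0" IssueInstant="{now}"{irt}>'
        f"<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer>"
        f'<samlp:Status><samlp:StatusCode Value="{status_code}"/></samlp:Status>'
        "</samlp:LogoutResponse></soap:Body></soap:Envelope>"
    )


def handle_soap_slo(envelope_xml, sessions, verify_signature):
    """Process one back-channel LogoutRequest against the SP session store.

    verify_signature(element) is an assumed hook that must check the XML
    signature against the IdP's metadata key. Returns (response_xml, count
    of sessions terminated).
    """
    try:
        root = ET.fromstring(envelope_xml)
    except ET.ParseError:
        return build_response(STATUS_REQUESTER, None), 0
    req = root.find("soap:Body/samlp:LogoutRequest", NS)
    if req is None:
        return build_response(STATUS_REQUESTER, None), 0
    issuer = req.findtext("saml:Issuer", default="", namespaces=NS).strip()
    # Act only on signed requests from the IdP this SP federates with.
    if issuer != TRUSTED_IDP or not verify_signature(req):
        return build_response(STATUS_REQUESTER, req.get("ID")), 0
    name_id = req.findtext("saml:NameID", default="", namespaces=NS).strip()
    wanted = {e.text.strip() for e in req.findall("samlp:SessionIndex", NS) if e.text}
    terminated = 0
    for sid, (idp, nid, idx) in list(sessions.items()):
        # No SessionIndex in the request means every session of that principal.
        if idp == issuer and nid == name_id and (not wanted or idx in wanted):
            del sessions[sid]
            terminated += 1
    return build_response(STATUS_SUCCESS, req.get("ID")), terminated


if __name__ == "__main__":
    store = sample_sessions()
    req = make_logout_request(TRUSTED_IDP, "alice", ["idx-100", "idx-101"])
    resp, n = handle_soap_slo(req, store, verify_signature=lambda el: True)  # placeholder verifier
    print(n, "session(s) terminated; remaining:", sorted(store))
    print(resp)
```

The handler refuses anything not issued by the configured IdP or not passing the signature hook, terminates only the named sessions (all of the principal's sessions if the request carries no SessionIndex, as SAML 2.0 Core specifies), and answers with a LogoutResponse whose InResponseTo ties it to the request. None of this needs the user's browser, which is exactly the gap the message describes for SPs that implement only the redirect binding.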