Subject: Re: [Fwd: [security-services] Optionality of SP support of a SOAP interface for IdP-initiated SLO]


Hi,

I just noticed that, in fact, we currently do not mandate SP-initiated 
SOAP-based SLO at the IdP either. Since the same issue arises, I would 
like to amend my previous proposal to make the following two changes to [1]:

* Mandate Single Logout (IdP-initiated) - SOAP support by SPs
* Mandate Single Logout (SP-initiated) - SOAP support by IdPs

Both of these changes affect the table at line 151 of [1], each 
changing a cell from 'OPTIONAL' to 'MUST'.

These changes would mitigate a potential security issue where one party 
discovers that a user's credentials have been compromised and would like 
to logout that user at other parties, but does not have the user present 
at their site (and thus cannot use HTTP redirects).

[1] http://www.oasis-open.org/apps/org/workgroup/security/download.php/8718/sstc-saml-conformance-2.0-draft-05-diff.pdf

Cheers,

- JohnK
 
ext John Kemp wrote:

> Hi everyone,
>
> As if I hadn't generated enough discussion around this topic already, 
> I thought I'd stick my oar in the water again ;) Regarding the 
> attached email, I would like to propose a motion to amend the current 
> draft of the SAML conformance document (draft 05) changing the 
> contents of a cell of the table at line 151 of [1], indexed by the row 
> marked 'Single Logout (IdP-initiated) - SOAP' and the column marked 
> 'SP', from 'OPTIONAL' to 'MUST', in mitigation of the concern noted 
> below.
>
> I hope we can discuss this briefly on the call tomorrow.
>
> Cheers,
>
> - JohnK
>
> ------------------------------------------------------------------------
>
> Subject:
> [security-services] Optionality of SP support of a SOAP interface for 
> IdP-initiated SLO
> From:
> "ext John Kemp" <john.kemp@nokia.com>
> Date:
> Tue, 10 Aug 2004 14:22:02 -0400
> To:
> "'SAML'" <security-services@lists.oasis-open.org>
>
>
> Hi all,
>
> Although there was a vote on the Aug 3rd call to make SOAP-based SLO 
> support optional in the conformance document (line 132 of [1], 5th line 
> of the table from the bottom), I just wanted to point out again that 
> there is a fairly important security issue with respect to this decision 
> (as I also noted on the call in [2]).
>
> If an IdP discovers that a user's credentials have been stolen or 
> otherwise compromised, but the user is not present at the IdP's site, 
> thus preventing the IdP from re-directing the user to individual SPs 
> for logout, then without any method to contact the SP (i.e. a SOAP SLO 
> interface) the IdP will be unable to communicate that the IdP can no 
> longer vouch for the supplied user's credentials.
>
> I will note that several potential adopters of SAML/Liberty-based 
> technology questioned Liberty members about this issue before we 
> started to recommend that SPs support the SOAP interface for this very 
> reason.
>
> So, my preferred course of action would be to require the SP-complete 
> (i.e. SP, not SP-lite) to implement the IdP-initiated SOAP SLO 
> interface (change the OPTIONAL to a MUST in the SP column for 
> IdP-initiated SOAP-based SLO).
>
> If, however, the TC is against that course of action, I would highly 
> recommend that we add text somewhere in the specification that 
> recommends that SPs implement a SOAP SLO interface, and explains the 
> issue. Again, I would note that this was a point of issue with several 
> potential adopters of this technology.
>
> Cheers,
>
> - johnk
>
> [1] 
> http://www.oasis-open.org/apps/org/workgroup/security/download.php/8514/sstc-saml-conformance-2.0-draft-04-diff.pdf 
>
> [2] 
> http://www.oasis-open.org/archives/security-services/200408/msg00019.html
>
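The back-channel exchange the thread argues for, as an added example that is not part of the original messages: the IdP builds a `<samlp:LogoutRequest>` in a SOAP envelope and sends it server-to-server to the SP's SOAP SLO endpoint, so the user's browser never has to be present; the SP checks the issuer, rejects replayed or expired requests, terminates only the matching sessions and answers with a `<samlp:LogoutResponse>`. Entity IDs, NameIDs and session indexes are constructed; the `ServiceProvider` class and its method names are this example's own, and authentication of the request (XML signature or mutually authenticated TLS) is assumed to be verified before `process_soap_logout()` is reached.

```python
"""IdP-initiated Single Logout over the SOAP binding (back channel).

Added example, not from the thread. Entity IDs, NameIDs and session
indexes are constructed. Authentication of the LogoutRequest (XML
signature or mutually authenticated TLS) is assumed to be checked by
the transport layer before process_soap_logout() is called.
"""
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)

STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
STATUS_REQUESTER = "urn:oasis:names:tc:SAML:2.0:status:Requester"
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"


def _q(prefix, tag):
    return "{%s}%s" % (NS[prefix], tag)


def build_soap_logout_request(idp_entity_id, name_id, session_index,
                              reason=None, ttl_seconds=300):
    """IdP side: a <samlp:LogoutRequest> inside a SOAP envelope.

    Sent directly to the SP's SOAP endpoint; no browser redirect is needed.
    Returns (request_id, message_bytes).
    """
    now = datetime.now(timezone.utc)
    request_id = "_" + uuid.uuid4().hex
    env = ET.Element(_q("soap", "Envelope"))
    body = ET.SubElement(env, _q("soap", "Body"))
    req = ET.SubElement(body, _q("samlp", "LogoutRequest"), {
        "ID": request_id,
        "Version": "2.0",
        "IssueInstant": now.strftime(TIME_FMT),
        # Bound the window in which a captured message could be replayed.
        "NotOnOrAfter": (now + timedelta(seconds=ttl_seconds)).strftime(TIME_FMT),
    })
    if reason:
        req.set("Reason", reason)
    ET.SubElement(req, _q("saml", "Issuer")).text = idp_entity_id
    ET.SubElement(req, _q("saml", "NameID")).text = name_id
    ET.SubElement(req, _q("samlp", "SessionIndex")).text = session_index
    return request_id, ET.tostring(env, encoding="utf-8")


class ServiceProvider:
    """SP side: in-memory session store plus the SOAP SLO endpoint logic."""

    def __init__(self, entity_id, trusted_idps):
        self.entity_id = entity_id
        self.trusted_idps = set(trusted_idps)
        self.sessions = {}  # session key -> (name_id, session_index, idp)
        self.seen_request_ids = set()

    def create_session(self, name_id, session_index, idp_entity_id):
        key = uuid.uuid4().hex
        self.sessions[key] = (name_id, session_index, idp_entity_id)
        return key

    def process_soap_logout(self, message_bytes, now=None):
        """Handle one back-channel LogoutRequest.

        Returns (status_code, sessions_terminated, response_bytes).
        """
        now = now or datetime.now(timezone.utc)
        root = ET.fromstring(message_bytes)
        req = root.find("soap:Body/samlp:LogoutRequest", NS)
        if req is None:
            return self._respond(STATUS_REQUESTER, None, 0)
        request_id = req.get("ID")
        issuer = req.findtext("saml:Issuer", namespaces=NS)
        expiry = req.get("NotOnOrAfter")
        expired = expiry is not None and (
            datetime.strptime(expiry, TIME_FMT).replace(tzinfo=timezone.utc) <= now)
        if (issuer not in self.trusted_idps or request_id is None
                or request_id in self.seen_request_ids or expired):
            # Unknown issuer, replayed ID or stale request: refuse it.
            return self._respond(STATUS_REQUESTER, request_id, 0)
        self.seen_request_ids.add(request_id)
        name_id = req.findtext("saml:NameID", namespaces=NS)
        indexes = {e.text for e in req.findall("samlp:SessionIndex", NS)}
        # Terminate the sessions this IdP established for the named user;
        # when SessionIndex values are given, only those sessions are hit.
        doomed = [key for key, (n, s, idp) in self.sessions.items()
                  if n == name_id and idp == issuer and (not indexes or s in indexes)]
        for key in doomed:
            del self.sessions[key]
        return self._respond(STATUS_SUCCESS, request_id, len(doomed))

    def _respond(self, status_code, in_response_to, terminated):
        env = ET.Element(_q("soap", "Envelope"))
        body = ET.SubElement(env, _q("soap", "Body"))
        attrs = {"ID": "_" + uuid.uuid4().hex, "Version": "2.0",
                 "IssueInstant": datetime.now(timezone.utc).strftime(TIME_FMT)}
        if in_response_to:
            attrs["InResponseTo"] = in_response_to
        resp = ET.SubElement(body, _q("samlp", "LogoutResponse"), attrs)
        ET.SubElement(resp, _q("saml", "Issuer")).text = self.entity_id
        status = ET.SubElement(resp, _q("samlp", "Status"))
        ET.SubElement(status, _q("samlp", "StatusCode"), {"Value": status_code})
        return status_code, terminated, ET.tostring(env, encoding="utf-8")
```

The point of the replay and `NotOnOrAfter` checks is that a back-channel endpoint is reachable without any user interaction, so the SP must decide on its own whether a given request is fresh and comes from an IdP it trusts; with the HTTP redirect binding that decision is partly anchored by the user's browser being in the loop.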