Subject: RE: [security-services] SLO processing rules

Scott, two comments.

1. I would propose changing
"that the authority SHOULD try and contact each SP even if one fails"
to
"that the authority MUST try and contact each SP even if one fails"

I think that every SP would want to be contacted and should not be omitted because some other SP is offline or does not support a back-channel binding.

2. Is it worth it to consider two partial logout subcodes? One for a partial logout where all SPs that support the required binding were contacted successfully (but there was at least one SP that did not support the required binding). And a second subcode where at least one SP that supports the binding fails. The second one would preclude the first.


I think it's important that (1) be changed. I don't know if (2) really provides much.

Note that there's actually a third case/subcode possible for a partial logout. This is when front-channel bindings are used and the IDP provides the user with an interface to select the SPs to log out from. And the user does not select logout from all SPs. In this case, it is a partial logout but the user causes some SPs to remain in-session. As I mentioned above, I don't know if this detail of subcodes provides added value. So perhaps the single PartialLogout subcode is sufficient in all cases.

Tom.

-----Original Message-----
From: Scott Cantor [mailto:cantor.2@osu.edu]
Sent: Thursday, January 06, 2005 3:06 AM
To: 'Greg Whitehead'; security-services@lists.oasis-open.org
Subject: RE: [security-services] SLO processing rules


Because we're under a deadline for the ballot, I have integrated the changes
proposed by Greg (which I believe achieve the goals expressed by various
reviewers recently...Conor, Thomas, etc.) into draft-3b of core and
profiles.

The changes mostly impact core but aren't large or invasive.

In profiles, I simply reordered the sections that discuss front and back
channel use in step 1 of the profile (SP sends LogoutRequest to IdP) and
added a SHOULD so that the profile favors use of front-channel when
possible. It also briefly explains why.

Lines affected in profiles 3b-diff:
        1156
        1214-1246 (big cut and paste, not actually much changed)

In core, I added a new subcode called PartialLogout, and then replaced the
error handling rules in section 3.7.3.2 with three new paragraphs that
explain:

- that the top level code indicates logout with respect to the session
authority only

- that the authority SHOULD try and contact each SP even if one fails

- that if not all SPs were reached, it should return the PartialLogout
subcode in its Success response

That's it. I think it's all much cleaner now. Changes start on line 2642 of
core-3b-diff.

Greg/Conor/others, please review if at all possible in the morning and get
any comments to the list ASAP.

-- Scott
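The three processing rules Scott describes (top-level status reflects only the session authority's own session; every SP is attempted even when one fails; a Success response carries the PartialLogout subcode when not every SP was logged out), together with the three partial-logout causes Tom lists (SP lacks the binding, SP fails, user deselects an SP in a front-channel UI), as an added Python model of the session authority's side. This is illustrative code written for this page, not anything from the OASIS drafts; the status and binding URIs are the real SAML 2.0 values, while the SP entity IDs, the `send` transport stub and the reason strings are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# Real SAML 2.0 status URIs; PartialLogout is the second-level code under discussion.
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
STATUS_PARTIAL_LOGOUT = "urn:oasis:names:tc:SAML:2.0:status:PartialLogout"

# Real SAML 2.0 binding URIs used to tell back-channel (SOAP) from front-channel apart.
BINDING_SOAP = "urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
BINDING_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"


@dataclass
class SPSession:
    """One SP participating in the principal's session at the authority (constructed model)."""
    entity_id: str
    bindings: List[str]          # bindings the SP's SingleLogoutService supports
    selected: bool = True        # front-channel case: did the user choose to log this SP out?


@dataclass
class LogoutOutcome:
    top_level: str                       # status of the authority's own session
    second_level: Optional[str]          # PartialLogout or None
    logged_out: List[str] = field(default_factory=list)
    not_reached: Dict[str, str] = field(default_factory=dict)   # entity_id -> reason


def process_logout(sessions: List[SPSession], binding: str,
                   send: Callable[[str, str], bool]) -> LogoutOutcome:
    """Session authority processing of a LogoutRequest for one principal.

    The authority terminates its own session first, so the top-level code is Success.
    It then attempts every SP in turn; a failure never stops later SPs being tried.
    If any SP was not logged out, for whatever reason, PartialLogout is reported.
    """
    outcome = LogoutOutcome(top_level=STATUS_SUCCESS, second_level=None)
    for sp in sessions:
        if not sp.selected:
            outcome.not_reached[sp.entity_id] = "not selected by user"
            continue
        if binding not in sp.bindings:
            outcome.not_reached[sp.entity_id] = "binding not supported"
            continue
        try:
            ok = send(sp.entity_id, binding)
        except Exception:            # transport error counts as a failed attempt
            ok = False
        if ok:
            outcome.logged_out.append(sp.entity_id)
        else:
            outcome.not_reached[sp.entity_id] = "logout request failed"
    if outcome.not_reached:
        outcome.second_level = STATUS_PARTIAL_LOGOUT
    return outcome


# Constructed sample: four SPs with different binding support and reachability.
SAMPLE_SESSIONS = [
    SPSession("https://sp-a.example/saml", [BINDING_SOAP, BINDING_REDIRECT]),
    SPSession("https://sp-b.example/saml", [BINDING_REDIRECT]),       # no back channel
    SPSession("https://sp-c.example/saml", [BINDING_SOAP]),           # offline below
    SPSession("https://sp-d.example/saml", [BINDING_SOAP]),           # must still be tried
]
REACHABLE = {"https://sp-a.example/saml": True,
             "https://sp-c.example/saml": False,
             "https://sp-d.example/saml": True}


def fake_send(entity_id: str, binding: str) -> bool:
    """Stand-in for the back-channel SOAP exchange; returns whether the SP answered Success."""
    return REACHABLE.get(entity_id, False)


def demo_back_channel() -> LogoutOutcome:
    """Back-channel logout: sp-b lacks SOAP, sp-c is down, sp-d is still contacted."""
    return process_logout(SAMPLE_SESSIONS, BINDING_SOAP, fake_send)


def demo_front_channel_deselect() -> LogoutOutcome:
    """Front-channel logout where the user unticks one SP (Tom's third case)."""
    sessions = [SPSession("https://sp-a.example/saml", [BINDING_REDIRECT]),
                SPSession("https://sp-b.example/saml", [BINDING_REDIRECT], selected=False)]
    return process_logout(sessions, BINDING_REDIRECT, lambda eid, b: True)


if __name__ == "__main__":
    out = demo_back_channel()
    print(out.top_level, out.second_level)
    print("logged out:", out.logged_out)
    print("not reached:", out.not_reached)
```

The `not_reached` reasons are kept only for the authority's own logging; the response itself carries the single PartialLogout subcode, which is the design Tom leans towards at the end of his note. Swapping the reason strings for distinct subcodes would be the change his comment (2) proposes.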

