Subject: RE: [security-services] SLO processing rules


> 1. I would propose changing 
> "that the authority SHOULD try and contact each SP even if one fails" 
> to 
> "that the authority MUST try and contact each SP even if one fails" 
> 
> I think that every SP would want to be contacted and should 
> not be omitted because some other SP is offline or does not 
> support a back-channel binding.

I used SHOULD because other language around the operation pretty much ceded
most decision making to the session authority about how to process the
logout. For example, the very beginning of the rules says the SA SHOULD do a
set of things in a certain order, but doesn't say MUST. That's not new
language.

> 2. Is it worth it to consider two partial logout subcodes. 
> One for a partial logout where all SPs that support the 
> required binding were contacted successfully (but there was 
> at least one SP that did not support the required binding). 
> And a second subcode where at least one SP that supports the 
> binding fails. The second one would preclude the first. 

I don't think it matters. Failure is failure, because the concept of
retrying doesn't work in the current protocol.

> I think it's important that (1) be changed. I don't know if 
> (2) really provides much. 

I've ceded the token on the specs, so if people want this changed, Rob can
apply it, but there are multiple SHOULDs that would have to be changed and
the change is not to the new material but to the basic rule that the protocol
operated by, which was that the SA is in charge.

> Note that there's actually a third case/subcode possible for 
> a partial logout. This is when front-channel bindings are 
> used and the IDP provides the user with an interface to 
> select the SPs to log out from.

In this case, there's no subcode at all because there's no LogoutResponse to
send to an SP to complete the logout. The IdP is running the show.

-- Scott
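As an added illustration of the rule debated above (example code, not from the thread or from any SAML implementation), the following Python models a session authority's back-channel logout fan-out: it attempts every session participant even after an earlier failure, and it maps both "SP lacks the binding" and "SP did not answer" onto the single PartialLogout status, since the protocol offers no retry. The participants, entityIDs and `flaky_send` stub are constructed; the status and binding URIs are the ones defined by SAML 2.0 Core.

```python
from dataclasses import dataclass, field

# Status codes and binding URIs from SAML 2.0 Core; everything else is a constructed model.
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
STATUS_PARTIAL_LOGOUT = "urn:oasis:names:tc:SAML:2.0:status:PartialLogout"
SOAP_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
REDIRECT_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

@dataclass
class LogoutOutcome:
    contacted: list[str] = field(default_factory=list)
    skipped_no_binding: list[str] = field(default_factory=list)
    failed: list[str] = field(default_factory=list)

    def status_code(self) -> str:
        # An SP without the binding and an SP that failed both leave a session alive,
        # and the protocol has one PartialLogout code for either case (no retry exists).
        if self.skipped_no_binding or self.failed:
            return STATUS_PARTIAL_LOGOUT
        return STATUS_SUCCESS

def run_back_channel_logout(participants, send, required_binding=SOAP_BINDING) -> LogoutOutcome:
    """Session authority fan-out: every SP is attempted even after an earlier failure."""
    outcome = LogoutOutcome()
    for entity_id, bindings in participants:
        if required_binding not in bindings:
            outcome.skipped_no_binding.append(entity_id)
            continue
        try:
            ok = send(entity_id)
        except Exception:          # transport error counts as a failed contact
            ok = False
        (outcome.contacted if ok else outcome.failed).append(entity_id)
    return outcome

# Constructed session participants as (entityID, supported SLO bindings).
PARTICIPANTS = [
    ("https://sp-a.example/saml", [SOAP_BINDING]),
    ("https://sp-b.example/saml", [SOAP_BINDING]),      # will be "offline"
    ("https://sp-c.example/saml", [REDIRECT_BINDING]),  # front-channel only
    ("https://sp-d.example/saml", [SOAP_BINDING]),
]

def flaky_send(entity_id: str) -> bool:
    # Constructed stand-in for delivering a LogoutRequest over SOAP; sp-b times out.
    if "sp-b" in entity_id:
        raise ConnectionError("timeout")
    return True

def demo() -> LogoutOutcome:
    return run_back_channel_logout(PARTICIPANTS, flaky_send)
```

Running `demo()` shows sp-d still being contacted after sp-b fails, with the overall LogoutResponse status resolving to PartialLogout.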