For case 2b, an MNI terminate message is sent from the SP to the IDP to terminate the federation. It is up to the SP as to whether the SAML session created by an Assertion from the IDP is logged out. In general the SAML session SHOULD be logged out. [[TomW: this is the difference from 1b that was proposed on the conference call. I still think that perhaps this should be changed to SHOULD NOT as in 1b??]] When the IDP receives an MNI terminate message, the IDP SHOULD remove or otherwise invalidate the SAML session it has for the SP. To adhere to the SAML specification requirements, the IDP and the SP MUST NOT send an SLO message with the terminated NameID.
For case 2d, an MNI terminate message is sent from the IDP to the SP to terminate the federation. The IDP SHOULD NOT [[TomW: we could change this to MAY, but I don't think it's appropriate; if we don't, 2d is identical to 1d]] send an SLO message to the SP prior to sending the MNI terminate message. The IDP SHOULD remove or otherwise invalidate the SAML session it has for the SP. It is up to the SP as to whether the SAML session created by an Assertion from the IDP is logged out when the SP receives the MNI terminate message. In general the SAML session SHOULD NOT be logged out. [[TomW: I think this is appropriate, but others can argue that a SHOULD should be used??]] To adhere to the SAML specification requirements, the IDP and the SP MUST NOT send an SLO message after the MNI terminate message because the NameID has been terminated.
[[TomW: Keep in mind that there is no normative text around what should happen to a SAML ID federation for a user that is "locally removed" at a provider -- regardless of whether it is user-initiated or admin-initiated. If the provider does not do an exhaustive propagation (e.g., via an MNI Termination to all partners where an ID Federation exists), the federated identities basically become orphaned.]]
Tom.
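A small model of the two cases discussed above (2b: SP-initiated terminate, 2d: IDP-initiated terminate without a prior SLO), added here as an example and not code from the original message or from any SAML/Liberty implementation. The Provider class, the sample NameID and the logout flags are constructed for the illustration; the point it shows is that the IDP drops its session in both cases, the SP's choice is a local policy, and no SLO can be sent for a NameID once the federation is terminated.

```python
# Added model of the two termination cases from the message (2b and 2d);
# a constructed illustration, not Liberty Alliance or SAML reference code.
from dataclasses import dataclass, field

NAME_ID = "alice@example.org"  # constructed sample NameID


@dataclass
class Provider:
    name: str
    federations: set = field(default_factory=set)  # NameIDs still federated
    sessions: set = field(default_factory=set)     # NameIDs with a live SAML session

    def send_slo(self, peer, name_id):
        """Single logout; refused (returns False) once the NameID is terminated,
        since neither side may send SLO for a terminated NameID."""
        if name_id not in self.federations:
            return False
        self.sessions.discard(name_id)
        peer.sessions.discard(name_id)
        return True

    def send_mni_terminate(self, peer, name_id, sender_logout, receiver_logout):
        """Terminate the federation on both ends; sessions drop per the flags."""
        self.federations.discard(name_id)
        peer.federations.discard(name_id)
        if sender_logout:
            self.sessions.discard(name_id)
        if receiver_logout:
            peer.sessions.discard(name_id)


def federated_pair():
    sp, idp = Provider("SP"), Provider("IDP")
    for p in (sp, idp):
        p.federations.add(NAME_ID)
        p.sessions.add(NAME_ID)  # session established by an assertion from the IDP
    return sp, idp


def run_case(case, sp_logs_out=None):
    """'2b': SP -> IDP terminate; '2d': IDP -> SP terminate with no prior SLO.
    The IDP drops its session in both (SHOULD); the SP's default follows the
    message: log out in 2b (SHOULD), keep the session in 2d (SHOULD NOT)."""
    sp, idp = federated_pair()
    if sp_logs_out is None:
        sp_logs_out = case == "2b"
    if case == "2b":
        sp.send_mni_terminate(idp, NAME_ID, sender_logout=sp_logs_out, receiver_logout=True)
    else:
        idp.send_mni_terminate(sp, NAME_ID, sender_logout=True, receiver_logout=sp_logs_out)
    return sp, idp
```

Passing `sp_logs_out` explicitly to `run_case` models the SP overriding the default recommendation either way, which is the choice the message leaves to the SP.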