Subject: RE: [security-services] Potential Errata: Session Index on logout
> I still think this information belongs in the core spec in
> the description of <LogoutRequest> <SessionIndex> element as
> the concept isn't a profile specific issue.

I think it is profile-specific. The definition of SessionIndex in Logout in core was intentionally loose and was tightened up specifically as it pertained to the SSO profile. The assumption was that only the profiles were explicit about the relationship between SSO and SLO, and only in the web browser or ECP case.

> I am also concerned about the fact that the profile says
> there MUST be at least one element since the IdP may, for
> whatever reason, choose to not support the concept of
> multiple simultaneous sessions (it's not that uncommon) in
> which case it wouldn't provide a SessionIndex and therefore
> the logout would not need one.

Line 551 of profiles:

    If the identity provider supports the Single Logout profile, defined in Section 4.4, any such authentication statements MUST include a SessionIndex attribute to enable per-session logout requests by the service provider.

I don't recall any specific reasoning for that statement, but it's there. I don't think it matters much, it just means the IdP sends the same thing every time.

-- Scott