Subject: RE: [security-services] Two potential errata items


I took action items to propose clarification text for these items. Jahan,
please create errata for them.

First, Rob's issue about the use of default indexed endpoints in metadata:
> http://lists.oasis-open.org/archives/security-services/200510/msg00026.html

Suggest we modify Metadata, line 272:

"In any such sequence of indexed endpoints that share a common element name
and namespace (i.e. all instances of <md:AssertionConsumerService> within a
role), the default endpoint is..."

Finally, YALI (yet another logout issue):
> http://lists.oasis-open.org/archives/security-services/200511/msg00004.html

I reviewed all the text in core and profiles and I conclude that Conor was
right. There's already text in core that's explicit about the relationship
between SessionIndex in LogoutRequest and AuthnStatement, so his suggestion,
modified a bit, makes sense:

Change Core, line 2546:

"The index of the session between the principal identified by the
<saml:BaseID>, <saml:NameID>, or <saml:EncryptedID> element, and the session
authority. This must correlate to the SessionIndex attribute, if any, in the
<saml:AuthnStatement> of the assertion used to establish the session that is
being terminated."

For clarity around why an SP MUST include SessionIndex in the SLO profile, I
suggest changing Profiles, line 1302-1304 to:

"If the requester is a session participant, it MUST include at least one
<SessionIndex> element in the request. (Note that the session participant
always receives a SessionIndex attribute in the <saml:AuthnStatement>
elements that it receives to initiate the session, per section 4.1.4.2 of
the Web Browser SSO Profile.)

If the requester is a session authority (or acting on its behalf), then it
MAY omit any such elements to indicate the termination of all of the
principal's applicable sessions."


-- Scott
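The two errata above both come down to rules an implementation has to apply when it reads SAML XML. The following is an added example, not part of Scott's message or of any OASIS deliverable, that applies both: it picks the default indexed endpoint per element name and namespace within a role (the Metadata erratum), and it decides which sessions a <samlp:LogoutRequest> terminates according to the proposed Profiles and Core text (a session participant must send at least one SessionIndex that correlates with an AuthnStatement SessionIndex on file; a session authority may omit them to end all of the principal's sessions). The tie-break for the default endpoint (first endpoint with isDefault="true", else the first one listed) is taken from SAML 2.0 Metadata rather than from this page; the metadata document, the logout request, and the session store are constructed for the example, and only <saml:NameID> principals are handled.

```python
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
}

# Constructed SP metadata: two kinds of indexed endpoint in one role.  The erratum
# says the default is chosen per element name + namespace, so the isDefault on the
# ArtifactResolutionService must not affect which AssertionConsumerService is default.
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example.invalid/metadata">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:ArtifactResolutionService index="0" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
        Location="https://sp.example.invalid/ars"/>
    <md:AssertionConsumerService index="1"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
        Location="https://sp.example.invalid/acs/artifact"/>
    <md:AssertionConsumerService index="2" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.invalid/acs/post"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Same document with the explicit default removed from the ACS sequence.
SP_METADATA_NO_ACS_DEFAULT = SP_METADATA.replace('index="2" isDefault="true"', 'index="2"')


def default_indexed_endpoints(metadata_xml, role_tag="md:SPSSODescriptor"):
    """Return {qualified element name: Location of its default endpoint} for one role.

    Rule assumed from SAML 2.0 Metadata (not quoted on this page): within each
    sequence of same-named indexed endpoints, the first with isDefault="true" wins;
    if none is flagged, the first endpoint listed is the default."""
    root = ET.fromstring(metadata_xml)
    role = root.find(role_tag, NS)
    groups = {}
    for endpoint in role:
        if endpoint.get("index") is None:  # only indexed endpoint types take part
            continue
        groups.setdefault(endpoint.tag, []).append(endpoint)  # tag includes namespace
    defaults = {}
    for tag, endpoints in groups.items():
        flagged = [e for e in endpoints if e.get("isDefault", "false").lower() == "true"]
        chosen = flagged[0] if flagged else endpoints[0]
        defaults[tag] = chosen.get("Location")
    return defaults


# Constructed session store of the party receiving the LogoutRequest, keyed by
# principal, then by the SessionIndex carried in the <saml:AuthnStatement> that
# established the session.
ACTIVE_SESSIONS = {
    "user@example.invalid": {
        "_s1": {"peer": "https://sp-a.example.invalid"},
        "_s2": {"peer": "https://sp-b.example.invalid"},
    },
}

LOGOUT_FROM_SP = """<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_lr1" Version="2.0" IssueInstant="2005-11-08T00:00:00Z">
  <saml:Issuer>https://sp-a.example.invalid</saml:Issuer>
  <saml:NameID>user@example.invalid</saml:NameID>
  <samlp:SessionIndex>_s1</samlp:SessionIndex>
</samlp:LogoutRequest>"""

# The same request with no SessionIndex at all, as a session authority may send it.
LOGOUT_NO_INDEX = LOGOUT_FROM_SP.replace("<samlp:SessionIndex>_s1</samlp:SessionIndex>", "")


def sessions_to_terminate(request_xml, requester_is_authority, store):
    """Return the set of SessionIndex values the request terminates, per the proposed
    Profiles text, or raise ValueError when the request violates it."""
    root = ET.fromstring(request_xml)
    name_id = root.find("saml:NameID", NS)
    if name_id is None or not name_id.text:
        raise ValueError("this example only handles <saml:NameID> principals")
    known = store.get(name_id.text, {})
    indexes = [e.text for e in root.findall("samlp:SessionIndex", NS)]
    if not indexes:
        if not requester_is_authority:
            raise ValueError("a session participant MUST include at least one SessionIndex")
        return set(known)  # authority omitted them: all of the principal's sessions
    # Core erratum: each SessionIndex must correlate with an AuthnStatement SessionIndex.
    unknown = set(indexes) - set(known)
    if unknown:
        raise ValueError("SessionIndex not established by any AuthnStatement: %s" % sorted(unknown))
    return set(indexes)
```

Running `default_indexed_endpoints` on the two metadata variants shows the erratum's effect: the HTTP-POST endpoint is the default ACS while it carries isDefault="true", and with that attribute removed the first listed ACS (HTTP-Artifact) becomes the default, regardless of the isDefault on the ArtifactResolutionService. The logout function rejects an index-less request from a participant and accepts the same request from a session authority as a terminate-all.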


