security-services message
Subject: RE: [security-services] handling of multiple SP logout


> In the test group, we had a general agreement that if SP-B returned an
> error status, the IdP should send Success/PartialLogout to SP-A.

[RSP] Yes... it's probably obvious, but for completeness you're missing
one additional requirement... if SP-B returns an error status to the IdP
in a LogoutResponse "AND the IdP successfully logs the user out of the
IdP", then that IdP must send Success+PartialLogout to the SP that
originated the LogoutRequest.  The IdP could somehow fail to log the
user out of the IdP.  If so, then it would return an error back to the
original SP.

> 
> The area we chiefly need guidance on was the status returned when SP-B
> received a LogoutRequest from the IdP after it had already terminated the
> session. It appears that either Responder or Success would be permissible.
> 
[RSP] IMO, yes.

> The purpose of this test scenario was primarily to create a situation so
> that the IdP did return a PartialLogout status to the originating SP and
> test out that functionality. Perhaps the best method to do that would be to
> disable the SP-B endpoint so that the IdP is unable to contact it.

[RSP] Yep - that's how I'd test it.

> 
> Kyle Meadors
> DGI
> 
> * * * * * * * * * * * * * * * * * * * * * * * *
> CONFIDENTIALITY DISCLAIMER
> This email, including attachments, is confidential and proprietary. It
> constitutes exclusive communication solely to the addressee. Any entity
> other than the intended addressee is prohibited from use of this
> communication for any purpose. This email, including attachments, may not be
> distributed, whole or in part.
> * * * * * * * * * * * * * * * * * * * * * * * *
> -----Original Message-----
> From: Scott Cantor [mailto:cantor.2@osu.edu]
> Sent: Monday, August 03, 2009 1:12 PM
> To: robert.philpott@rsa.com; kyle@drummondgroup.com;
> security-services@lists.oasis-open.org
> Subject: RE: [security-services] handling of multiple SP logout
> 
> robert.philpott@rsa.com wrote on 2009-08-03:
> > See below, but I think we could have an issue in defining the "correct"
> > behavior here w.r.t. passing or failing a conformance test...
> 
> I don't think you can require anything here because the SP isn't required to
> remember a session once it's locally terminated.
> 
> > The spec isn't really precise on this use case. I personally think it's
> > best to pretend it worked and send "success" because of the spec wording
> > related to #2 below...
> 
> For the user experience, you absolutely SHOULD do that, but you can't
> require it.
> 
> > To be more precise, the "IdP action" Scott is referring to is whether
> > the IdP is able log out the user's session at the IdP.  It is not
> > related to what happens at any of the SP's.
> 
> Right.
> 
> > Of course if the IdP receives an error from an SP due to item #1 above,
> > technically it has to report back a "PartialLogout" second-level status
> > to the SP that originated the LogoutRequest.
> 
> Right. That's all spelled out, is my point. Could be clearer, but I don't
> think "clear" and "logout" really belong in the same sentence.
> 
> -- Scott
> 

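The single-logout flow this thread is debating, modelled as an added Python example (this is not code from the OASIS list, from the SAML specification, or from any participant): SP-A starts the logout, the IdP ends its own session, fans a LogoutRequest out to SP-B, and decides which status chain to put in the LogoutResponse it sends back to SP-A. The status URIs are the SAML 2.0 ones; the function names, the `lenient` switch modelling the "send Success even if the session is already gone" choice, the in-memory session store and the session-index value are assumptions made for illustration. It also covers the test setup suggested above (SP-B endpoint disabled, so the IdP gets no response at all) and the case where the IdP's own logout fails.

```python
"""Model of SAML 2.0 single logout status handling: an IdP fans a LogoutRequest
out to the other SPs in a session and reports the outcome to the originating SP."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
import xml.etree.ElementTree as ET

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
ET.register_namespace("samlp", SAMLP_NS)

# Status code URIs defined by SAML 2.0 Core; PartialLogout is a second-level
# code that nests inside the top-level StatusCode.
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
STATUS_RESPONDER = "urn:oasis:names:tc:SAML:2.0:status:Responder"
STATUS_PARTIAL_LOGOUT = "urn:oasis:names:tc:SAML:2.0:status:PartialLogout"


@dataclass
class SpResult:
    """Outcome of one IdP -> SP LogoutRequest. status_code is the top-level code
    from the SP's LogoutResponse, or None when the SP endpoint was unreachable."""
    entity_id: str
    status_code: Optional[str]


def sp_handle_logout_request(sessions: Dict[str, str], session_index: str,
                             lenient: bool = True) -> str:
    """SP-side handling of an IdP-initiated LogoutRequest (SP-B in the thread).

    A still-known session is terminated and Success is returned. If it was
    already terminated locally, either Responder or Success is permissible;
    lenient=True (an assumed switch) returns Success, which is the behaviour
    the thread recommends for the user's sake."""
    if session_index in sessions:
        del sessions[session_index]
        return STATUS_SUCCESS
    return STATUS_SUCCESS if lenient else STATUS_RESPONDER


def aggregate_logout_status(idp_local_logout_ok: bool,
                            sp_results: List[SpResult]) -> Tuple[str, Optional[str]]:
    """IdP-side decision for the LogoutResponse sent to the originating SP (SP-A).

    Returns (top_level_code, second_level_code). The IdP's own logout drives the
    top-level code; any SP error or unreachable SP keeps Success at the top
    level but adds a PartialLogout second-level code."""
    if not idp_local_logout_ok:
        # The IdP could not end its own session: report an error to SP-A.
        return STATUS_RESPONDER, None
    if all(r.status_code == STATUS_SUCCESS for r in sp_results):
        return STATUS_SUCCESS, None
    return STATUS_SUCCESS, STATUS_PARTIAL_LOGOUT


def build_status_xml(top_level: str, second_level: Optional[str]) -> str:
    """Serialise a samlp:Status element with an optional nested StatusCode."""
    status = ET.Element(f"{{{SAMLP_NS}}}Status")
    code = ET.SubElement(status, f"{{{SAMLP_NS}}}StatusCode", Value=top_level)
    if second_level is not None:
        ET.SubElement(code, f"{{{SAMLP_NS}}}StatusCode", Value=second_level)
    return ET.tostring(status, encoding="unicode")


def parse_status_codes(xml_text: str) -> List[str]:
    """Walk the StatusCode chain of a samlp:Status element, outermost first."""
    node = ET.fromstring(xml_text).find(f"{{{SAMLP_NS}}}StatusCode")
    codes: List[str] = []
    while node is not None:
        codes.append(node.get("Value", ""))
        node = node.find(f"{{{SAMLP_NS}}}StatusCode")
    return codes


def simulate_test_scenario(sp_b_reachable: bool, sp_b_sessions: Dict[str, str],
                           idp_local_logout_ok: bool = True) -> List[str]:
    """Run the SP-A -> IdP -> SP-B flow from the thread and return the status
    code chain the IdP places in its LogoutResponse to SP-A."""
    session_index = "sess-1"  # constructed sample value
    if sp_b_reachable:
        sp_b = SpResult("SP-B", sp_handle_logout_request(sp_b_sessions, session_index))
    else:
        sp_b = SpResult("SP-B", None)  # endpoint disabled: no LogoutResponse at all
    top, second = aggregate_logout_status(idp_local_logout_ok, [sp_b])
    return parse_status_codes(build_status_xml(top, second))


if __name__ == "__main__":
    # SP-B endpoint disabled: the setup suggested above to force PartialLogout.
    print(simulate_test_scenario(sp_b_reachable=False, sp_b_sessions={}))
```

Running the module prints the two-element chain `[Success, PartialLogout]` for the disabled-endpoint case; passing `sp_b_sessions={}` with a reachable SP-B shows that a lenient SP-B answering Success for an already-terminated session leaves SP-A with a plain Success, while `lenient=False` on SP-B turns the same situation into a PartialLogout at SP-A.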