
saml-dev message


Subject: Re: [saml-dev] Logout from a single SP.

Giuseppe Sarno wrote on 10/27/2005, 7:31 AM:


I'm trying to understand whether SAML 2.0 can support the following case:

userA logged on SPA, SPB, SPC and authenticated by IDP.
Assumption: IDP will have to track the userA session to implement the single logout.

Now userA wants to logout from SPB and only from SPB.
How can I now tell the IDP that this session is gone (and only this one) so that it can update the session records?

This is supported out-of-band from the IdP side, but not from the SP side.

For the IdP side, while I believe this may not be explicitly documented in the specifications, it is doable. For example, the IdP can have a "session status" page on their web site that shows where the user is currently logged into within that "session" and provide the user with a button to logout any of those sessions (and if the user clicks on the button, the IdP would then send an SLO notification message to just the selected SP(s)).

However, there is not a way (as far as I remember) for the SP to say to the IdP, "Hey, I'm not going to use this assertion any longer" (otherwise known as "the user logged out from me"). This use case has not come up before as far as I am aware (and the SP is, of course, able to implement this functionality locally, there just isn't a way for the SP to notify the IdP about its local decision).
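As an added illustration of the IdP-side mechanism the reply describes (example code written for this archive page, not part of the thread or of any SAML implementation): the IdP keeps a per-session record of which SPs it has asserted the user to, and the "session status" button builds a SAML 2.0 LogoutRequest carrying only the selected SP's SessionIndex, leaving the other SPs' sessions in place. Entity IDs, user names and SessionIndex values are constructed placeholders.

```python
import uuid
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)


class IdPSessionRegistry:
    """IdP-side view of one user's session: which SPs it has been asserted to.

    Keyed by (user, IdP session id); the value maps each SP entity ID to the
    SessionIndex the IdP put in the assertion it issued to that SP.
    """

    def __init__(self, issuer):
        self.issuer = issuer          # the IdP's own entity ID (constructed)
        self.sessions = {}            # (user, idp_session) -> {sp_entity_id: session_index}

    def record_assertion(self, user, idp_session, sp_entity_id, session_index):
        """Called whenever the IdP issues an assertion for this session to an SP."""
        self.sessions.setdefault((user, idp_session), {})[sp_entity_id] = session_index

    def active_sps(self, user, idp_session):
        """What the 'session status' page would list for the user."""
        return sorted(self.sessions.get((user, idp_session), {}))

    def logout_request_for(self, user, idp_session, sp_entity_id):
        """Build a LogoutRequest for the selected SP only.

        The SP's entry is removed from the IdP's session record; the remaining
        SPs are untouched, which is the single-SP logout the thread asks about.
        Raises KeyError if the IdP never asserted this session to that SP.
        """
        sps = self.sessions[(user, idp_session)]
        session_index = sps.pop(sp_entity_id)
        req = ET.Element(f"{{{SAMLP}}}LogoutRequest", {
            "ID": "_" + uuid.uuid4().hex,
            "Version": "2.0",
            "IssueInstant": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
        })
        ET.SubElement(req, f"{{{SAML}}}Issuer").text = self.issuer
        ET.SubElement(req, f"{{{SAML}}}NameID").text = user
        # Only the selected SP's SessionIndex goes in; other SPs' sessions stay live.
        ET.SubElement(req, f"{{{SAMLP}}}SessionIndex").text = session_index
        return ET.tostring(req, encoding="unicode")
```

In a real deployment the IdP signs this message and delivers it to the SP's SingleLogoutService endpoint; the reverse direction the reply says is missing (SP telling the IdP it dropped the assertion locally) has no counterpart in this registry.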

