saml-dev message

Subject: RE: [saml-dev] Logout from a single SP.

Hi, I further looked into this:

On page 61 it is said:

If the sender is the authority that provided an assertion containing an authentication statement linked to the principal's current session, the session participant MUST invalidate the principal's session(s) referred to by the <saml:BaseID>, <saml:NameID>, or <saml:EncryptedID> element, and any <SessionIndex> elements supplied in the message. If no <SessionIndex> elements are supplied, then all sessions associated with the principal MUST be


It seems to indicate that the principal can have multiple SessionIndexes and, as such, different AuthAssertions associated with him (is this right?).
In this case the Logout request could contain just the SessionIndex the SP wants to remove.
How can this happen?
If the user accesses SPA and the IDP creates AssertionA with SessionIndexA, and then he goes to SPB, would he get AssertionB/SessionIndexB?
Or still AssertionA/SessionIndexA? Or even AssertionB/SessionIndexA?
 -----Original Message-----
From: Conor P. Cahill [mailto:concahill@aol.com]
Sent: 27 October 2005 13:07
To: Sarno, Giuseppe [MOP:GM15:EXCH]
Cc: saml-dev@lists.oasis-open.org
Subject: Re: [saml-dev] Logout from a single SP.

Giuseppe Sarno wrote on 10/27/2005, 7:31 AM:


I'm trying to understand whether SAML2.0 can support the following case:

userA logged on SPA, SPB, SPC and authenticated by IDP.
Assumption: IDP will have to track the userA session to implement the single logout.

Now userA wants to logout from SPB and only from SPB.
How can one now tell the IDP that this session is gone (and only this one), so that it can update the session records?

This is supported out-of-band from the IdP side, but not from the SP side. 

For the IdP side, while I believe this may not be explicitly documented in the specifications, it is doable. For example, the IdP can have a "session status" page on their web site that shows where the user is currently logged into within that "session" and provide the user with a button to logout any of those sessions (and if the user clicks on the button, the IdP would then send an SLO notification message to just the selected SP(s)).

However, there is not a way (as far as I remember) for the SP to say to the IdP, "Hey, I'm not going to use this assertion any longer" (otherwise known as "the user logged out from me").    This use case has not come up before as far as I am aware (and the SP is, of course, able to implement this functionality locally, there just isn't a way for the SP to notify the IdP about its local decision).
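
The session-participant rule quoted from page 61 of the core spec, applied to an SP's session list, as an added example that is neither code from this thread nor from any SAML implementation. It assumes a constructed `Session` record, a constructed sample store `STORE`, and a hand-built unsigned `LogoutRequest`; it treats the "sender is the authority that provided an assertion" condition as a match on the request's `Issuer`, so a request from any other issuer invalidates nothing.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

@dataclass(frozen=True)
class Session:
    """One SP-local session created from an IdP assertion (constructed structure)."""
    session_index: str  # SessionIndex of the AuthnStatement that created it
    name_id: str        # principal the assertion was about
    issuer: str         # entityID of the IdP that issued the assertion

def sessions_to_invalidate(store, logout_request_xml):
    """Return the SessionIndex values the SP must terminate for this LogoutRequest.

    Only sessions whose assertion came from the request's Issuer are considered
    (assumption); with no SessionIndex in the request, all of that principal's go.
    """
    root = ET.fromstring(logout_request_xml)
    if root.tag != f"{{{NS['samlp']}}}LogoutRequest":
        raise ValueError("not a samlp:LogoutRequest")
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    name_id = root.findtext("saml:NameID", namespaces=NS)
    if issuer is None or name_id is None:
        raise ValueError("LogoutRequest lacks Issuer or NameID")
    requested = {e.text for e in root.findall("samlp:SessionIndex", NS)}
    principal = [s for s in store if s.issuer == issuer and s.name_id == name_id]
    if not requested:
        return {s.session_index for s in principal}
    return {s.session_index for s in principal if s.session_index in requested}

# Constructed sample: the SP holds two sessions for one user from the same IdP
# (AssertionA/SessionIndexA and AssertionB/SessionIndexB), plus another user.
STORE = [
    Session("idx-A", "user@example.org", "https://idp.example.org"),
    Session("idx-B", "user@example.org", "https://idp.example.org"),
    Session("idx-C", "other@example.org", "https://idp.example.org"),
]

def logout_request(session_indexes, issuer="https://idp.example.org"):
    """Build a minimal, unsigned LogoutRequest (constructed) for the sample user."""
    idx = "".join(f"<samlp:SessionIndex>{i}</samlp:SessionIndex>" for i in session_indexes)
    return (f'<samlp:LogoutRequest xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
            'ID="_req1" Version="2.0" IssueInstant="2005-10-27T13:07:00Z">'
            f"<saml:Issuer>{issuer}</saml:Issuer>"
            "<saml:NameID>user@example.org</saml:NameID>"
            f"{idx}</samlp:LogoutRequest>")
```

The function assumes the request's signature has already been verified against the Issuer's metadata; without that check the Issuer match alone proves nothing about who sent the message.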

