[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: RE: [saml-dev] Logout from a single SP.
Absolutely.It seem indicating that the Principal can have multiple SessionIndexes and as such different AuthAssertions associated with him (Is this right??)
Correct.And in this case the Logout request could contain just the SessionIndex the SP wants to remove.
The same user is logged in from 2 or more different "locations"... Note that locations include different browsers, sometimes different instances of the same browser, different devices, different computers, etc, etc. There are even reasonable situations where the IDP could in a single browser context support multiple sessions for the user.How can this happen ?
There is no requirement as to the session index value across different providers. The key issue is that internally at the IdP, the IdP is able to figure out which authentication "session" the SP is referring to when the SP sends a message to the IdP (and vice-versa as the user could also be visiting the same SP from two different IdP authenticaiton sessions) (e.g. I could be shopping at Amazon from my phone and from my computer at the same time).Example:If the user access SPA and the IDP creates AssertionA with SessionIndexA and then he goes to SPB would he get AssertionB/SessionIndexB?or still AssertionA/SessionIndexA ? or even AssertionB/SessionIndexA ?
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]