saml-dev message

Subject: RE: [saml-dev] Logout from a single SP.

Giuseppe Sarno wrote on 10/27/2005, 12:20 PM:

> So even if I was the same user, same browser / same window (just clicking a link hosted on a different SP) and going from SPA to SPB,
> it is then up to the IdP to decide, when the Auth Request comes from SPB, whether to actually use the same Index or Assertion back to SPB.

It is up to the IdP as to whether or not the authentication "session" is the same across SPA and SPB (and it is even up to the IdP as to whether or not it supports multiple authentication sessions for the user at all).

In most situations, the Assertion would be different between SPA and SPB (because of different Audience Restrictions, validity periods, nameIDs, etc.) but it is possible that a legally implemented IdP could return the same Assertion for SPA and SPB -- possible, but not likely in the vast majority (99+% in my opinion) of cases.

> I guess though the Assertion (in the case of SPB) could be different depending on whether the requirements/data in the request (or policy etc.) require the generation of a different Assertion.

Yes. The only kind of use case I can come up with where the same assertions could be used for SPA and SPB is when there is no NameID in the Subject (instead perhaps, an Attribute saying the user was a particular class of individual), no Audience Restriction, the exact same validity period, no concern about correlation of users across different sites and no concern about security (since SPA would be able to present the token to SPB and SPB would not be able to tell if the token came from a direct user session or from SPA) -- like I said, not very likely to happen in the real world (at least I think it shouldn't happen very often).

> I guess in this case it would be nice to distinguish the case of UserB using the same browser etc. from the case of UserB using a different means or equipment in order to distinguish the sessions, but I guess this is more down to info passed from the client and implementation specific.

As you suggest, there are many non-SAML ways for an SP to tell where the user is coming from.
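The reply above turns on the SP-side check that makes an assertion issued to SPA useless at SPB: the receiving SP must evaluate the Conditions element (validity window and AudienceRestriction) against its own entity ID. The following is an added example, not code from this thread or from any OASIS implementation; the entity IDs, timestamps and assertion content are constructed, and signature verification is assumed to have been done before this step.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample: an assertion the IdP issued for SPA only.
# Entity IDs, times and SessionIndex are made up for this example.
ASSERTION_FOR_SPA = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_a1" Version="2.0" IssueInstant="2005-10-27T12:00:00Z">
  <saml:Issuer>https://idp.example/idp</saml:Issuer>
  <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2005-10-27T12:00:00Z" NotOnOrAfter="2005-10-27T12:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://spa.example/sp</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AuthnStatement AuthnInstant="2005-10-27T11:59:00Z" SessionIndex="idx-1"/>
</saml:Assertion>
"""

def _parse_time(s):
    # SAML timestamps are UTC ("Z"); fractional seconds are not handled here.
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def check_conditions(xml_text, my_entity_id, now_iso):
    """Evaluate <Conditions> as the receiving SP must. Returns the list of
    reasons to reject the assertion; an empty list means conditions hold."""
    now = _parse_time(now_iso)
    cond = ET.fromstring(xml_text).find("saml:Conditions", NS)
    if cond is None:
        return ["no Conditions element: SP cannot confirm it is the intended audience"]
    problems = []
    nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if nb and now < _parse_time(nb):
        problems.append("not yet valid")
    if noa and now >= _parse_time(noa):
        problems.append("expired")
    restrictions = cond.findall("saml:AudienceRestriction", NS)
    if not restrictions:
        problems.append("no AudienceRestriction: assertion may have been issued to another SP")
    # Every AudienceRestriction must be satisfied; within one, any listed Audience suffices.
    for r in restrictions:
        audiences = [(a.text or "").strip() for a in r.findall("saml:Audience", NS)]
        if my_entity_id not in audiences:
            problems.append(f"audience restriction {audiences} does not include {my_entity_id}")
    return problems
```

Run against the sample, SPA accepts the assertion inside its window, while SPB rejects the very same token because its entity ID is not among the listed audiences.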

