[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: RE: [saml-dev] Logout from a single SP.
It is up to the IdP as to whether or not the authentication "session" is the same across SPA and SPB (and it is even up to the IdP as to whether or not it supports multiple authentication sessions for the user at all).So even if I was same user same browser /same window (just clicking a link resourced on a different SP) and going from SPA to SPBIs then up to the IDP to decide when the Auth Request comes from SPB whether to actually use the Same Index or Assertion back to the SPB.
Yes. The only kind of use case I can come up with where the same assertions could be used for SPA and SPB is when there is no NameID in the Subject (instead perhaps, an Attribute saying the user was a particular class of individual), no Audience Restriction, the exact same validity period, no concern about correlation of users across different sites and no concern about security (since SPA would be able to present the token to SPB and SPB would not be able to tell if the token came from a direct user session or from SPA) -- like I said, not very likely to happen in the real world (at least I think it shouldn't happen very often).I guess though the Assertion (in case of SPB) could be different depending if the requirements/data in the request (or policy etc.) requires the generation of a different Assertion.
As you suggest, there are many non-SAML ways for an SP to tell where the user is coming from.I guess in this case it would be nice to distinguish the case of UserB using same browser etc. from the case of UserB using a different mean or equipment in order to distinguish the sessions but I guess this is more down to info passed from the client and implementation specific.
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]