[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: RE: [saml-dev] Logout from a single SP.
So even if I was the same user, same browser/same window (just clicking a link resourced on a different SP) and going from SP-A to SP-B, is it then up to the IDP to decide, when the Auth Request comes from SP-B, whether to actually use the same Index or Assertion back to SP-B?

[RSP] IDPs must always generate a new assertion for each SSO exchange to different SPs. In SAML's web SSO profile, the assertion generated by the IDP for an SSO exchange with SP-A MUST include a SubjectConfirmationData element with a "Recipient" attribute set to SP-A's Assertion Consumer Service URL. SP-A is supposed to check this attribute to ensure that the assertion was intended for its ACS endpoint. If the same assertion was sent to SP-B, it is supposed to be rejected by SP-B.

I guess though the Assertion (in the case of SP-B) could be different depending on whether the requirements/data in the request (or policy etc.) require the generation of a different Assertion. I guess in this case it would be nice to distinguish the case of UserB using the same browser etc. from the case of UserB using different means or equipment in order to distinguish the sessions, but I guess this is more down to info passed from the client and implementation specific.

[RSP] To correctly implement the desired semantics, implementations will usually have to track (via some implementation-specific manner) which browser/device is in which session. For browsers, this might imply a special implementation-specific "session" cookie, for example.

Thanks.
Giuseppe.