List Home All Archives Dates Threads Authors Subjects
saml-dev - RE: [saml-dev] Logout from a single SP. Message Thread: Previous | Next
  • From: "Conor P. Cahill" <>
  • To: "Giuseppe Sarno" <>
  • Date: Mon, 7 Nov 2005 20:29:21 -0500
Send Email to
Send new message
Reply to this message

Giuseppe Sarno wrote on 11/7/2005, 8:55 AM:

Hi just to reply to your last point:
As I said above, I think that the SP should be required to send the Session Index if it was in the assertion used to establish SessionB (athouhg I can't find anything that says that explicitly).   However, even lacking that, I don't think that an SP should be authorized to end sessions that were not associated with the SP (although the IdP may allow "trusted" SPs to do so when the reason is an "...:admin" because of the thought that if it wasn't user initiated there may be something strange going on and the IdP may want to play it safe -- obviously this is not a part of the SAML spec, but I think that a cautious IdP may do this, especially with partners that they "trust").
Isn't this though the principal behind the single Logout ? (SP initiated)
Are you advocating that only the IDP can actually initiate the Single Logout sequence ? and the SP can only initiate Logout for own sessions ? 
The SP can initiate single logout, but it should only be able to do so for authentication sessions that were associated with the SP not with sessions that had nothing to do with that SP.

If the user wants to truely cancell all active sessions everywhere, they should coordinate it through their IdP.

In general I think that the user will not want to do cross-session logout and that the IdP would only do this in extenuating circumstances that are security driven (perhaps when a user changes their password all existing sessions are cancelled and must be re-authenticated to continue).  For the most part SLO is a session based operation.


By Date: Previous | Next Current Thread By Thread: Previous | Next

  Mail converted by the most-excellent MHonArc 2.6.10