saml-dev - RE: [saml-dev] Logout from a single SP.
- From: Thomas Wisniewski <Thomas.Wisniewski@entrust.com>
- To: "Conor P. Cahill" <concahill@aol.com>, Giuseppe Sarno <gsarno@nortel.com>
- Date: Mon, 7 Nov 2005 21:09:23 -0500
The intent of the spec suggests that the SP, say SPa, can initiate a logout and that this would imply that the IDP would attempt to log out all sessions (at all SPs) that were tied to the IDP session used to create the session at SPa.

I guess you are proposing one implementation where the IDP does not do this, which I believe is allowed by the spec, as long as you return some unsuccessful response.

Tom.
Giuseppe Sarno wrote on 11/7/2005, 8:55 AM:
Hi, just to reply to your last point:
As I said above, I think that the SP should be required to send the Session Index if it was in the assertion used to establish SessionB (although I can't find anything that says that explicitly). However, even lacking that, I don't think that an SP should be authorized to end sessions that were not associated with the SP (although the IdP may allow "trusted" SPs to do so when the reason is an "...:admin" because of the thought that if it wasn't user initiated there may be something strange going on and the IdP may want to play it safe -- obviously this is not a part of the SAML spec, but I think that a cautious IdP may do this, especially with partners that they "trust").
Isn't this though the principle behind the single Logout? (SP initiated)

Are you advocating that only the IDP can actually initiate the Single Logout sequence? And the SP can only initiate Logout for its own sessions?
The SP can initiate single logout, but it should only be able to do so for authentication sessions that were associated with the SP, not with sessions that had nothing to do with that SP.

If the user wants to truly cancel all active sessions everywhere, they should coordinate it through their IdP.
In general I think that the user will not want to do cross-session logout and that the IdP would only do this in extenuating circumstances that are security driven (perhaps when a user changes their password all existing sessions are cancelled and must be re-authenticated to continue). For the most part SLO is a session based operation.

Conor
---------------------------------------------------------------------
This publicly archived list supports open discussion on implementing the SAML
OASIS Standard. To minimize spam in the archives, you must subscribe before
posting. [Un]Subscribe/change address: http://www.oasis-open.org/mlmanage/
Alternately, using email: list-[un]subscribe@lists.oasis-open.org List
archives: http://lists.oasis-open.org/archives/saml-dev/ Committee homepage:
http://www.oasis-open.org/committees/security/ List Guidelines:
http://www.oasis-open.org/maillists/guidelines.php Join OASIS:
http://www.oasis-open.org/join/
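An added example, not code from the thread or from any SAML implementation, of the IdP-side check Conor describes: a LogoutRequest from an SP ends only an IdP session that SP actually took part in, with an optional policy knob (assumed, not from the spec) letting trusted SPs use the admin reason more broadly. The `IdentityProvider` class, the in-memory session table, and the entity IDs in the test are constructed for illustration; the status and reason URIs are the standard SAML 2.0 values.

```python
# Constructed IdP-side model of Single Logout authorization (example only).
from dataclasses import dataclass, field

REASON_ADMIN = "urn:oasis:names:tc:SAML:2.0:logout:admin"        # SAML 2.0 Reason URI
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
STATUS_REQUESTER = "urn:oasis:names:tc:SAML:2.0:status:Requester"  # unsuccessful response

@dataclass
class IdpSession:
    session_index: str
    # Entity IDs of SPs that received an assertion carrying this SessionIndex.
    participants: set = field(default_factory=set)
    active: bool = True

@dataclass
class LogoutRequest:
    issuer: str            # SP entity ID from <saml:Issuer>
    session_index: str     # <samlp:SessionIndex> value ("" if the SP omitted it)
    reason: str = ""       # optional Reason attribute

class IdentityProvider:
    def __init__(self, trusted_admin_sps=()):
        self.sessions = {}                                # SessionIndex -> IdpSession
        self.trusted_admin_sps = set(trusted_admin_sps)   # hypothetical local policy

    def issue_assertion(self, session_index, sp_entity_id):
        """Record that an assertion with this SessionIndex went to sp_entity_id."""
        s = self.sessions.setdefault(session_index, IdpSession(session_index))
        s.participants.add(sp_entity_id)

    def handle_logout(self, req):
        """Return (status URI, other SPs the IdP must now send LogoutRequests to)."""
        # This example requires a SessionIndex, as the thread argues SPs should send one.
        s = self.sessions.get(req.session_index)
        if s is None or not s.active:
            return STATUS_REQUESTER, []
        # Only an SP that took part in the session may end it, unless local policy
        # lets a trusted SP do so with the admin reason (not part of the spec).
        trusted_admin = req.reason == REASON_ADMIN and req.issuer in self.trusted_admin_sps
        if req.issuer not in s.participants and not trusted_admin:
            return STATUS_REQUESTER, []
        s.active = False
        # SP-initiated SLO still propagates to every other SP tied to the IdP session.
        return STATUS_SUCCESS, sorted(s.participants - {req.issuer})
```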