saml-dev - RE: [saml-dev] Logout from a single SP.
  • From: "Scott Cantor" <cantor.2@osu.edu>
  • To: "'Thomas Wisniewski'" <Thomas.Wisniewski@entrust.com>
  • Date: Mon, 7 Nov 2005 21:21:15 -0500
> The intent of the spec suggests that the SP, say SPa, can 
> initiate a logout and that this would imply that the IDP 
> would attempt to log out all sessions (at all SPs) that were 
> tied to the IDP session used to create the session at SPa.
>  
> I guess you are proposing one implementation where the IDP 
> does not do this, which I believe is allowed by the spec, as 
> long as you return some unsuccessful response.

I think the language is just vague in this thread. I think Conor meant
"session" in the sense of a set of IdP/SP sessions that are tied together at
the IdP, meaning the user logged into all of them with a single browser.

But if you're also logged into 3 other SPs via your phone, a logout at an SP
via the browser probably doesn't log you out of your phone.

That's the whole point of SessionIndex, so the IdP (or other session
authority) can isolate sessions at an SP based on the client as well as the
NameID.

If you want to sever all of your sessions at once, Conor's suggesting that's
an IdP driven thing, not an SP thing.

-- Scott
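The SessionIndex point above can be made concrete with a small model of the SP side. This is an added example, not code from the saml-dev thread or from any SAML implementation: an SP session store keyed by (NameID, SessionIndex), and a LogoutRequest handler that ends only the sessions the IdP names, or every session of that principal when the request carries no SessionIndex. The store layout, the `browser`/`phone` client labels, the handler's API and the sample LogoutRequest messages are constructed assumptions; the namespace URIs and element names are SAML 2.0's own.

```python
"""Added example (not from the saml-dev thread): an SP session store keyed by
(NameID, SessionIndex) and a LogoutRequest handler that ends only the sessions
the IdP names, or every session of the principal when no SessionIndex is given.
Store layout, client labels and the sample messages are constructed."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}


@dataclass
class SpSession:
    name_id: str
    session_index: str  # SessionIndex the IdP issued in the AuthnStatement
    client: str         # constructed label, e.g. "browser" or "phone"
    active: bool = True


class SpSessionStore:
    """SP-local sessions, keyed by (NameID, SessionIndex) so that one
    principal can hold several independent sessions (one per client)."""

    def __init__(self):
        self._by_key = {}

    def create(self, name_id, session_index, client):
        session = SpSession(name_id, session_index, client)
        self._by_key[(name_id, session_index)] = session
        return session

    def active(self, name_id):
        return [s for s in self._by_key.values()
                if s.name_id == name_id and s.active]

    def terminate(self, name_id, session_indexes):
        """End the sessions named in session_indexes. With an empty list,
        end every active session of that NameID, whatever the client."""
        ended = []
        for session in self.active(name_id):
            if not session_indexes or session.session_index in session_indexes:
                session.active = False
                ended.append(session.session_index)
        return ended


def parse_logout_request(xml_text):
    """Return (NameID, [SessionIndex, ...]) from a samlp:LogoutRequest.
    Signature and Issuer checks are out of scope for this example; a real
    SP must verify the request came from its IdP before acting on it."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}LogoutRequest" % NS["samlp"]:
        raise ValueError("not a samlp:LogoutRequest")
    name_id = root.find("saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        raise ValueError("LogoutRequest carries no NameID")
    indexes = [e.text.strip() for e in root.findall("samlp:SessionIndex", NS)
               if e.text and e.text.strip()]
    return name_id.text.strip(), indexes


def handle_logout(store, xml_text):
    """Apply one LogoutRequest to the store and report what changed."""
    name_id, indexes = parse_logout_request(xml_text)
    ended = store.terminate(name_id, indexes)
    remaining = [s.session_index for s in store.active(name_id)]
    return {"name_id": name_id, "ended": ended, "remaining": remaining}


def constructed_logout_request(name_id, session_indexes):
    """Build a minimal, unsigned LogoutRequest for the demo (constructed data)."""
    idx = "".join("<samlp:SessionIndex>%s</samlp:SessionIndex>" % i
                  for i in session_indexes)
    return ('<samlp:LogoutRequest xmlns:samlp="%s" xmlns:saml="%s" '
            'ID="_constructed-id" Version="2.0" '
            'IssueInstant="2005-11-07T21:21:15Z">'
            '<saml:Issuer>https://idp.example.org/constructed</saml:Issuer>'
            '<saml:NameID>%s</saml:NameID>%s</samlp:LogoutRequest>'
            % (NS["samlp"], NS["saml"], name_id, idx))


def demo():
    """alice is logged in from a browser and a phone, each with its own
    SessionIndex from the IdP. A browser-scoped logout leaves the phone
    session alone; a request without SessionIndex ends both."""
    store = SpSessionStore()
    store.create("alice", "idx-browser", "browser")
    store.create("alice", "idx-phone", "phone")
    scoped = handle_logout(store, constructed_logout_request("alice", ["idx-browser"]))
    everything = handle_logout(store, constructed_logout_request("alice", []))
    return scoped, everything


if __name__ == "__main__":
    print(demo())
```

Keying the store by (NameID, SessionIndex) rather than NameID alone is what lets the SP honour a logout scoped to one client: the browser's session ends, the phone's survives. The example reads a LogoutRequest with no SessionIndex as "all of this principal's sessions", which is the IdP-driven sever-everything case the message describes.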

