saml-dev - RE: [saml-dev] Logout from a single SP.
  • From: Thomas Wisniewski <>
  • To: Scott Cantor <>
  • Date: Mon, 7 Nov 2005 22:19:36 -0500
Title: RE: [saml-dev] Logout from a single SP.

Got it, I agree. Thanx.


> -----Original Message-----
> From: Scott Cantor []
> Sent: Monday, November 07, 2005 9:21 PM
> To: 'Thomas Wisniewski'
> Cc:
> Subject: RE: [saml-dev] Logout from a single SP.
> > The intent of the spec suggests that the SP, say SPa, can
> > initiate a logout and that this would imply that the IDP
> > would attempt to log out all sessions (at all SPs) that were
> > tied to the IDP session used to create the session at SPa.
> > 
> > I guess you are proposing one implementation where the IDP
> > does not do this, which I believe is allowed by the spec, as
> > long as you return some unsuccessful response.
>
> I think the language is just vague in this thread. I think Conor meant
> "session" in the sense of a set of IdP/SP sessions that are tied together
> at the IdP, meaning the user logged into all of them with a single browser.
>
> But if you're also logged into 3 other SPs via your phone, a logout at an
> SP via the browser probably doesn't log you out of your phone.
>
> That's the whole point of SessionIndex, so the IdP (or other session
> authority) can isolate sessions at an SP based on the client as well as
> the NameID.
>
> If you want to sever all of your sessions at once, Conor's suggesting
> that's an IdP driven thing, not an SP thing.
>
> -- Scott
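
The session scoping discussed in this thread, as an added example that is not part of the original messages or of any SAML implementation: an IdP resolves the SessionIndex in an SP's LogoutRequest to one IdP session and terminates only the SP sessions tied to it. The session table, entity IDs, index values and function names are constructed, and the request is assumed to be already signature-verified.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed IdP session table, one row per SP session the IdP created:
# (name_id, idp_session, sp_entity_id, session_index)
SESSIONS = [
    ("alice@example.org", "browser", "https://spa.example.org", "idx-b1"),
    ("alice@example.org", "browser", "https://spb.example.org", "idx-b2"),
    ("alice@example.org", "phone", "https://spa.example.org", "idx-p1"),
    ("alice@example.org", "phone", "https://spc.example.org", "idx-p2"),
]

def logout_request(session_indexes):
    """Build a constructed, unsigned LogoutRequest issued by SPa."""
    idx = "".join(f"<samlp:SessionIndex>{i}</samlp:SessionIndex>"
                  for i in session_indexes)
    return (f'<samlp:LogoutRequest xmlns:samlp="{NS["samlp"]}" '
            f'xmlns:saml="{NS["saml"]}" ID="_constructed1" Version="2.0" '
            'IssueInstant="2005-11-07T00:00:00Z">'
            "<saml:Issuer>https://spa.example.org</saml:Issuer>"
            "<saml:NameID>alice@example.org</saml:NameID>"
            f"{idx}</samlp:LogoutRequest>")

def sessions_to_terminate(request_xml, table):
    """Return the rows an SP-initiated logout should end, in table order."""
    # Assumption: signature and issuer trust were checked before this point.
    root = ET.fromstring(request_xml)
    issuer = root.findtext("saml:Issuer", "", NS).strip()
    name_id = root.findtext("saml:NameID", "", NS).strip()
    indexes = {(e.text or "").strip()
               for e in root.findall("samlp:SessionIndex", NS)}
    if not indexes:
        # Design choice of this example: an SP request without SessionIndex
        # is refused instead of being widened to every session of the user.
        raise ValueError("SP-initiated LogoutRequest carries no SessionIndex")
    # An SP may only name SessionIndex values that were issued to itself.
    named = [r for r in table
             if r[0] == name_id and r[2] == issuer and r[3] in indexes]
    idp_sessions = {r[1] for r in named}
    # Every SP session tied to the same IdP session (same client) goes;
    # sessions created from another client (the phone) are left alone.
    return [r for r in table if r[0] == name_id and r[1] in idp_sessions]

if __name__ == "__main__":
    for row in sessions_to_terminate(logout_request(["idx-b1"]), SESSIONS):
        print("terminate:", row[2], row[3])
```
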
