saml-dev message
Subject: Réf. : RE: [saml-dev] Question about logout



Just to be sure I understand well, let's take another example:
IDP authenticates a user named user1.
IDP sends an assertion to SP1 with a federated id: 12345
IDP sends an assertion to SP2 with the email address as an id: user1@domain.com

If SP1 wants to send a logout request to IDP it must use the id 12345.
If SP2 wants to send a logout request to IDP it must use the id user1@domain.com.
In both cases, IDP recognizes the user user1 and terminates the session (and then propagates the logout to SP1 or SP2).

If IDP wants to send a logout request, it must use the id 12345 for SP1 and user1@domain.com for SP2.
So, IDP has to keep track of which SP is using which type of id.

Is that right?

About this part:
"If the IdP gets a request with some other value
it should treat that as a failure, even if the IdP could *guess* which
user the caller is talking about."

Where is this constraint indicated in the spec?

Valerie



"Cahill, Conor P" <conor.p.cahill@intel.com>
23/05/2007 14:02

To: <valerie.bauche@BULL.NET>, <saml-dev@lists.oasis-open.org>
cc:
Subject: RE: [saml-dev] Question about logout


> - Later in the process, SP sends to IDP a logout request with
> a nameID containing the persistent identifier.
> What should the IDP do?
>        kill the user session: this user will have to reauthenticate
> or   nothing special, the user still has the session
> established with its real name

A logout request from an SP to the IdP is a session logout
request, meaning that the intent is to terminate the user's session
at the IdP and at all SPs for which the IdP has generated assertions
based upon the same session at the IdP. That is why it is commonly
referred to as Single Log Out.

> And same question if IDP received a logout request with a
> NameID containing the user's real name
>        kill the user session: this user will have to reauthenticate
> or   nothing special, the user still has the session
> established with the persistent ID

The logout request must include the name for which the user is known
at the sending party. If the IdP gets a request with some other value
it should treat that as a failure, even if the IdP could *guess* which
user the caller is talking about.

So, SP1 can only send the NameID values that it received from the IdP;
it cannot send the user's login ID at the IdP, nor can it send the
NameID value received by SP2 or any other SP.

The user can, of course, go to the IdP themselves and initiate an SLO
from there using their current authenticated session, but SPs can only
do so using the NameID issued to them.

Conor
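As an added example (not code from this thread, from OASIS, or from any SAML product), the following toy Python model shows the IdP bookkeeping Valerie describes and the strict NameID rule Conor states: the IdP records which NameID it issued to which SP from a session, honours a LogoutRequest only when the sending SP presents exactly the NameID it received, and then propagates the logout to the remaining SPs using each one's own NameID. The class names, the session key and the scenario values are constructed for the example; the identifiers user1, SP1, SP2, 12345 and user1@domain.com are the ones used in the thread.

```python
"""Toy model of IdP-side Single Logout bookkeeping (added example, not code
from the thread or from any SAML implementation). An IdP session remembers
the NameID issued to each SP; a LogoutRequest is honoured only when the
sending SP presents exactly the NameID it was issued. Values are constructed."""

from dataclasses import dataclass, field


@dataclass
class IdpSession:
    """One authenticated session at the IdP."""
    login_id: str                                # how the user is known at the IdP itself
    issued: dict = field(default_factory=dict)   # sp_entity_id -> NameID value issued to that SP


class IdP:
    def __init__(self):
        self.sessions = {}                       # session key -> IdpSession

    def authenticate(self, session_key, login_id):
        """User authenticates at the IdP; a fresh session is created."""
        self.sessions[session_key] = IdpSession(login_id)

    def issue_assertion(self, session_key, sp, name_id):
        """Record the NameID carried by the assertion sent to `sp` from this session."""
        self.sessions[session_key].issued[sp] = name_id
        return name_id

    def _find_session(self, sender_sp, name_id):
        """Strict match: only the NameID previously issued to sender_sp counts.
        Deliberately no fallback to login_id or to NameIDs issued to other SPs,
        even where such a fallback would 'guess' the right user."""
        for key, sess in self.sessions.items():
            if sess.issued.get(sender_sp) == name_id:
                return key
        return None

    def handle_logout_request(self, sender_sp, name_id):
        """SP-initiated SLO. Returns ("failure", []) when the NameID is not the
        one the sender received; otherwise terminates the IdP session and
        returns ("success", [(other_sp, name_id_for_that_sp), ...]) so the
        logout can be propagated to every other SP with its own NameID."""
        key = self._find_session(sender_sp, name_id)
        if key is None:
            return ("failure", [])
        sess = self.sessions.pop(key)
        return ("success", [(sp, nid) for sp, nid in sess.issued.items() if sp != sender_sp])

    def logout_from_idp(self, session_key):
        """User-initiated SLO at the IdP itself: every SP is told, each with the NameID it was issued."""
        sess = self.sessions.pop(session_key, None)
        if sess is None:
            return []
        return list(sess.issued.items())


def scenario_from_thread():
    """Replays the example from the thread and returns what the IdP did at each step."""
    idp = IdP()
    idp.authenticate("sess-1", "user1")
    idp.issue_assertion("sess-1", "SP1", "12345")              # federated (persistent) id
    idp.issue_assertion("sess-1", "SP2", "user1@domain.com")   # email address as id
    return {
        # SP1 presenting SP2's NameID, or the IdP login name: guessable, still a failure
        "sp1_with_sp2_id": idp.handle_logout_request("SP1", "user1@domain.com"),
        "sp1_with_login_id": idp.handle_logout_request("SP1", "user1"),
        # SP1 with the NameID it was issued: session ends, SP2 is notified with its own id
        "sp1_with_own_id": idp.handle_logout_request("SP1", "12345"),
        # the session is gone now, so SP2's otherwise well-formed request finds nothing
        "sp2_after_logout": idp.handle_logout_request("SP2", "user1@domain.com"),
    }


if __name__ == "__main__":
    for step, outcome in scenario_from_thread().items():
        print(step, "->", outcome)
```

The lookup is keyed on the (sending SP, NameID) pair on purpose: matching on the IdP login ID or on a NameID issued to a different SP is exactly the "guess" the reply says the IdP should refuse, and the per-SP table in `IdpSession.issued` is the record the IdP needs in order to address each SP by the identifier it actually knows when it propagates the logout.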



