OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

saml-dev message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: Single Logout and Session Index clarification requested



I am in need of clarification regarding the use of SessionIndex for Single Logout using the SOAP binding.


The core specification states that for Logout in general, the SessionIndex is optional and that, when the session participant receives the request "if no <SessionIndex> elements are supplied, then all sessions associated with the principal MUST be invalidated." and that an eligible assertion to logout would be one where the subject strongly matches the BaseID, NameID or EncryptedID in the logout request (as well as the session index and that the NotOnOrAfter attributes are still valid).


My question is regarding a specific use case.  One in which the users all login anonymously.


                When a LogoutRequest is sent over SOAP using a back channel, the session participant will only be able to identify the user based on the contents of the LogoutRequest (i.e., no cookie available for additional information).  If all users on a session participant are anonymous (i.e., they all have the same subject) and the session authority sends a LogoutRequest without a SessionIndex, my interpretation of the spec is that all the sessions that strongly match that same subject be logged out; resulting in all users being logged out.  In this use case, should the session authority be required to send the SessionIndex to indicate the proper anonymous user?


Thank you,


Joann Kent

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]