saml-dev message


Subject: RE: Single Logout and Session Index clarification requested


I believe you have one of the following choices for the environment you are describing:

- Assign random transient identifiers in the subject of each identifier (still meets the requirements for anonymous access as long as you don't reuse the identifier) and then use this identifier on the logout.

- Assign the assertion ID to the session Index and use that on both the assertion and logout request.

- Don't support logout (since you can't figure out which session to terminate without one of the above).




From: Kent, Joann J [mailto:Joann.Kent@ca.com]
Sent: Wednesday, June 24, 2009 4:26 PM
To: saml-dev@lists.oasis-open.org
Subject: [saml-dev] Single Logout and Session Index clarification requested




I am in need of clarification regarding the use of SessionIndex for Single Logout using the SOAP binding.


The core specification states that for Logout in general, the SessionIndex is optional and that, when the session participant receives the request "if no <SessionIndex> elements are supplied, then all sessions associated with the principal MUST be invalidated." and that an eligible assertion to logout would be one where the subject strongly matches the BaseID, NameID or EncryptedID in the logout request (as well as the session index and that the NotOnOrAfter attributes are still valid).


My question is regarding a specific use case, one in which the users all log in anonymously.


When a LogoutRequest is sent over SOAP using a back channel, the session participant will only be able to identify the user based on the contents of the LogoutRequest (i.e., no cookie available for additional information). If all users on a session participant are anonymous (i.e., they all have the same subject) and the session authority sends a LogoutRequest without a SessionIndex, my interpretation of the spec is that all the sessions that strongly match that same subject be logged out; resulting in all users being logged out. In this use case, should the session authority be required to send the SessionIndex to indicate the proper anonymous user?


Thank you,


Joann Kent
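As an added illustration of the situation discussed in this thread (example code, not from either message): a session participant's selection logic that, given a back-channel LogoutRequest, strongly matches the NameID and then applies the SessionIndex rule, so that a shared anonymous subject without a SessionIndex terminates every matching session while a supplied SessionIndex narrows it to one. The session store, helper names and the transient "anonymous" NameID are constructed for the example.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"

def session(sid, name_id, index, not_on_or_after):
    return {"id": sid, "name_id": name_id, "format": TRANSIENT,
            "session_index": index, "not_on_or_after": not_on_or_after}
# Constructed session store: three anonymous users share one NameID value; each
# session records its assertion ID as the SessionIndex (the second option above).
SESSIONS = [
    session("s1", "anonymous", "_a1", "2099-01-01T00:00:00Z"),
    session("s2", "anonymous", "_a2", "2099-01-01T00:00:00Z"),
    session("s3", "anonymous", "_a3", "2000-01-01T00:00:00Z"),  # already expired
    session("s4", "alice", "_a4", "2099-01-01T00:00:00Z"),      # different subject
]

def parse_logout_request(xml_text):
    """Pull the NameID (with its qualifiers) and any SessionIndex elements."""
    root = ET.fromstring(xml_text)
    nid = root.find("saml:NameID", NS)
    return {"name_id": nid.text, "format": nid.get("Format"),
            "name_qualifier": nid.get("NameQualifier"),
            "sp_name_qualifier": nid.get("SPNameQualifier"),
            "session_indexes": [e.text for e in root.findall("samlp:SessionIndex", NS)]}

def strongly_matches(sess, req):
    # Value, Format and qualifiers must agree; a qualifier absent on both sides is equal.
    return all(sess.get(k) == req.get(k)
               for k in ("name_id", "format", "name_qualifier", "sp_name_qualifier"))

def sessions_to_terminate(sessions, req, now=None):
    now = now or datetime.now(timezone.utc)
    chosen = []
    for s in sessions:
        expiry = datetime.fromisoformat(s["not_on_or_after"].replace("Z", "+00:00"))
        if not strongly_matches(s, req) or expiry <= now:
            continue
        # No SessionIndex in the request: every strongly matching session must go.
        if req["session_indexes"] and s["session_index"] not in req["session_indexes"]:
            continue
        chosen.append(s["id"])
    return chosen

def make_request(session_indexes=()):
    idx = "".join(f"<samlp:SessionIndex>{i}</samlp:SessionIndex>" for i in session_indexes)
    return (f'<samlp:LogoutRequest xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" ID="_r1" Version="2.0">'
            f'<saml:NameID Format="{TRANSIENT}">anonymous</saml:NameID>{idx}</samlp:LogoutRequest>')
```

Without a SessionIndex the request above selects s1 and s2 (the whole anonymous population still within NotOnOrAfter); with SessionIndex `_a2` it selects only s2.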
