OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

saml-dev message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: SLO Flow Questions

Title: SLO Flow Questions
I’m trying to make sure I understand the LogoutRequest message and usage correctly.

In a LogoutRequest, there is the required NameID (or BaseID or EncryptedID) element that will have end user identifier in it. It will also have some optional attributes and that’s where I want to make sure my understanding is correct.

First, if the original SAML Response from the IdP to the SP has a format attribute as part of its NameID element, then that format must be returned in the LogoutRequest by the SP.

Second, if the original SAML Response also had a NameQualifier attribute as part of the NameID, then that must be returned in the LogoutRequest also.

Third, if the original AuthnRequest from the SP to the IdP included a NameIDPolicy with an attribute of SPNameQualifier, then the IdP would have included that attribute in the Response as an attribute of the NameID as well and then that attribute must be included in the LogoutRequest.

So, now if my IdP gets the LogoutRequest without a SessionIndex (since its optional), those attributes are what I have available to determine what session for the principal that I need to kill.

I’m assuming that I don’t have the user agent in the picture, that this is handled back-channel and any cookie method for session management doesn’t exist.

So, general question, is my understanding correct?



[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]