OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

saml-dev message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: RE: [saml-dev] SLO Flow Questions

> First, if the original SAML Response from the IdP to the SP has a format
> attribute as part of its NameID element, then that format must be returned
> in the LogoutRequest by the SP.

There are rules in core for what the "implied" values of NameID attributes
are when they're omitted, but Format only has rules for equating missing
with "unspecified".

> Second, if the original SAML Response also had a NameQualifier attribute
> part of the NameID, then that must be returned in the LogoutRequest also.

If it's not set, it's either absent or is assumed to be the IdP's name when
the SP and IdP are communicating. So, technically, no, there is no MUST
there. It would be a bug to require it, but it also isn't advisable to omit
it for no reason just to test somebody's code for meticulous accuracy...

> Third, if the original AuthnRequest from the SP to the IdP included a
> NameIDPolicy with an attribute of SPNameQualifier, then the IdP would have
> included that attribute in the Response as an attribute of the NameID as
> well and then that attribute must be included in the LogoutRequest.

The AuthnRequest is irrelevant. The rules are the same as for NameQualifier,
apart from the default if absent and relevant being the SP's name.

> So, now if my IdP gets the LogoutRequest without a SessionIndex (since its
> optional), those attributes are what I have available to determine what
> session for the principal that I need to kill.

Well, the NameID is how you identify the principal. You're then obligated to
identify all sessions active for that principal.

> I'm assuming that I don't have the user agent in the picture, that this
> is handled back-channel and any cookie method for session management
> doesn't exist.


> So, general question, is my understanding correct?

An IdP has to be somewhat intelligent about the qualifiers. If the NameID
Format is such that the qualifiers aren't used, then their absence doesn't
mean to default them, but to ignore them. It really depends on how the IdP
uses the format.

In general, an SP should simply send back what the IdP sent to it. There's
really no way to get it wrong doing that.

-- Scott

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]