OASIS Mailing List Archives

saml-dev message



Subject: RE: [saml-dev] SLO Flow Questions


> How would the IdP get the SPNameQualifier if it's not in the AuthnRequest?

The identity of the SP is always in the request (the issuer). The
NameIDPolicy gets used to request affiliation-based identifiers, in which
case it has to be in the response (because the default wouldn't apply) in
which case obviously the SP is going to include it in a logout request.

> That was the only way I could track a source of it reading the spec. So the
> IdP receives it as part of the AuthnRequest, puts it in the Response, so the
> SP must put it in the LogoutRequest.

Yes, but it isn't generally going to be in the NameIDPolicy. Affiliations
are pretty specialized use cases.

> But general rule applies like you said, if it's in the Response sent by the
> IdP, the SP must put it in the LogoutRequest.

It's not a MUST, that's what I'm trying to say. As an SP, that's the right
way to implement it, but as a matter of conformance, it's not a MUST and
assuming it isn't the ideal choice for an IdP.

-- Scott
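
An added example, not part of the original message or of any SAML implementation: one way an IdP could match the NameID in a LogoutRequest without assuming SPNameQualifier is present, defaulting it to the request's Issuer. The session records, entity IDs and function names are constructed for illustration, and signature verification and hardened XML parsing are assumed to have happened already.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SP = "https://sp.example.org/saml"          # constructed SP entityID
AFFIL = "https://affiliation.example.org"   # constructed affiliation ID

def make_request(issuer, name_id_attrs=""):
    """Build a constructed LogoutRequest for the demo (not captured traffic)."""
    return ('<samlp:LogoutRequest xmlns:samlp="%s" xmlns:saml="%s" ID="_r1" '
            'Version="2.0" IssueInstant="2024-01-01T00:00:00Z">'
            '<saml:Issuer>%s</saml:Issuer>'
            '<saml:NameID %s>abc123</saml:NameID>'
            '</samlp:LogoutRequest>'
            % (NS["samlp"], NS["saml"], issuer, name_id_attrs))

REQ_OMITTED = make_request(SP)
REQ_AFFILIATION = make_request(SP, 'SPNameQualifier="%s"' % AFFIL)

# Constructed IdP-side records of identifiers issued in earlier Responses.
SESSIONS = [
    {"id": "s1", "name_id": "abc123", "sp_name_qualifier": SP},
    {"id": "s2", "name_id": "abc123", "sp_name_qualifier": AFFIL},
    {"id": "s3", "name_id": "zzz999", "sp_name_qualifier": SP},
]

def logout_subject(xml_text):
    """Return (issuer, name_id, effective SPNameQualifier) from a LogoutRequest."""
    root = ET.fromstring(xml_text)  # assumes signature already verified
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    name_id = root.find("saml:NameID", NS)
    if issuer is None or name_id is None:
        raise ValueError("LogoutRequest needs both Issuer and NameID")
    issuer = issuer.strip()
    # The SP is not required to echo SPNameQualifier; when it is absent,
    # fall back to the identity of the requester (the Issuer).
    qualifier = name_id.get("SPNameQualifier") or issuer
    return issuer, (name_id.text or "").strip(), qualifier

def sessions_to_end(xml_text, sessions):
    """Ids of sessions whose issued identifier matches the request's NameID."""
    _, value, qualifier = logout_subject(xml_text)
    return [s["id"] for s in sessions
            if s["name_id"] == value and s["sp_name_qualifier"] == qualifier]

if __name__ == "__main__":
    print(sessions_to_end(REQ_OMITTED, SESSIONS))
    print(sessions_to_end(REQ_AFFILIATION, SESSIONS))
```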



