OASIS Mailing List Archives

saml-dev message


Subject: Re: [saml-dev] Informing SP about session invalidated in IDP


Can anyone explain to me how the session management happens between SP and IDP through OpenAM? I am new to this concept and unable to understand it.


On Sun, Jan 19, 2014 at 3:54 AM, Cantor, Scott <cantor.2@osu.edu> wrote:
On 1/18/14, 11:25 AM, "Tom Scavo" <trscavo@gmail.com> wrote:
>
>Unlike newer cross-domain SSO solutions (such as OpenID Connect), SAML
>has no session management built into the spec.
>Yes, an *implementation* of SAML Web Browser SSO will have to deal with
>sessions but the *specification* is silent on this point. As a
>practical matter, session management is handled independently at the
>IdP and SP (which is why SAML Single Logout doesn't really work).

That's not why logout doesn't work, and to the extent it does or doesn't,
OpenID will be in the same situation.

>> if I have multiple copies of
>> SP sitting in geographically distributed regions sitting behind a load
>> balancer, how does the message reach a particular SP, as the DNS name for all
>> will be the same.

That's a different issue. If you load balance, then your implementation
has to ensure cache coherency across systems. That's not visible to any
standard and never could be. The client only makes one request to an
address, and it's not up to the standard to deal with clustering because
it's not visible to the layers the standard can address.

-- Scott





--
Thanks & Regards
Phalguni Mukherjee
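
The cache-coherency point in the quoted reply, as an added example that is not part of the original thread or of any SAML product: a login is handled by one SP node and the IdP's LogoutRequest by another. The SPNode class, run_cluster helper, sample NameID and SessionIndex values, and the in-memory dict standing in for a replicated session store are all assumptions made for illustration.

```python
import secrets

class SPNode:
    """One service-provider instance behind the load balancer (hypothetical)."""

    def __init__(self, name, store):
        self.name = name
        self.store = store  # SP session id -> {"name_id", "session_index"}

    def consume_assertion(self, name_id, session_index):
        # After validating the IdP's assertion, record which IdP session
        # (SessionIndex) this local SP session belongs to.
        sid = secrets.token_hex(16)
        self.store[sid] = {"name_id": name_id, "session_index": session_index}
        return sid

    def is_authenticated(self, sid):
        return sid in self.store

    def handle_logout_request(self, name_id, session_index):
        # The IdP's LogoutRequest names the subject and SessionIndex, not the
        # SP's own session id, so look sessions up by those values.
        doomed = [sid for sid, s in self.store.items()
                  if s["name_id"] == name_id
                  and s["session_index"] == session_index]
        for sid in doomed:
            del self.store[sid]
        return len(doomed)

def run_cluster(shared):
    """Login lands on node A, the LogoutRequest on node B."""
    common = {}  # stands in for a replicated or external session store
    node_a = SPNode("sp-a", common if shared else {})
    node_b = SPNode("sp-b", common if shared else {})
    # Constructed sample values.
    sid = node_a.consume_assertion("alice@example.org", "_constructed-index-1")
    removed = node_b.handle_logout_request("alice@example.org", "_constructed-index-1")
    return removed, node_a.is_authenticated(sid)

if __name__ == "__main__":
    print("per-node caches:", run_cluster(shared=False))
    print("shared store:   ", run_cluster(shared=True))
```

With per-node caches the logout reports nothing removed and the session on node A stays valid; with the shared store the same request ends it.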

