Subject: Re: [saml-dev] Informing SP about session invalidated in IDP
On 1/18/14, 11:25 AM, "Tom Scavo" <trscavo@gmail.com> wrote:
>
>Unlike newer cross-domain SSO solutions (such as OpenID Connect), SAML
>has no session management built into the spec.
>Yes, an *implementation* of SAML Web Browser SSO will have to deal with
>sessions but the *specification* is silent on this point. As a
>practical matter, session management is handled independently at the
>IdP and SP (which is why SAML Single Logout doesn't really work).

That's not why logout doesn't work, and to the extent it does or doesn't,
OpenID will be in the same situation.

>> if I have multiple copy of
>> SP sitting in geographically distributed region sitting behind a load
>> balancer, how the message reaches a particular SP as the DNS name for all
>> will be same.

That's a different issue. If you load balance, then your implementation
has to ensure cache coherency across systems. That's not visible to any
standard and never could be. The client only makes one request to an
address, and it's not up to the standard to deal with clustering because
it's not visible to the layers the standard can address.

-- Scott
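
The cache-coherency requirement from the reply above, as an added example that is not part of the original message or of any SAML implementation: two load-balanced SP nodes receive the login and the IdP's LogoutRequest on different instances, once with per-node session caches and once with a shared store. The class, method and field names are hypothetical, and the cookie, NameID and SessionIndex values are constructed.

```python
# Added illustration; names are hypothetical, not from any SAML library.
class SPNode:
    """One service-provider instance behind a load balancer."""

    def __init__(self, name, store):
        self.name = name
        self.store = store  # dict: session cookie value -> session record

    def consume_assertion(self, cookie, name_id, session_index):
        # Called after a successful SSO response; SessionIndex comes from
        # the AuthnStatement and is what a later LogoutRequest refers to.
        self.store[cookie] = {"name_id": name_id, "session_index": session_index}

    def handle_logout_request(self, name_id, session_index):
        # Remove every session this node can see that matches the request.
        doomed = [c for c, s in self.store.items()
                  if s["name_id"] == name_id and s["session_index"] == session_index]
        for cookie in doomed:
            del self.store[cookie]
        return len(doomed)

    def is_authenticated(self, cookie):
        return cookie in self.store


def simulate(shared):
    """Login lands on node A, the IdP's LogoutRequest lands on node B.
    Returns True if node A still accepts the user's cookie afterwards."""
    common = {}
    a = SPNode("a", common if shared else {})
    b = SPNode("b", common if shared else {})
    a.consume_assertion("cookie-123", "user@example.org", "_idx-1")  # constructed values
    b.handle_logout_request("user@example.org", "_idx-1")
    return a.is_authenticated("cookie-123")


if __name__ == "__main__":
    print("per-node caches, session survives logout:", simulate(shared=False))
    print("shared store, session survives logout:  ", simulate(shared=True))
```

With per-node caches the session outlives the logout because the request reached a node that never saw the login; nothing in the SAML messages themselves differs between the two runs.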