saml-dev message


Subject: SLO final LogoutResponse with SOAP


Hi,

Looking at point 4.4.3.5 of the SAML profile spec, there is the following statement: "The response is sent to the original session participant, using a SAML binding consistent with the binding used in the original request, the capability of the responder, and the availability of the user agent at the identity provider. Assuming an asynchronous binding was used in step 1, then any binding supported by both entities MAY be used."

Now what puzzles me is how the following scenario is handled:
* IdP supports HTTP-Redirect and HTTP-POST bindings for SLO
* SP supports only SOAP SLO endpoint
* SP needs to initiate logout process

In this scenario according to 4.4.3.3:
"In general, the binding with which the original request was received in step 1 does not dictate the binding that may be used in this step except that as noted in step 1, using a synchronous binding that bypasses the user agent constrains the identity provider to use a similar binding to propagate additional requests."

So the SP should send a LogoutRequest with the HTTP-Redirect binding to the IdP, the IdP should optionally perform logout with the other SPs and then send back a LogoutResponse to the original SP, but where and how? Since the SP only supports SOAP, it should receive a SOAP message, but then how should the SP respond to the incoming LogoutResponse SOAP request? Should it send back yet another LogoutResponse?!

Has anyone implemented this scenario of SLO?

cheers,
Peter
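
The scenario in this message, expressed as a metadata check (an added example, not part of the original post or of any SAML product): it reads the `SingleLogoutService` endpoints two entities advertise and lists the bindings each leg of an SP-initiated logout could use. The entity IDs, URLs and the `metadata()` helper are constructed, and treating the advertised endpoint bindings as the bindings each side supports is a simplifying assumption.

```python
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
B = "urn:oasis:names:tc:SAML:2.0:bindings:"


def metadata(entity_id, role, bindings):
    """Build constructed sample metadata with one SLO endpoint per binding."""
    endpoints = "".join(
        f'<SingleLogoutService Binding="{B}{b}" Location="{entity_id}/slo"/>'
        for b in bindings
    )
    return (
        f'<EntityDescriptor xmlns="{MD}" entityID="{entity_id}">'
        f'<{role} protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
        f"{endpoints}</{role}></EntityDescriptor>"
    )


def slo_bindings(xml_text):
    """Return the short binding names of all SingleLogoutService endpoints."""
    root = ET.fromstring(xml_text)
    return {
        e.get("Binding", "").removeprefix(B)
        for e in root.iter(f"{{{MD}}}SingleLogoutService")
    }


def sp_initiated_slo(idp_xml, sp_xml):
    """List usable bindings for each leg of a logout started by the SP."""
    idp, sp = slo_bindings(idp_xml), slo_bindings(sp_xml)
    common = idp & sp  # "any binding supported by both entities" (4.4.3.5)
    return {
        # The LogoutRequest must arrive at an endpoint the IdP advertises.
        "request_to_idp": sorted(idp),
        # Assumption: the LogoutResponse needs a binding both sides advertise.
        "response_to_sp": sorted(common),
        "mismatch": not common,
    }


# Constructed entities mirroring the three bullet points in the message.
IDP = metadata("https://idp.example.org", "IDPSSODescriptor",
               ["HTTP-Redirect", "HTTP-POST"])
SP = metadata("https://sp.example.org", "SPSSODescriptor", ["SOAP"])

if __name__ == "__main__":
    print(sp_initiated_slo(IDP, SP))
```

Running this against federation metadata before enabling SLO surfaces the mismatch at configuration time rather than during a user's logout.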

