Re: [saml-dev] SLO: Sucess or Error Status code when Session Timeout at the SP

["Cantor, Scott" <cantor.2@osu.edu>]

On 4/29/15, 8:31 PM, "Bernd Zwattendorfer" <zwatte@gmx.net> wrote:


>
>A user was authenticated at multiple SPs and now wants to do a single
>logout. Therefore, the IdP issues multiple <LogoutRequest> messages to
>the individual SPs. However, we assume that at one SP the session with
>the user has already be terminated before reception of the
><LogoutRequest> (e.g. through SP session timeout).
>
>Our question is: How should this SP respond to the IdP?

If it can process the message and ensure that the appropriate session is 
terminated, then that's success. If not, it's not.

>Will the <LogoutResponse> include a
>"urn:oasis:names:tc:SAML:2.0:status:Success" status code because the
>session is already terminated and the user is logged out (even not
>because of the LogoutRequest),

Why it's terminated doesn't really enter into it. The problem is that it's 
very unlikely the SP could know that the session was already terminated if 
it's already terminated, it's a catch 22. You can't just assume which 
session it is, so you have to be able to match it up.

>The SAML spec does not provide any information on such a scenario.

I think you're reading something into it that doesn't need to be there. It 
doesn't say anything because it doesn't matter why the result is what it 
is, it's an objective determination with an unambiguous answer.

Can I match the session? Is it terminated? If so, success. If not, failure.

-- Scott