saml-dev message

Subject: Re: [saml-dev] SLO: Success or Error Status code when Session Timeout at the SP

On 4/29/15, 8:31 PM, "Bernd Zwattendorfer" <zwatte@gmx.net> wrote:

>A user was authenticated at multiple SPs and now wants to do a single
>logout. Therefore, the IdP issues multiple <LogoutRequest> messages to
>the individual SPs. However, we assume that at one SP the session with
>the user has already been terminated before reception of the
><LogoutRequest> (e.g. through SP session timeout).
>Our question is: How should this SP respond to the IdP?

If it can process the message and ensure that the appropriate session is 
terminated, then that's success. If not, it's not.

>Will the <LogoutResponse> include a
>"urn:oasis:names:tc:SAML:2.0:status:Success" status code because the
>session is already terminated and the user is logged out (even if not
>because of the LogoutRequest),

Why it's terminated doesn't really enter into it. The problem is that it's
very unlikely the SP could know that the session was already terminated if
it's already terminated; it's a catch-22. You can't just assume which
session it is, so you have to be able to match it up.

>The SAML spec does not provide any information on such a scenario.

I think you're reading something into it that doesn't need to be there. It
doesn't say anything because it doesn't matter why the result is what it
is; it's an objective determination with an unambiguous answer.

Can I match the session? Is it terminated? If so, success. If not, failure.

-- Scott
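
The match-then-decide rule from the message above, as an added example that is not part of the original post or of any SAML product: a hypothetical SP session index that keeps a short-lived record of sessions it has terminated, so a `<LogoutRequest>` arriving after a timeout can still be matched. Assumptions: the request carries both a NameID and a SessionIndex, signature validation has already happened, and the class name, timeouts and the choice of `Responder` as the failure code are the example's own.

```python
import time

STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
# Which non-Success code to send is this example's choice; the message only says "failure".
STATUS_FAILURE = "urn:oasis:names:tc:SAML:2.0:status:Responder"


class SessionStore:
    """Hypothetical SP session index keyed by (NameID, SessionIndex)."""

    def __init__(self, idle_timeout=1800, tombstone_ttl=86400, clock=time.time):
        self.idle_timeout = idle_timeout
        self.tombstone_ttl = tombstone_ttl
        self.clock = clock
        self.active = {}      # key -> last-activity timestamp
        self.terminated = {}  # key -> termination timestamp (tombstone)

    def create(self, name_id, session_index):
        self.active[(name_id, session_index)] = self.clock()

    def sweep(self):
        """Expire idle sessions, keeping a tombstone so they can still be matched."""
        now = self.clock()
        for key, last_seen in list(self.active.items()):
            if now - last_seen >= self.idle_timeout:
                del self.active[key]
                self.terminated[key] = now
        for key, ended in list(self.terminated.items()):
            if now - ended >= self.tombstone_ttl:
                del self.terminated[key]

    def handle_logout_request(self, name_id, session_index):
        """Return the top-level status code for the <LogoutResponse>."""
        self.sweep()
        key = (name_id, session_index)
        if key in self.active:
            # Matched a live session: terminate it now.
            del self.active[key]
            self.terminated[key] = self.clock()
            return STATUS_SUCCESS
        if key in self.terminated:
            # Matched, and already terminated (timeout or earlier logout).
            return STATUS_SUCCESS
        # Cannot match the request to any session this SP knows about.
        return STATUS_FAILURE
```

Once the tombstone itself ages out, the SP is back in the catch-22 described above and can only report failure.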