OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

security-services message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: RE: [security-services] sstc-saml-profiles-2.0-figures-01.pdf

> On page 2 for Logout functionality, I assume 4. 
> <LogoutResponse> may not occur?

In practice, this is strictly true. We're not doing transactions here,
nobody guarantees delivery and you can't force anybody to do anything. But
normatively, if you implement the Logout profile at all, you're supposed to
send a response if you get something recognizable as a LogoutRequest.

If you're doing SOAP, this just means you should respond to the request when
you close the connection. If you're doing front-channel, you have to return
the user to the requester anyway, which amounts to sending a response. If
you don't do that, you're being a pretty bad citizen in the community of

If you don't get a response, of course, then you have to treat the logout as
incomplete at that SP. What you do then is a pretty good question, but it's
bound to confuse the user and I think if I was implementing it, I'd be
inclined to make *no* representation that any logout happened at all. I
don't think partial success is very understandable to users.

The good thing is that all of this applies equally to all the profiles, and
the security considerations around DOS attacks and such are roughly the

-- Scott

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]