
security-services message


Subject: Optionality of SP support of a SOAP interface for IdP-initiated SLO

Hi all,

Although there was a vote on the Aug 3rd call to make SOAP-based SLO 
support optional in the conformance document (line 132 [1] 5th line of 
table from the bottom), I just wanted to point out again that there is a 
fairly important security issue with respect to this decision (as I also 
noted on the call in [2]).

If an IdP discovers that a user's credentials have been stolen or 
otherwise compromised, but the user is not present at the IdP's site, 
thus preventing the IdP from redirecting the user to individual SPs for 
logout, then without any method to contact the SP (i.e. a SOAP SLO 
interface) the IdP will be unable to communicate that the IdP can no 
longer vouch for the supplied user's credentials.

I will note that several potential adopters of SAML/Liberty-based 
technology questioned Liberty members about this issue before we started 
to recommend that SPs support the SOAP interface for this very reason.

So, my preferred course of action would be to require the SP-complete 
(i.e. SP, not SP-lite) to implement the IdP-initiated SOAP SLO interface 
(change the OPTIONAL to a MUST in the SP column for IdP-initiated 
SOAP-based SLO).

If, however, the TC is against that course of action, I would highly 
recommend that we add text somewhere in the specification that 
recommends that SPs implement a SOAP SLO interface, and explains the 
issue. Again, I would note that this was a point of issue with several 
potential adopters of this technology.


- johnk
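As an added illustration of the back-channel endpoint this message argues for (example code, not part of the original post or of any OASIS deliverable): an SP-side handler that accepts a SOAP-wrapped SAML 2.0 LogoutRequest from the IdP and terminates the matching local sessions without the user being present. The session store, entity IDs and message contents are constructed; verification of the request's XML signature is assumed to happen before this handler runs.

```python
import xml.etree.ElementTree as ET

NS = {"soap": "http://schemas.xmlsoap.org/soap/envelope/",
      "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
STATUS_REQUESTER = "urn:oasis:names:tc:SAML:2.0:status:Requester"

# Constructed SP session store: local session id -> (IdP entityID, NameID, SessionIndex)
SESSIONS = {"sess-1": ("https://idp.example.org", "alice", "idx-42"),
            "sess-2": ("https://idp.example.org", "alice", "idx-99"),
            "sess-3": ("https://idp.example.org", "bob", "idx-07")}

# Constructed SOAP-wrapped LogoutRequest, as the IdP would POST it to the SP's
# SOAP SLO endpoint once it decides it can no longer vouch for "alice".
SOAP_LOGOUT_REQUEST = """<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
 <soap:Body>
  <samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
      xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
      ID="_req1" Version="2.0" IssueInstant="2004-08-04T12:00:00Z">
   <saml:Issuer>https://idp.example.org</saml:Issuer>
   <saml:NameID>alice</saml:NameID>
   <samlp:SessionIndex>idx-42</samlp:SessionIndex>
  </samlp:LogoutRequest>
 </soap:Body>
</soap:Envelope>"""


def handle_soap_slo(envelope_xml, sessions, trusted_issuers):
    """Terminate the SP sessions named by a back-channel LogoutRequest.
    Returns (terminated session ids, SAML status code). Signature already verified (assumption)."""
    root = ET.fromstring(envelope_xml)
    req = root.find("soap:Body/samlp:LogoutRequest", NS)
    if req is None:
        return [], STATUS_REQUESTER
    issuer = req.findtext("saml:Issuer", namespaces=NS)
    if issuer not in trusted_issuers:
        return [], STATUS_REQUESTER  # only a known IdP may log our users out
    name_id = req.findtext("saml:NameID", namespaces=NS)
    indexes = {e.text for e in req.findall("samlp:SessionIndex", NS)}
    # With no SessionIndex, every session this IdP created for the principal goes.
    victims = [sid for sid, (iss, nid, idx) in sessions.items()
               if iss == issuer and nid == name_id and (not indexes or idx in indexes)]
    for sid in victims:
        del sessions[sid]
    return victims, STATUS_SUCCESS
```

The returned status code is what the SP would place in the LogoutResponse's StatusCode sent back in the SOAP reply.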

