[Fwd: [security-services] Optionality of SP support of a SOAP interfacefor IdP-initiated SLO]

[John Kemp <john.kemp@nokia.com>]

Hi everyone,

As if I hadn't generated enough discussion around this topic already, I 
thought I'd stick my oar in the water again ;) Regarding the attached 
email, I would like to propose a motion to amend the current draft of 
the SAML conformance document (draft 05) changing the contents of a cell 
of the table at line 151 of [1], indexed by the row marked 'Single 
Logout (IdP-initiated) - SOAP' and the column marked 'SP', from 
'OPTIONAL' to 'MUST', in mitigation of the concern noted below.

I hope we can discuss this briefly on the call tomorrow.

Cheers,

- KohnK

--- Begin Message ---

• From: "ext John Kemp" <john.kemp@nokia.com>
• To: "'SAML'" <security-services@lists.oasis-open.org>
• Date: Tue, 10 Aug 2004 14:22:02 -0400

Hi all,

Although there was a vote on the Aug 3rd call to make SOAP-based SLO 
support optional in the conformance document (line 132 [1] 5th line of 
table from the bottom), I just wanted to point out again that there is a 
fairly important security issue with respect to this decision (as I also 
noted on the call in [2]).

If an IdP discovers that a user's credentials have been stolen or 
otherwise compromised, but the user is not present at the IdPs site, 
thus preventing the IdP from re-directing the user to individual SPs for 
logout, then without any method to contact the SP (ie. a SOAP SLO 
interface) the IdP will be unable to communicate that the IdP can no 
longer vouch for the supplied user's credentials.

I will note that several potential adopters of SAML/Liberty-based 
technology questioned Liberty members about this issue before we started 
to recommend that SPs support the SOAP interface for this very reason.

So, my preferred course of action would be to require the SP-complete 
(ie. SP, not SP-lite) to implement the IdP-initiated SOAP SLO interface 
(change the OPTIONAL to a MUST in the SP column for IdP-initiated 
SOAP-based SLO).

If, however, the TC is against that course of action, I would highly 
recommend that we add text somewhere in the specification that 
recommends that SPs implement a SOAP SLO interface, and explains the 
issue. Again, I would note that this was a point of issue with several 
potential adopters of this technology.

Cheers,

- johnk

[1] 
http://www.oasis-open.org/apps/org/workgroup/security/download.php/8514/sstc-saml-conformance-2.0-draft-04-diff.pdf
[2] 
http://www.oasis-open.org/archives/security-services/200408/msg00019.html



To unsubscribe from this mailing list (and be removed from the roster of the OASIS TC), go to http://www.oasis-open.org/apps/org/workgroup/security-services/members/leave_workgroup.php.

--- End Message ---