[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: Re: [Fwd: [security-services] Optionality of SP support of a SOAP interface for IdP-initiated SLO]
Hi,

I just noticed that, in fact, we currently do not mandate SP-initiated SOAP-based SLO at the IdP either. Since the same issue arises, I would like to amend my previous proposal to make the following two changes to [1]:

* Mandate Single Logout (IdP-initiated) - SOAP support by SPs
* Mandate Single Logout (SP-initiated) - SOAP support by IdPs

Both of these changes affect the table at line 151 of [1], each changing a cell from 'OPTIONAL' to 'MUST'.

These changes would mitigate a potential security issue where one party discovers that a user's credentials have been compromised and would like to log out that user at other parties, but does not have the user present at their site (and thus cannot use HTTP redirects).

[1] http://www.oasis-open.org/apps/org/workgroup/security/download.php/8718/sstc-saml-conformance-2.0-draft-05-diff.pdf

Cheers,

- JohnK

ext John Kemp wrote:
> Hi everyone,
>
> As if I hadn't generated enough discussion around this topic already,
> I thought I'd stick my oar in the water again ;) Regarding the
> attached email, I would like to propose a motion to amend the current
> draft of the SAML conformance document (draft 05) changing the
> contents of a cell of the table at line 151 of [1], indexed by the row
> marked 'Single Logout (IdP-initiated) - SOAP' and the column marked
> 'SP', from 'OPTIONAL' to 'MUST', in mitigation of the concern noted
> below.
>
> I hope we can discuss this briefly on the call tomorrow.
>
> Cheers,
>
> - JohnK
>
> ------------------------------------------------------------------------
>
> Subject: [security-services] Optionality of SP support of a SOAP interface for IdP-initiated SLO
> From: "ext John Kemp" <john.kemp@nokia.com>
> Date: Tue, 10 Aug 2004 14:22:02 -0400
> To: "'SAML'" <security-services@lists.oasis-open.org>
>
> Hi all,
>
> Although there was a vote on the Aug 3rd call to make SOAP-based SLO
> support optional in the conformance document (line 132 [1], 5th line of
> table from the bottom), I just wanted to point out again that there is
> a fairly important security issue with respect to this decision (as I
> also noted on the call in [2]).
>
> If an IdP discovers that a user's credentials have been stolen or
> otherwise compromised, but the user is not present at the IdP's site,
> thus preventing the IdP from redirecting the user to individual SPs
> for logout, then without any method to contact the SP (i.e. a SOAP SLO
> interface) the IdP will be unable to communicate that the IdP can no
> longer vouch for the supplied user's credentials.
>
> I will note that several potential adopters of SAML/Liberty-based
> technology questioned Liberty members about this issue before we
> started to recommend that SPs support the SOAP interface for this very
> reason.
>
> So, my preferred course of action would be to require the SP-complete
> (i.e. SP, not SP-lite) to implement the IdP-initiated SOAP SLO
> interface (change the OPTIONAL to a MUST in the SP column for
> IdP-initiated SOAP-based SLO).
>
> If, however, the TC is against that course of action, I would highly
> recommend that we add text somewhere in the specification that
> recommends that SPs implement a SOAP SLO interface, and explains the
> issue. Again, I would note that this was a point of issue with several
> potential adopters of this technology.
>
> Cheers,
>
> - johnk
>
> [1] http://www.oasis-open.org/apps/org/workgroup/security/download.php/8514/sstc-saml-conformance-2.0-draft-04-diff.pdf
>
> [2] http://www.oasis-open.org/archives/security-services/200408/msg00019.html
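The back-channel exchange the thread argues SPs must support, as an added example that is not part of the original messages or of any OASIS conformance text: an IdP that has decided it can no longer vouch for a principal builds a SAML 2.0 LogoutRequest, wraps it in a SOAP envelope and delivers it directly to the SP, with no browser involved. The SP side terminates every local session bound to that NameID (all of them when no SessionIndex is given, as the SAML 2.0 protocol specifies) and answers with a LogoutResponse. The entity IDs, session store, user names and the "credentials compromised" trigger are constructed for this example; authentication of the SOAP message (XML Signature or mutual TLS, which a real deployment needs) is assumed to have happened already and is stood in for by an issuer allow-list.

```python
"""SOAP-bound (back-channel) SAML 2.0 Single Logout, IdP -> SP.

Added example, not code from the thread or any specification. Entity
IDs, sessions and the compromise trigger are constructed; transport
authentication (XML Signature / mutual TLS) is assumed done upstream.
"""
import datetime
import uuid
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
REQUESTER = "urn:oasis:names:tc:SAML:2.0:status:Requester"

ET.register_namespace("soap-env", SOAP_NS)
ET.register_namespace("samlp", SAMLP_NS)
ET.register_namespace("saml", SAML_NS)


def _now():
    return datetime.datetime.now(datetime.timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def _soap_wrap(child):
    """Place one SAML protocol message inside a SOAP 1.1 Body."""
    env = ET.Element(f"{{{SOAP_NS}}}Envelope")
    ET.SubElement(env, f"{{{SOAP_NS}}}Body").append(child)
    return ET.tostring(env, encoding="utf-8")


def build_logout_request(idp_entity_id, name_id, session_indexes=(), reason=None):
    """IdP side: LogoutRequest for one principal. No SessionIndex means
    'every session you hold for this NameID', which is what an IdP wants
    after detecting credential compromise."""
    req = ET.Element(f"{{{SAMLP_NS}}}LogoutRequest",
                     {"ID": "_" + uuid.uuid4().hex, "Version": "2.0",
                      "IssueInstant": _now()})
    if reason:
        req.set("Reason", reason)
    ET.SubElement(req, f"{{{SAML_NS}}}Issuer").text = idp_entity_id
    ET.SubElement(req, f"{{{SAML_NS}}}NameID", {"Format": PERSISTENT}).text = name_id
    for idx in session_indexes:
        ET.SubElement(req, f"{{{SAMLP_NS}}}SessionIndex").text = idx
    return _soap_wrap(req)


class ServiceProvider:
    """SP side: a local session table plus the SOAP SLO endpoint."""

    def __init__(self, entity_id, trusted_idps):
        self.entity_id = entity_id
        self.trusted_idps = set(trusted_idps)
        self.sessions = {}  # local session id -> (idp, name_id, session_index)

    def login(self, idp, name_id, session_index):
        sid = "sp-" + uuid.uuid4().hex
        self.sessions[sid] = (idp, name_id, session_index)
        return sid

    def is_logged_in(self, sid):
        return sid in self.sessions

    def handle_soap_slo(self, envelope):
        """Process one SOAP LogoutRequest; returns (status, count, response)."""
        root = ET.fromstring(envelope)
        req = root.find(f"{{{SOAP_NS}}}Body/{{{SAMLP_NS}}}LogoutRequest")
        if req is None:
            return self._respond(REQUESTER, None, 0)
        issuer = req.findtext(f"{{{SAML_NS}}}Issuer")
        name_id = req.findtext(f"{{{SAML_NS}}}NameID")
        indexes = {e.text for e in req.findall(f"{{{SAMLP_NS}}}SessionIndex")}
        # Placeholder for message authentication: only a trusted IdP may
        # log out principals it issued, and it must name one.
        if issuer not in self.trusted_idps or not name_id:
            return self._respond(REQUESTER, req.get("ID"), 0)
        victims = [sid for sid, (idp, nid, idx) in self.sessions.items()
                   if idp == issuer and nid == name_id
                   and (not indexes or idx in indexes)]
        for sid in victims:
            del self.sessions[sid]
        return self._respond(SUCCESS, req.get("ID"), len(victims))

    def _respond(self, status, in_response_to, count):
        resp = ET.Element(f"{{{SAMLP_NS}}}LogoutResponse",
                          {"ID": "_" + uuid.uuid4().hex, "Version": "2.0",
                           "IssueInstant": _now()})
        if in_response_to:
            resp.set("InResponseTo", in_response_to)
        ET.SubElement(resp, f"{{{SAML_NS}}}Issuer").text = self.entity_id
        st = ET.SubElement(resp, f"{{{SAMLP_NS}}}Status")
        ET.SubElement(st, f"{{{SAMLP_NS}}}StatusCode", {"Value": status})
        return status, count, _soap_wrap(resp)


if __name__ == "__main__":
    idp = "https://idp.example.org"  # constructed entity IDs
    sp = ServiceProvider("https://sp.example.org", [idp])
    s1 = sp.login(idp, "alice", "idx-1")
    s2 = sp.login(idp, "alice", "idx-2")
    msg = build_logout_request(idp, "alice", reason="credential compromise")
    print(sp.handle_soap_slo(msg)[:2], sp.is_logged_in(s1), sp.is_logged_in(s2))
```

The point the example makes concrete: the SP learns about the compromise only because it exposes an endpoint the IdP can reach without the user. Without that endpoint the IdP's only lever is the browser redirect it cannot perform, and the stolen session at the SP stays live until it expires on its own.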