Subject: RE: Single Logout
Hi, let me add a 4th item:
4. Assuming SLO is IDP-initiated and the config is such that some SPs support HTTP Redirect only and some support SOAP only, can the IDP send some with one binding and some with the other binding (assuming there are no other out-of-band conditions that exist)?
From: Thomas Wisniewski
Sent: Thursday, December 16, 2004 3:49 PM
Subject: Single Logout
Unfortunately we were not able to test out the details of SLO at last week's interop. Here are a couple of issues that I still have as unresolved (perhaps they are captured in Greg's list re: interop items).
1. SamlProf line 1199. It's not clear why this section discusses how the IDP would propagate logout msgs to other session participants (vs. for example the next paragraph which talks about async bindings and makes no reference to it). In any case, the wording says "would then propagate ... using a synchronous binding". Does this imply MUST? I think it does, and it should state it. And a similar statement should exist in the async binding section. So for example, if the initial LogoutRequest from SP to IDP is via SOAP, the IDP cannot send LogoutRequest msgs to other SPs via an HTTP (front-channel) binding. Correct?
Additionally, line 1231 section 184.108.40.206, "same fashion" is not strong enough, or does not imply (to me) that we are discussing "bindings" as in front-channel or back-channel. Instead it should say the binding used MUST be the same channel as requested in 220.127.116.11.
2. SamlProf Line 1263-4 talks about error handling. It is left up to implementers as to whether the IDP should try all SPs and then, if there are one or more errors, return an error, vs. stopping on the first error seen.
SamlCore 2620-2624 leaves this open as well. I think it would make more sense to say implementers should try to log out at all participants and return an error in the end if at least one failed (i.e., best-effort). Thoughts?
3. SamlProf Line 1191 says "If multiple identity providers are involved...". How does a session (as described in the sentence before this line) apply to multiple IDPs (if this is through some IDP proxy, wouldn't the proxy send the request to the original IDP or IDP proxy, etc...)? SamlCore 2507-11 suggests there is only one IDP to send the request to.
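The following is an added illustration, not code from this thread or from any SAML implementation: a small model of an IDP propagating a LogoutRequest to session participants under the two readings discussed above, the same-channel constraint from item 1 (SOAP is back-channel; HTTP-Redirect/HTTP-POST are front-channel) and the best-effort error policy proposed in item 2, with the stop-on-first-error alternative for comparison. The participant list, the per-SP binding lists and the simulated failures are constructed; the `PartialLogout` status URI is the one defined in SAML 2.0 core.

```python
from dataclasses import dataclass, field

SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
PARTIAL_LOGOUT = "urn:oasis:names:tc:SAML:2.0:status:PartialLogout"

# Binding -> channel, as used in item 1 of the thread.
CHANNEL = {"SOAP": "back", "HTTP-Redirect": "front", "HTTP-POST": "front"}


@dataclass
class Participant:
    entity_id: str
    bindings: list            # SLO bindings this SP supports, in preference order
    fails: bool = False       # constructed: simulate a failed LogoutResponse


@dataclass
class Result:
    status: str
    sent: dict = field(default_factory=dict)    # entity_id -> binding used
    failed: dict = field(default_factory=dict)  # entity_id -> reason


def propagate_logout(inbound_binding, participants, stop_on_first_error=False):
    """Propagate a LogoutRequest from the IDP to every other session participant.

    Hypothetical model of the rule in item 1: outbound bindings must be on the
    same channel as the inbound LogoutRequest.  With stop_on_first_error=False
    (the best-effort policy of item 2) every SP is tried and the final status is
    PartialLogout if at least one failed; with True, propagation halts at the
    first failure and later SPs are never contacted.
    """
    channel = CHANNEL[inbound_binding]
    result = Result(status=SUCCESS)
    for sp in participants:
        # Items 1 and 4: choose the first SP-supported binding on the same channel.
        binding = next((b for b in sp.bindings if CHANNEL.get(b) == channel), None)
        if binding is None:
            result.failed[sp.entity_id] = f"no {channel}-channel binding available"
        elif sp.fails:
            result.failed[sp.entity_id] = "LogoutResponse reported failure"
        else:
            result.sent[sp.entity_id] = binding
            continue
        if stop_on_first_error:
            break
    if result.failed:
        result.status = PARTIAL_LOGOUT
    return result
```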