
security-services message



Subject: RE: [security-services] SLO processing rules


Because we're under a deadline for the ballot, I have integrated the changes
proposed by Greg (which I believe achieve the goals expressed by various
reviewers recently...Conor, Thomas, etc.) into draft-3b of core and
profiles.

The changes mostly impact core but aren't large or invasive.

In profiles, I simply reordered the sections that discuss front and back
channel use in step 1 of the profile (SP send LogoutRequest to IdP) and
added a SHOULD so that the profile favors use of front-channel when
possible. It also explains why briefly.

Lines affected in profiles 3b-diff:
	1156
	1214-1246 (big cut and paste, not actually much changed)

In core, I added a new subcode called PartialLogout, and then replaced the
error handling rules in section 3.7.3.2 with three new paragraphs that
explain:

- that the top level code indicates logout with respect to the session
authority only

- that the authority SHOULD try and contact each SP even if one fails

- that if not all SPs were reached, it should return the PartialLogout
subcode in its Success response

That's it. I think it's all much cleaner now. Changes start on line 2642 of
core-3b-diff.

Greg/Conor/others, please review if at all possible in the morning and get
any comments to the list asap.

-- Scott
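
The three error-handling rules listed in the message, sketched as an added example (not code from the message or from the SAML specification). The status URIs are those of the published SAML 2.0 core and are assumed to match the draft; `send_logout`, the SP URLs and all function names are hypothetical.

```python
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
# Status URIs as published in SAML 2.0 core (assumed unchanged from the draft).
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
PARTIAL_LOGOUT = "urn:oasis:names:tc:SAML:2.0:status:PartialLogout"

def propagate_logout(participants, send_logout):
    """Session authority: try every SP; one failure must not stop the rest."""
    unreached = []
    for sp in participants:
        try:
            reached = bool(send_logout(sp))  # hypothetical transport callback
        except Exception:
            reached = False
        if not reached:
            unreached.append(sp)
    return unreached

def build_status(unreached):
    """Top-level code covers the authority's own session only."""
    status = ET.Element(f"{{{SAMLP}}}Status")
    top = ET.SubElement(status, f"{{{SAMLP}}}StatusCode", Value=SUCCESS)
    if unreached:  # not all SPs were reached: flag it with the subcode
        ET.SubElement(top, f"{{{SAMLP}}}StatusCode", Value=PARTIAL_LOGOUT)
    return status

def logout_was_complete(status):
    """Requesting SP: Success alone does not mean every SP session ended."""
    top = status.find(f"{{{SAMLP}}}StatusCode")
    if top is None or top.get("Value") != SUCCESS:
        return False
    subcodes = {c.get("Value") for c in top.findall(f"{{{SAMLP}}}StatusCode")}
    return PARTIAL_LOGOUT not in subcodes

def demo():
    # Constructed session: three SPs, the second one is unreachable.
    sps = ["https://sp1.example/slo", "https://sp2.example/slo", "https://sp3.example/slo"]
    contacted = []
    def send(sp):
        contacted.append(sp)
        if sp == sps[1]:
            raise ConnectionError("SP did not answer")
        return True
    unreached = propagate_logout(sps, send)
    return contacted, unreached, build_status(unreached)

if __name__ == "__main__":
    print(demo()[:2], logout_was_complete(demo()[2]))
```

A requester that reads only the top-level code would treat this response as a full logout, so the subcode check is what keeps a still-live SP session from being reported as terminated.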


