OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

security-services message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: RE: [security-services] SLO processing rules

Because we're under a deadline for the ballot, I have integrated the changes
proposed by Greg (which I believe achieve the goals expressed by various
reviewers recently...Conor, Thomas, etc.) into draft-3b of core and

The changes mostly impact core but aren't large or invasive.

In profiles, I simply reordered the sections that discuss front and back
channel use in step 1 of the profile (SP send LogoutRequest to IdP) and
added a SHOULD so that the profile favors use of front-channel when
possible. It also explains why briefly.

Lines affected in profiles 3b-diff:
	1214-1246 (big cut and paste, not actually much changed)

In core, I added a new subcode called PartialLogout, and then replaced the
error handling rules in section with three new paragraphs that

- that the top level code indicates logout with respect to the session
authority only

- that the authority SHOULD try and contact each SP even if one fails

- that if not all SPs were reached, it should return the PartialLogout
subcode in its Success response

That's it. I think it's all much cleaner now. Changes start on line 2642 of

Greg/Conor/others, please review if at all possible in the morning and get
any comments to the list asap.

-- Scott

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]