OASIS Mailing List Archives


security-services message



Subject: RE: [security-services] Implementation question for an SLO after an MNI Termination


> Assuming a user is logged in via saml using a saml persistent 
> identifier format. Then either from the IDP or SP, they 
> perform an MNI terminate protocol. My interpretation is that 
> once the terminate is completed, then either party MUST NOT 
> use the terminated persistent identifier. This basically 
> implies that SLO is no longer possible between the two 
> providers. I think this is the correct interpretation. 
> Furthermore, what happens at each respective partner, related 
> to the saml session that was established at the outset, is up 
> to each partner.

I think there are at least two relevant sections. Under the description of
<Terminate/> rules, it says that indeed the SP/IdP can choose to terminate
an active session if it wishes, implying that formal SLO is not going to
happen.

But you also have the end of that section that notes lag time is an issue,
and it's arguably worth remembering values for some period of time just to
smooth over any messages that come in after the fact.

I guess if I were implementing, I'd probably have more of a "mark dead" flag
in the record, not accept new sessions with it, but handle logout/etc. as
well as possible until I purge the record.

-- Scott
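The "mark dead" handling sketched in the reply above, written out as an added example. This is not code from the original message, from the SAML specification, or from any particular SAML implementation; the record layout, the function names, the 15-minute grace window and the sample identifier and SPNameQualifier values are all assumptions made for illustration. It keeps a terminated persistent NameID record around after MNI Terminate, refuses new SSO under it immediately, still honours a LogoutRequest that arrives during the lag window, and purges the record once the window has closed.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional, Set, Tuple

# Assumed lag window: how long a terminated identifier stays resolvable so a
# LogoutRequest that crossed the Terminate on the wire can still be matched.
DEFAULT_GRACE = timedelta(minutes=15)

# Constructed sample values (hypothetical, not from the original message).
SPQ = "https://sp.example.org/shibboleth"
NAMEID = "3c8f2a1e-persistent-id-example"
T0 = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)


def at(minutes: int) -> datetime:
    """Clock helper: T0 plus the given number of minutes."""
    return T0 + timedelta(minutes=minutes)


@dataclass
class NameIDRecord:
    """One persistent NameID as a provider might store it (constructed)."""
    value: str                                  # persistent identifier value
    sp_name_qualifier: str                      # SPNameQualifier it was issued for
    local_user: str                             # local principal it maps to
    active_sessions: Set[str] = field(default_factory=set)
    terminated_at: Optional[datetime] = None    # set once MNI Terminate completes

    def is_terminated(self) -> bool:
        return self.terminated_at is not None


class NameIDStore:
    """NameID table using a 'mark dead' flag instead of immediate deletion."""

    def __init__(self, grace: timedelta = DEFAULT_GRACE):
        self.grace = grace
        self._records: Dict[Tuple[str, str], NameIDRecord] = {}

    def register(self, value: str, spq: str, local_user: str) -> NameIDRecord:
        rec = NameIDRecord(value, spq, local_user)
        self._records[(value, spq)] = rec
        return rec

    def lookup(self, value: str, spq: str) -> Optional[NameIDRecord]:
        return self._records.get((value, spq))

    def within_grace(self, rec: NameIDRecord, now: datetime) -> bool:
        """True while a dead record is still inside the lag window."""
        return rec.is_terminated() and now - rec.terminated_at <= self.grace

    def handle_terminate(self, value: str, spq: str, now: datetime) -> bool:
        """MNI Terminate completed (sent or received): mark the record dead but
        keep it, so late messages naming the identifier can still be matched."""
        rec = self.lookup(value, spq)
        if rec is None or rec.is_terminated():
            return False
        rec.terminated_at = now
        return True

    def accept_authn(self, value: str, spq: str, session_id: str, now: datetime) -> bool:
        """New SSO under this identifier. A terminated identifier must not be
        used again, so this is refused even inside the grace window."""
        rec = self.lookup(value, spq)
        if rec is None or rec.is_terminated():
            return False
        rec.active_sessions.add(session_id)
        return True

    def handle_logout(self, value: str, spq: str, session_id: str, now: datetime) -> bool:
        """LogoutRequest naming this identifier. Live records are handled as
        usual; dead ones only while the grace window is still open."""
        rec = self.lookup(value, spq)
        if rec is None:
            return False
        if rec.is_terminated() and not self.within_grace(rec, now):
            return False
        rec.active_sessions.discard(session_id)
        return True

    def purge(self, now: datetime) -> int:
        """Drop dead records whose grace window has expired; return the count."""
        expired = [k for k, r in self._records.items()
                   if r.is_terminated() and not self.within_grace(r, now)]
        for k in expired:
            del self._records[k]
        return len(expired)


if __name__ == "__main__":
    store = NameIDStore()
    store.register(NAMEID, SPQ, "alice")
    print("SSO accepted:", store.accept_authn(NAMEID, SPQ, "sess-1", at(0)))
    print("Terminate recorded:", store.handle_terminate(NAMEID, SPQ, at(1)))
    print("SSO after Terminate:", store.accept_authn(NAMEID, SPQ, "sess-2", at(2)))
    print("Late logout in grace:", store.handle_logout(NAMEID, SPQ, "sess-1", at(5)))
    print("Logout after grace:", store.handle_logout(NAMEID, SPQ, "sess-1", at(60)))
    print("Purged:", store.purge(at(60)))
```

The split between accept_authn and handle_logout is the point: the "must not use" rule in the spec is enforced for new use of the identifier at once, while the lag-time advice is honoured only for messages that tear sessions down. How long the grace window should be depends on clock skew and message latency between the two providers; the 15 minutes here is only a placeholder.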


