OASIS Mailing List Archives

security-services message


Subject: RE: [security-services] Potential Errata: Session Index on logout

> I still think this information belongs in the core spec in 
> the description of <LogoutRequest> <SessionIndex> element as 
> the concept isn't a profile specific issue.  

I think it is profile-specific. The definition of SessionIndex in Logout in
core was intentionally loose and was tightened up specifically as it
pertained to the SSO profile. The assumption was that only the profiles were
explicit about the relationship between SSO and SLO, and only in the web
browser or ECP case.

> I am also concerned about the fact that the profile says 
> there MUST be at least one element since the IdP may, for 
> whatever reason, choose to not support the concept of 
> multiple simultaneous sessions (it's not that uncommon) in 
> which case it wouldn't provide a SessionIndex and therefore 
> the logout would not need one.

Line 551 of profiles:

If the identity provider supports the Single Logout profile, defined in
Section 4.4, any such authentication statements MUST include a SessionIndex
attribute to enable per-session logout requests by the service provider.

I don't recall any specific reasoning for that statement, but it's there. I
don't think it matters much, it just means the IdP sends the same thing
every time.

-- Scott
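
The two requirements discussed in this message, sketched as a service-provider-side check (an added example, not part of the original message or of any OASIS text): every AuthnStatement should carry a SessionIndex when the IdP supports Single Logout, and a LogoutRequest under the profile should carry at least one SessionIndex element. The sample messages, function names and the rule of rejecting an unrecognised index are assumptions made for illustration; signature validation is out of scope here.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "samlp": "urn:oasis:names:tc:SAML:2.0:protocol"}
XMLNS = 'xmlns:saml="%(saml)s" xmlns:samlp="%(samlp)s"' % NS

# Constructed sample messages; Issuer, timestamps and signatures are omitted.
ASSERTION = f"""<saml:Assertion {XMLNS} ID="_a1" Version="2.0">
  <saml:AuthnStatement AuthnInstant="2005-01-01T00:00:00Z" SessionIndex="idx-1"/>
  <saml:AuthnStatement AuthnInstant="2005-01-01T00:05:00Z"/>
</saml:Assertion>"""
LOGOUT_WITH_INDEX = f"""<samlp:LogoutRequest {XMLNS} ID="_r1" Version="2.0">
  <saml:NameID>user@example.org</saml:NameID>
  <samlp:SessionIndex>idx-1</samlp:SessionIndex>
</samlp:LogoutRequest>"""
LOGOUT_NO_INDEX = f"""<samlp:LogoutRequest {XMLNS} ID="_r2" Version="2.0">
  <saml:NameID>user@example.org</saml:NameID>
</samlp:LogoutRequest>"""


def session_indexes(assertion_xml):
    """Return (values, missing): SessionIndex values found on AuthnStatements
    and the number of AuthnStatements that lack the attribute."""
    root = ET.fromstring(assertion_xml)
    stmts = root.findall("saml:AuthnStatement", NS)
    values = [s.get("SessionIndex") for s in stmts if s.get("SessionIndex")]
    return values, len(stmts) - len(values)


def check_logout(logout_xml, known_indexes):
    """Check a LogoutRequest against the sessions this SP recorded at SSO time."""
    root = ET.fromstring(logout_xml)
    sent = [(e.text or "").strip() for e in root.findall("samlp:SessionIndex", NS)]
    sent = [s for s in sent if s]
    if not sent:
        # The profile rule debated in the thread: at least one SessionIndex.
        return "reject: no SessionIndex"
    unknown = [s for s in sent if s not in known_indexes]
    if unknown:
        # Assumption for this example: an index we never saw is refused.
        return "reject: unknown SessionIndex " + ",".join(unknown)
    return "ok"


if __name__ == "__main__":
    known, missing = session_indexes(ASSERTION)
    print("known:", known, "statements without SessionIndex:", missing)
    print(check_logout(LOGOUT_WITH_INDEX, set(known)))
    print(check_logout(LOGOUT_NO_INDEX, set(known)))
```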
