OASIS Mailing List Archives

security-services message



Subject: SLO behavior with MNI


I have a question regarding correct behavior in the following scenario:
 
1. SP and IdP perform browser SSO for a given principal, with IdP issuing an Assertion for NameID value "foo".
2. IdP initiates MNI to change NameID value to "bar".
3. IdP sends LogoutRequest to SP.
 
Which NameID value should be in the LogoutRequest?
 
The MNI processing rules defined in [SAMLCore] state [lines 2484-2487] that:
 
"If the identity provider requests that its identifier for the principal be changed by including a <NewID> (or
<NewEncryptedID>) element, the service provider MUST use the element's content as the
<saml:NameID> element content when subsequently communicating with the identity provider regarding
this principal."
 
That would seem to imply that the LogoutRequest should use "bar" as the NameID value.
 
However, the SLO processing rules [lines 2598-2601] state that:
 
"The session participant MUST apply the logout request message to any assertion that meets the following
conditions, even if the assertion arrives after the logout request:
• The subject of the assertion strongly matches the <saml:BaseID>, <saml:NameID>, or
<saml:EncryptedID> element in the <LogoutRequest>, as defined in Section 3.3.4."
 
That would seem to say that a LogoutRequest with NameID "bar" would not "strongly match" the SSO Assertion with NameID "foo", and so the SP must return a LogoutResponse with failure status.
 
Thoughts?
 
Ari Kermaier
Oracle Corporation
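
The three-step scenario in the message above, modelled as an added example (not part of the original post and not taken from [SAMLCore]). The `ServiceProvider` class, its `match_on_current_id` switch and the `"success"`/`"failure"` strings are hypothetical, and "strongly matches" is reduced to equality of the NameID value. It shows which LogoutRequest NameID each of the two readings accepts and whether the SP session survives.

```python
from dataclasses import dataclass

@dataclass
class Session:
    assertion_name_id: str   # NameID in the subject of the SSO assertion
    current_name_id: str     # identifier after any ManageNameID <NewID>
    active: bool = True

class ServiceProvider:
    """Hypothetical SP session store; "strongly matches" is reduced to
    equality of the NameID value (a simplification of Section 3.3.4)."""

    def __init__(self, match_on_current_id):
        # False: compare LogoutRequest NameID with the assertion subject only.
        # True:  compare with the identifier as last changed by MNI.
        self.match_on_current_id = match_on_current_id
        self.sessions = []

    def consume_assertion(self, name_id):
        self.sessions.append(Session(name_id, name_id))

    def manage_name_id(self, name_id, new_id):
        for s in self.sessions:
            if s.current_name_id == name_id:
                s.current_name_id = new_id

    def logout_request(self, name_id):
        matched = [s for s in self.sessions if s.active and name_id ==
                   (s.current_name_id if self.match_on_current_id
                    else s.assertion_name_id)]
        for s in matched:
            s.active = False
        return "success" if matched else "failure"   # simplified status

def run_scenario(match_on_current_id, logout_name_id):
    sp = ServiceProvider(match_on_current_id)
    sp.consume_assertion("foo")                  # step 1: SSO, NameID "foo"
    sp.manage_name_id("foo", "bar")              # step 2: MNI, NewID "bar"
    status = sp.logout_request(logout_name_id)   # step 3: SLO
    return status, sp.sessions[0].active

if __name__ == "__main__":
    for mode in (False, True):
        for nid in ("foo", "bar"):
            print(mode, nid, run_scenario(mode, nid))
```

In this model, whichever reading the SP implements, the other NameID value produces a failure status and the SP session stays active.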

