security-services message
[Date Prev]
| [Thread Prev]
| [Thread Next]
| [Date Next]
--
[Date Index]
| [Thread Index]
| [List Home]
Subject: SLO behavior with MNI
- From: ARI.KERMAIER@oracle.com
- To: security-services@lists.oasis-open.org
- Date: Thu, 24 Jul 2008 13:18:10 -0700 (PDT)
I have a question regarding correct behavior in the following scenario:

1. SP and IdP perform browser SSO for a given principal, with IdP issuing an Assertion for NameID value "foo".
2. IdP initiates MNI to change NameID value to "bar".
3. IdP sends LogoutRequest to SP.

Which NameID value should be in the LogoutRequest?

The MNI processing rules defined in [SAMLCore] state [lines 2484-2487] that:

"If the identity provider requests that its identifier for the principal be changed by including a <NewID> (or <NewEncryptedID>) element, the service provider MUST use the element's content as the <saml:NameID> element content when subsequently communicating with the identity provider regarding this principal."

That would seem to imply that the LogoutRequest should use "bar" as the NameID value.

However, the SLO processing rules [lines 2598-2601] state that:

"The session participant MUST apply the logout request message to any assertion that meets the following conditions, even if the assertion arrives after the logout request:
• The subject of the assertion strongly matches the <saml:BaseID>, <saml:NameID>, or <saml:EncryptedID> element in the <LogoutRequest>, as defined in Section 3.3.4."

That would seem to say that a LogoutRequest with NameID "bar" would not "strongly match" the SSO Assertion with NameID "foo", and so the SP must return a LogoutResponse with failure status.

Thoughts?

Ari Kermaier
Oracle Corporation
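Added example (editorial, not part of Ari's message, the OASIS list, or any implementation): a small Python model of an SP session store run through the three steps above. It shows that what the LogoutRequest for "bar" matches depends on which identifier the SP is holding when the request arrives, the NameID from the original assertion or the <NewID> it accepted during MNI. The "strongly matches" check is my paraphrase of [SAMLCore] 3.3.4 and is an assumption (content identical, Format identical with an omitted Format read as "unspecified", and the NameQualifier, SPNameQualifier and SPProvidedID attributes identical); the status URN returned for an unmatched logout, the entity IDs and the session index are constructed values for the model, not taken from the message or the spec.

```python
"""Model of an SP session store under SAML 2.0 MNI followed by SLO.

Added illustration; not code from the OASIS list or [SAMLCore].  The
'strongly matches' test is an assumed reading of [SAMLCore] 3.3.4:
NameID content identical, Format identical (an omitted Format read as
'unspecified'), and the NameQualifier / SPNameQualifier / SPProvidedID
attributes identical.  Entity IDs and session indexes are constructed.
"""
from dataclasses import dataclass, replace
from typing import List, Optional

SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
REQUESTER = "urn:oasis:names:tc:SAML:2.0:status:Requester"
UNKNOWN_PRINCIPAL = "urn:oasis:names:tc:SAML:2.0:status:UnknownPrincipal"
FMT_UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
FMT_PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"


@dataclass(frozen=True)
class NameID:
    """<saml:NameID> content plus the attributes that take part in matching."""
    value: str
    format: Optional[str] = None
    name_qualifier: Optional[str] = None
    sp_name_qualifier: Optional[str] = None
    sp_provided_id: Optional[str] = None


def strongly_matches(a: NameID, b: NameID) -> bool:
    """Assumed reading of [SAMLCore] 3.3.4 'strongly matches' for <saml:NameID>."""
    return (
        a.value == b.value
        and (a.format or FMT_UNSPECIFIED) == (b.format or FMT_UNSPECIFIED)
        and a.name_qualifier == b.name_qualifier
        and a.sp_name_qualifier == b.sp_name_qualifier
        and a.sp_provided_id == b.sp_provided_id
    )


@dataclass
class Session:
    session_index: str
    name_id: NameID  # the identifier the SP currently holds for this principal


class ServiceProvider:
    def __init__(self, apply_mni_rename: bool) -> None:
        # apply_mni_rename=False models an SP that keeps matching against the
        # NameID from the original assertion, the reading the message worries about.
        self.apply_mni_rename = apply_mni_rename
        self.sessions: List[Session] = []

    def sso(self, assertion_name_id: NameID, session_index: str) -> None:
        """Browser SSO: record the session under the assertion's NameID."""
        self.sessions.append(Session(session_index, assertion_name_id))

    def manage_name_id(self, name_id: NameID, new_id: str) -> str:
        """IdP-initiated <ManageNameIDRequest> carrying <NewID>; returns a status URN."""
        matched = [s for s in self.sessions if strongly_matches(s.name_id, name_id)]
        if not matched:
            return UNKNOWN_PRINCIPAL
        if self.apply_mni_rename:
            # [SAMLCore] lines 2484-2487: use the <NewID> content as the
            # <saml:NameID> content from now on for this principal.
            for s in matched:
                s.name_id = replace(s.name_id, value=new_id)
        return SUCCESS

    def logout(self, name_id: NameID) -> str:
        """<LogoutRequest>: terminate every session whose stored NameID strongly matches."""
        matched = [s for s in self.sessions if strongly_matches(s.name_id, name_id)]
        if not matched:
            return REQUESTER  # failure status chosen for this model only
        for s in matched:
            self.sessions.remove(s)
        return SUCCESS


def run_scenario(apply_mni_rename: bool) -> dict:
    """Steps 1-3 from the message: SSO as 'foo', MNI to 'bar', LogoutRequest for 'bar'."""
    sp = ServiceProvider(apply_mni_rename)
    foo = NameID("foo", FMT_PERSISTENT, "https://idp.example.com", "https://sp.example.com")
    sp.sso(foo, session_index="_s1")                    # step 1
    mni_status = sp.manage_name_id(foo, new_id="bar")   # step 2
    bar = replace(foo, value="bar")
    slo_status = sp.logout(bar)                         # step 3
    return {"mni": mni_status, "slo": slo_status, "open_sessions": len(sp.sessions)}


if __name__ == "__main__":
    for rename in (True, False):
        print(f"apply_mni_rename={rename}: {run_scenario(rename)}")
```

Running it with apply_mni_rename=True, the SP that rewrote its stored identifier on the MNI terminates the session when the LogoutRequest names "bar"; with apply_mni_rename=False, the same LogoutRequest matches nothing and the session stays open, which is the failure outcome the message describes. The model deliberately leaves out the "assertion arrives after the logout request" clause and encrypted identifiers.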