OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

security-services message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: SLO behavior with MNI

I have a question regarding correct behavior in the following scenario:
1. SP and IdP perform browser SSO for a given principal, with IdP issuing an Assertion for NameID value "foo".
2. IdP initiates MNI to change NameID value to "bar".
3. IdP sends LogoutRequest to SP.
Which NameID value should be in the LogoutRequest?
The MNI processing rules defined in [SAMLCore] state [lines 2484-2487] that:
"If the identity provider requests that its identifier for the principal be changed by including a <NewID> (or
<NewEncryptedID>) element, the service provider MUST use the element's content as the
<saml:NameID> element content when subsequently communicating with the identity provider regarding
this principal."
That would seem to imply that the LogoutRequest should use "bar" as the NameID value.
However, the SLO processing rules [lines 2598-2601] state that:
"The session participant MUST apply the logout request message to any assertion that meets the following
conditions, even if the assertion arrives after the logout request:
• The subject of the assertion strongly matches the <saml:BaseID>, <saml:NameID>, or
<saml:EncryptedID> element in the <LogoutRequest>, as defined in Section 3.3.4."
That would seem to say that a LogoutRequest with NameID "bar" would not "strongly match" the SSO Assertion with NameID "foo", and so the SP must return a LogoutResponse with failure status.
Ari Kermaier
Oracle Corporation

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]