OASIS Mailing List Archives


security-services message


Subject: RE: [security-services] SLO behavior with MNI

> 1. SP and IdP perform browser SSO for a given principal, with IdP issuing an
> Assertion for NameID value "foo".
> 2. IdP initiates MNI to change NameID value to "bar".
> 3. IdP sends LogoutRequest to SP.
> Which NameID value should be in the LogoutRequest?

Formally bar, but the SP is supposed to handle either for "a while" per the notes in the spec.

> That would seem to say that a LogoutRequest with NameID "bar" would not
> "strongly match" the SSO Assertion with NameID "foo", and so the SP must
> return a LogoutResponse with failure status.

Yes, but the MNI message is specifically telling you that bar is the new foo. They match by virtue of you editing the original NameID record in place, or in effect anyway.

-- Scott
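
The in-place edit described in the reply above, sketched as an added example that is not part of the original message or of any SAML implementation: the SP re-keys its NameID record when the ManageNameID request arrives and keeps the superseded value as a temporary alias, so a LogoutRequest carrying either "foo" or "bar" resolves to the same sessions. `SPSessionStore`, its method names and the 300-second grace window are assumptions; the thread only says "a while".

```python
import time
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class NameID:
    # The fields compared when checking that two identifiers match.
    value: str
    format: str = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
    name_qualifier: str = ""
    sp_name_qualifier: str = ""

class SPSessionStore:
    """Hypothetical SP-side store: one NameID record per principal, sessions under it."""

    def __init__(self, grace_seconds=300, clock=time.time):
        self.grace = grace_seconds   # assumed length of "a while"
        self.clock = clock
        self.records = {}            # current NameID -> set of session ids
        self.aliases = {}            # superseded NameID -> (current NameID, expiry)

    def on_sso(self, name_id, session_id):
        self.records.setdefault(name_id, set()).add(session_id)

    def _resolve(self, name_id):
        """Map a presented NameID to the current record key, or None."""
        if name_id in self.records:
            return name_id
        target, expiry = self.aliases.get(name_id, (None, 0))
        if target in self.records and self.clock() < expiry:
            return target
        return None

    def on_manage_name_id(self, name_id, new_value):
        """IdP-initiated MNI: edit the record in place, keep the old value as an alias."""
        current = self._resolve(name_id)
        if current is None:
            return False
        new = replace(current, value=new_value)
        self.records[new] = self.records.pop(current)
        for old, (target, expiry) in list(self.aliases.items()):
            if target == current:    # earlier renames follow the record
                self.aliases[old] = (new, expiry)
        self.aliases.pop(new, None)
        self.aliases[current] = (new, self.clock() + self.grace)
        return True

    def on_logout_request(self, name_id):
        """Return the session ids ended; an empty set means no match (failure response)."""
        current = self._resolve(name_id)
        if current is None:
            return set()
        return self.records.pop(current)
```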
