
security-services message



Subject: RE: [security-services] Protocol extension for role change


> A number of agencies do have separate accounts for roles. While re-
> authentication is transparent for Kerberos backends, this is not good for 2FA.

Depends on the frequency and on the second factor method.

> And the usability issue remains: without SLO users end up with different
> contexts across applications after logging in with a different user in a
> particular application.

I don't understand why a user would be confused by a role switch in one application not affecting others. Seems like that would be what I'd expect.

> I don't think that the key obstacles of SLO apply here. The UI problems
> from SLO are not relevant, because the activation of the change is an
> application function.

If SLO doesn't work, then the application never gets notified at all.
 
I still don't understand what the logout step is being used to accomplish here, and why you can't just make this about each individual app and the IdP in isolation. If the app wants to have the IdP give it a different set of attributes, that just sounds like a fresh round trip via AuthnRequest to me.

-- Scott
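As an added illustration (not part of the thread), the SP-side "fresh round trip via AuthnRequest" Scott describes, sketched in Python: the application issues a new SAML 2.0 AuthnRequest with ForceAuthn set so the IdP re-authenticates the user and returns a fresh assertion and attribute set, with no SLO involved. Entity IDs and endpoint URLs are placeholders.

```python
import uuid
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)


def build_authn_request(sp_entity_id, acs_url, idp_sso_url, force_authn=True):
    """Build a SAML 2.0 AuthnRequest for one application.

    ForceAuthn="true" tells the IdP not to reuse its existing session but to
    authenticate the user again, so the SP gets a new assertion (and a new
    attribute set, e.g. for a different role) in isolation from other apps.
    """
    req = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": "_" + uuid.uuid4().hex,  # must be an NCName, hence the prefix
        "Version": "2.0",
        "IssueInstant": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "Destination": idp_sso_url,
        "AssertionConsumerServiceURL": acs_url,
        "ProtocolBinding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
        "ForceAuthn": "true" if force_authn else "false",
    })
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = sp_entity_id
    # Do not let the IdP mint a new persistent identifier just for this request.
    ET.SubElement(req, f"{{{SAMLP}}}NameIDPolicy", {"AllowCreate": "false"})
    return ET.tostring(req, encoding="unicode")


def parse_authn_request(xml_text):
    """Read back the fields an IdP would act on; used here to check the request."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        raise ValueError("not a samlp:AuthnRequest")
    issuer = root.find(f"{{{SAML}}}Issuer")
    return {
        "id": root.get("ID"),
        "issuer": issuer.text if issuer is not None else None,
        "destination": root.get("Destination"),
        "acs_url": root.get("AssertionConsumerServiceURL"),
        "force_authn": root.get("ForceAuthn", "false").lower() == "true",
    }
```

The assertion the IdP returns in response replaces only this application's session attributes, which is the per-app isolation the message argues for.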


