security-services message


Subject: Re: [security-services] Protocol extension for role change


On 11/9/16, 2:04 AM, "Rainer Hoerbe" <rainer@hoerbe.at> wrote:

> I fail to see the show stopper. IFIAK the main problem areas with front channel SLO are UX (the user
> understanding the scope of federated apps), logout status reporting and unreachable SPs (unless using
> iFrames/Javascript), and application session handling. These do not apply in this use case. What am I
> missing?

I think you have to use iFrames, and third party cookies break that, so....it doesn't work. I don't understand what doesn't apply. If you don't need to be able to identify the session at the application, I don't know how the process would work.

Obviously it's *possible* to implement, you can do storing of the logout messages and then try and match them up later if the cookie eventually shows up, but that's very rarely done. I shouldn't have said "impossible", but it is generally just not implemented well enough to work.

> That could turn out to be a protocol change for scores of applications.

Applications don't support logout either.

-- Scott
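
Added example, not part of the original message and not taken from any SAML implementation: a sketch of the "store the logout and match it up later" approach mentioned above, as it might look at the SP. It assumes the front-channel LogoutRequest has already been validated and yields a NameID and SessionIndex; the class, function and field names are hypothetical.

```python
import time


class DeferredLogoutStore:
    """SP-side record of logout requests that arrived without a session cookie."""

    def __init__(self, ttl_seconds=8 * 3600):
        # Assumption: the TTL must be at least the SP's maximum session lifetime,
        # otherwise a stored logout can expire before the cookie ever shows up.
        self.ttl = ttl_seconds
        self._pending = {}  # (name_id, session_index) -> time the logout was received

    def record(self, name_id, session_index, now=None):
        """Call when a LogoutRequest was processed but no local cookie was presented
        (e.g. the request ran in an iframe and third-party cookies were blocked)."""
        self._pending[(name_id, session_index)] = time.time() if now is None else now

    def _expire(self, now):
        cutoff = now - self.ttl
        self._pending = {k: t for k, t in self._pending.items() if t >= cutoff}

    def is_revoked(self, session, now=None):
        """True if a stored logout matches this session and postdates its creation."""
        now = time.time() if now is None else now
        self._expire(now)
        received = self._pending.get((session["name_id"], session["session_index"]))
        return received is not None and received >= session["created"]


def handle_request(store, sessions, cookie, now=None):
    """Session check run on every first-party request that does carry the cookie."""
    session = sessions.get(cookie)
    if session is None:
        return "no-session"
    if store.is_revoked(session, now):
        del sessions[cookie]  # the earlier logout only takes effect at this point
        return "logged-out"
    return "ok"


if __name__ == "__main__":
    # Constructed sample data: one local session, logout received without its cookie.
    store = DeferredLogoutStore()
    sessions = {"c1": {"name_id": "alice@idp.example", "session_index": "_s1",
                       "created": time.time() - 60}}
    store.record("alice@idp.example", "_s1")
    print(handle_request(store, sessions, "c1"))
```

Until the cookie is next presented, the local session stays valid, so the IdP cannot truthfully report this SP as logged out at the time of the request.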



