Subject: FW: Request for clarification of WSFED issue i008 - Sign-out notification and priority (on behalf of the WSFED TC)
From: Paul.Lesov@wellsfargo.com [mailto:Paul.Lesov@wellsfargo.com]

Firstly, I would like to clarify on the specification documentation (ws-federation-1.2.-spec-ed-01.doc).
http://www.oasis-open.org/apps/org/workgroup/wsfed/download.php/24422/ws-federation-1.2-spec-ed-01.doc

According to the depiction III.9.3 of Sign-Out, the IP redirects a browser to clean-up at one service provider and then, once complete, redirects a browser to clean-up at the next service provider. This diagram depicts sequential, not parallel, sign-out, even though section 4.2 states that the parallel approach SHOULD be used for sign-out. The same depiction also indicates some sort of reply being sent from service providers indicating clean-up complete, while in section 4 of the document (first paragraph) there is a statement about sign-out being a one-way message without any reply.

Now to expand on ISSUE i008. There were really three points there:

- (1) Identity provider should be certain (as much as possible with a stateless protocol framework) that sign-out requests sent to service providers were processed successfully.
  In the proposed architecture sign-out is a one-way message. Therefore it is not possible to provide a confirm/reply that the session is terminated. I would argue that sign-out should have a reply indicating successful session termination. Some parameter should specify to the requestor that the cleanup is completed at the service provider.

- (2) Priority of sign-out was the second point.
  I will withdraw the priority request from the issue once I get confirmation on my clarification above that parallel sign-out is being used, not sequential sign-out. If parallel sign-out is used, prioritizing does not add any value.

- (3) Informing the user about completed sign-out.
  Once the Identity Provider receives success sign-out replies from service providers (1), the IP should be able to indicate to a passive requestor that sign-out was completed. If some service providers did not return a success reply to a sign-out request, a user should be presented with that information as well. I realize that this may be beyond the scope of the specification, but it is not possible without (1).

From: Greg Carpenter [mailto:gregcarp@microsoft.com]

Hi Paul,

As a Secretary and Issues List Editor of the WSFED TC I’m contacting you to convey the TC’s request for clarification regarding issue i008 (http://docs.oasis-open.org/wsfed/issues/Issues.xml#i008). In order for the TC to adequately understand and process this issue we need more information, preferably in the form of a specific proposal documenting what is needed to implement the features you mention in the issue.

Best Regards,
-greg