
Subject: FW: Request for clarification of WSFED issue i008 - Sign-out notification and priority (on behalf of the WSFED TC)


 

From: Paul.Lesov@wellsfargo.com [mailto:Paul.Lesov@wellsfargo.com]
Sent: Thursday, July 05, 2007 12:05 PM
To: Greg Carpenter
Cc: mikemci@us.ibm.com; Chris Kaler; abbieb@nortel.com; mkaiser@us.ibm.com
Subject: RE: Request for clarification of WSFED issue i008 - Sign-out notification and priority (on behalf of the WSFED TC)

 

 

Firstly, I would like to clarify on the specification documentation (ws-federation-1.2-spec-ed-01.doc). http://www.oasis-open.org/apps/org/workgroup/wsfed/download.php/24422/ws-federation-1.2-spec-ed-01.doc

 

According to the depiction III.9.3 of Sign-Out, the IP redirects a browser to clean-up at one service provider and then, once complete, redirects a browser to clean-up at the next service provider. This diagram depicts sequential, not parallel, sign-out, even though section 4.2 states that a parallel approach SHOULD be used for sign-out. The same depiction also indicates some sort of reply being sent from service providers indicating clean-up complete, while in section 4 of the document (first paragraph) there is a statement about sign-out being a one-way message without any reply.

 

Now to expand on ISSUE i008

 

There were really three points there:

 

- (1) The Identity Provider should be certain (as much as possible with a stateless protocol framework) that sign-out requests sent to service providers were processed successfully.

   

    In the proposed architecture, sign-out is a one-way message. Therefore it is not possible to provide a confirm/reply that the session is terminated. I would argue that sign-out should have a reply indicating successful session termination. Some parameter should specify to the requestor that the cleanup is completed at the service provider.

 

- (2) Priority of sign-out was the second point

     

    I will withdraw the priority request from the issue once I get confirmation on my clarification above that parallel sign-out is being used, not sequential sign-out. If parallel sign-out is used, prioritizing does not add any value.

 

- (3) Informing the user about completed sign-out.

    

    Once the Identity Provider receives success sign-out replies from service providers (1), the IP should be able to indicate to a passive requestor that sign-out was completed. If some service providers did not return a success reply to a sign-out request, a user should be presented with that information as well. I realize that this may be beyond the scope of the specification, but it is not possible without (1).

 

 


From: Greg Carpenter [mailto:gregcarp@microsoft.com]
Sent: Thursday, June 28, 2007 11:11 AM
To: Lesov, Paul
Cc: Michael McIntosh; Chris Kaler; Abbie Barbir; Mike Kaiser
Subject: Request for clarification of WSFED issue i008 - Sign-out notification and priority (on behalf of the WSFED TC)

Hi Paul,

 

As a Secretary and Issues List Editor of the WSFED TC, I’m contacting you to convey the TC’s request for clarification regarding issue i008 (http://docs.oasis-open.org/wsfed/issues/Issues.xml#i008). In order for the TC to adequately understand and process this issue, we need more information, preferably in the form of a specific proposal documenting what is needed to implement the features you mention in the issue.

 

Best Regards,

 

     -greg

 


