Tom Scavo trscavo at
Wed Apr 16 13:48:06 EDT 2014

On Wed, Apr 16, 2014 at 1:07 PM, Wessel, Keith <kwessel at> wrote:
> We’ve decided, since nobody’s using it, to get rid of back-channel handler
> support on our IDP.

That's good news. Your metadata (and your configuration) will be
greatly simplified.

> I encourage others to consider this route.

Indeed. For new IdPs, it's mostly a no-brainer. Here are some
preliminary thoughts on this issue:

Those recommendations have not yet been vetted, however, so take them
with a grain of salt. If anyone has comments or suggestions, I'd like
to hear them.

> I’m planning to remove the SAML1 and 2 attribute query and artifact
> resolution endpoints from published metadata, local metadata, and
> handler.xml.
> Looks like /idp/profile/SAML2/SOAP/SLO also uses back channel
> communications… and we can turn that off, too. I’m just curious, though,
> what would be a use case for a SOAP SLO call? Non-interactively terminating
> a user’s session?

An inbound SOAP-based SLO endpoint doesn't seem to be very useful.
However, outbound SOAP-based SLO is what's being implemented in v3, if
I recall. If that's right, this means SPs will expose a SOAP endpoint
for this purpose.

> I assume that the SOAP SLO call uses a similar security model to artifact
> resolution and attribute queries and thus should be turned off if we’re
> turning off the others. Is that correct?

AFAICT, yes.

> And finally, does ECP not use this security model? Looks like we have that
> running on 443, so I assume it’s not using a cert from metadata. Is that
> right?

Someone else needs to answer definitively, but yes, I think you're
right, ECP is the exception.
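As an added example (not code from this thread, from Tom or Keith, or from the Shibboleth project), the filter below does the published-metadata side of what Keith describes: it strips the SOAP-bound AttributeService, ArtifactResolutionService and SingleLogoutService endpoints, which are the ones that rely on the back-channel security model, and leaves everything else. The entityID, hostnames and the sample metadata are constructed for illustration. Two details a practitioner will want: the SOAP-bound SingleSignOnService is the ECP endpoint and is kept, in line with "ECP is the exception" above; and once every AttributeService is gone the AttributeAuthorityDescriptor is no longer schema-valid (the schema requires at least one), so the whole role is dropped. handler.xml and any local copy of the IdP's own metadata still need the matching edits by hand.

```python
"""Remove back-channel (SOAP-bound) endpoints from Shibboleth IdP metadata.

Added example for the thread above; it is not code from the original post
or from the Shibboleth project.  The entityID, hostnames and metadata below
are constructed for illustration.
"""
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
ET.register_namespace("md", MD)  # keep the md: prefix in the rewritten output

# SAML binding URIs that mean the SP opens a direct connection to the IdP.
SOAP_BINDINGS = {
    "urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding",  # SAML 1.x
    "urn:oasis:names:tc:SAML:2.0:bindings:SOAP",          # SAML 2.0
}

# Endpoint elements that use the back-channel security model (the SP is
# authenticated with the certificate published in its metadata).
# SingleSignOnService is deliberately NOT listed: its SOAP-bound form is the
# ECP endpoint, which the thread identifies as the exception to keep.
BACK_CHANNEL_ELEMENTS = {
    "AttributeService",
    "ArtifactResolutionService",
    "SingleLogoutService",
}

ENTITY = "{%s}EntityDescriptor" % MD
AA_ROLE = "{%s}AttributeAuthorityDescriptor" % MD


def _local(tag):
    """'{ns}Name' -> 'Name'."""
    return tag.rsplit("}", 1)[-1]


def strip_back_channel(metadata_xml):
    """Return (rewritten metadata string, list of removed endpoint Locations).

    Accepts either a single EntityDescriptor or an EntitiesDescriptor.
    """
    root = ET.fromstring(metadata_xml)
    entities = [root] if root.tag == ENTITY else list(root.iter(ENTITY))
    removed = []
    for entity in entities:
        for role in list(entity):
            for ep in list(role):
                if (_local(ep.tag) in BACK_CHANNEL_ELEMENTS
                        and ep.get("Binding") in SOAP_BINDINGS):
                    removed.append(ep.get("Location"))
                    role.remove(ep)
            # The metadata schema requires at least one AttributeService in an
            # AttributeAuthorityDescriptor, so a role emptied of them must be
            # dropped entirely or the published metadata becomes invalid.
            if role.tag == AA_ROLE and role.find("md:AttributeService", {"md": MD}) is None:
                entity.remove(role)
    return ET.tostring(root, encoding="unicode"), removed


def endpoints(metadata_xml):
    """List (element, Binding, Location) for every endpoint still advertised."""
    root = ET.fromstring(metadata_xml)
    return [(_local(e.tag), e.get("Binding"), e.get("Location"))
            for e in root.iter() if e.get("Binding") and e.get("Location")]


# Constructed sample: a typical IdP v2 layout with back-channel endpoints on
# port 8443 and the front-channel (and ECP) endpoints on 443.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idp.example.org/idp/shibboleth">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol urn:oasis:names:tc:SAML:1.1:protocol">
    <md:ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding" Location="https://idp.example.org:8443/idp/profile/SAML1/SOAP/ArtifactResolution" index="1"/>
    <md:ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://idp.example.org:8443/idp/profile/SAML2/SOAP/ArtifactResolution" index="2"/>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://idp.example.org:8443/idp/profile/SAML2/SOAP/SLO"/>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://idp.example.org/idp/profile/SAML2/Redirect/SLO"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://idp.example.org/idp/profile/SAML2/Redirect/SSO"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://idp.example.org/idp/profile/SAML2/SOAP/ECP"/>
  </md:IDPSSODescriptor>
  <md:AttributeAuthorityDescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AttributeService Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding" Location="https://idp.example.org:8443/idp/profile/SAML1/SOAP/AttributeQuery"/>
    <md:AttributeService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://idp.example.org:8443/idp/profile/SAML2/SOAP/AttributeQuery"/>
  </md:AttributeAuthorityDescriptor>
</md:EntityDescriptor>
"""

if __name__ == "__main__":
    new_xml, gone = strip_back_channel(SAMPLE_METADATA)
    for loc in gone:
        print("removed:", loc)
    for element, binding, loc in endpoints(new_xml):
        print("kept:   ", element, binding.rsplit(":", 1)[-1], loc)
```

The filter keys on element name and binding rather than on port, because the 8443-vs-443 split is only a convention; what actually matters is whether the endpoint is one that authenticates the SP with the certificate from its metadata. Run the result through your usual metadata validation before publishing it, since the script only guarantees the one structural fix it knows about (the emptied AttributeAuthorityDescriptor).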


