SOAP SLO handler: what would it be used for?

Wessel, Keith kwessel at
Wed Apr 16 14:39:42 EDT 2014

Thanks, Tom and Scott. Looks like we can get rid of five, not just four, endpoints.

BTW, Tom, your page looks like good advice. Might want to further quantify your statement about not supporting SOAP endpoints, though, by making ECP the exception. I'm sure the researchers on this list would want to encourage any new IDP to support ECP out of the gate.


-----Original Message-----
From: users-bounces at [mailto:users-bounces at] On Behalf Of Tom Scavo
Sent: Wednesday, April 16, 2014 12:48 PM
To: Shib Users
Subject: Re: SOAP SLO handler: what would it be used for?

On Wed, Apr 16, 2014 at 1:07 PM, Wessel, Keith <kwessel at> wrote:
> We’ve decided, since nobody’s using it, to get rid of back-channel 
> handler support on our IDP.

That's good news. Your metadata (and your configuration) will be greatly simplified.

> I encourage others to consider this route.

Indeed. For new IdPs, it's mostly a no-brainer. Here are some preliminary thoughts on this issue:

Those recommendations have not yet been vetted, however, so take them with a grain of salt. If anyone has comments or suggestions, I'd like to hear them.

> I’m planning to remove the SAML1 and 2 attribute query and artifact 
> resolution endpoints from published metadata, local metadata, and 
> handler.xml.
> Looks like /idp/profile/SAML2/SOAP/SLO also uses back channel 
> communications… and we can turn that off, too. I’m just curious, 
> though, what would be a use case for a SOAP SLO call? 
> Non-interactively terminating a user’s session?

An inbound SOAP-based SLO endpoint doesn't seem to be very useful.
However, outbound SOAP-based SLO is what's being implemented in v3, if I recall. If that's right, this means SPs will expose a SOAP endpoint for this purpose.

> I assume that the SOAP SLO call uses a similar security model to 
> artifact resolution and attribute queries and thus should be turned 
> off if we’re turning off the others. Is that correct?

AFAICT, yes.

> And finally, does ECP not use this security model? Looks like we have 
> that running on 443, so I assume it’s not using a cert from metadata. 
> Is that right?

Someone else needs to answer definitively, but yes, I think you're right, ECP is the exception.

To unsubscribe from this list send an email to users-unsubscribe at

More information about the users mailing list