Synchronous SAML SLO

Martin Haase Martin.Haase at DAASI.de
Thu Dec 8 11:49:22 EST 2016


Hi Scott, hi Peter,

thanks for your reply, highly appreciated as always!

Do you think a Feature Request for an IdP option to not propagate? Or to
propagate to the visited subset of some fixed set of SPs?

Regards
Martin


On 08.12.2016 at 16:19, Cantor, Scott wrote:
>> If there was only one SP, couldn't the IdP return control to the
>> initiating SP?
> That's just inconsistent for users, and it's an edge case anyway; there is almost always more than one.
>
>> Or actually, wouldn't a feature idp.logout.dontpropagate
>> make sense? I can imagine many SPs that want to terminate their and the
>> IdP's session, but cannot speak for other SPs.
> I don't think it's the SP's business what happens to sessions with other SPs, and there is no way to signal that anyway.
>
> There are many things people want the logout feature to do differently and some of them may or may not eventually get done and others are entirely up to the deployer to modify the templates to do, but those are IdP changes.
>
> But an option not to propagate is not up to the SP, it's up to the deployer of the IdP, as is where the user ends up. Not least because there is no way to control any of this in the standard. If there's no propagation, then a full frame response is a possibility and if and when we implement such a thing, I'm sure that could be one of the options. But an SP could never count on it happening because the SP doesn't control the IdP, so it serves no real purpose.
>
> -- Scott
>

-- 
Dr. Martin Haase, Solutions Engineer

DAASI International GmbH        
Europaplatz 3                   
D-72072 Tübingen                
Germany                    

phone: +49 7071 407109-0
fax:   +49 7071 407109-9  
email: martin.haase at daasi.de
web:   www.daasi.de

Registered office: Tübingen
Register court: Amtsgericht Stuttgart, HRB 382175
Management: Peter Gietz

