SLO observations

Cantor, Scott cantor.2 at osu.edu
Wed Feb 24 10:16:23 EST 2016


> In my opinion, it would be useful if Shibboleth could render a 'You have
> logged out from SP1' kind of message above the 'Would you like to attempt
> to log out of all services ....?' question.

That I think we should be able to do if you file an RFE, but I don't really imagine that SAML logout will be the common way this gets initiated anyway. I think you probably could code it into the template now, it's just adding information derived from the context tree.

> By checking the log, it looks to me that Shibboleth SLO flow destroys the IdP
> session before the user clicks Yes/No. Is this on purpose?

Yes.
 
> From my point of view, it would be better to terminate the IdP session
> depending on the user's Yes/No answer. The current implementation might
> be confusing from a user point of view, and also for SP operators.

I think you are hopelessly optimistic if you think any of this is workable or will ever not be confusing, but since I believe all the answers are bad, I don't really favor any particular one over another.

What you're asking for here would be a breaking change in behavior, so the configuration would get more complex to accommodate it, determining what Yes/No actually means.

It also won't get looked at if issues aren't filed.

-- Scott


