shibboleth-dev - Re: [Shib-Dev] Steps towards SLO
Subject: Shibboleth Developers
List archive
- From: Chad La Joie <>
- To:
- Subject: Re: [Shib-Dev] Steps towards SLO
- Date: Wed, 15 Jul 2009 17:11:19 +0200
- Organization: SWITCH
Kristof BAJNOK wrote:
2. Treating NameID as a normal attribute is an issue, because you have to resolve all the attributes to the user to get the NameIDs for different SPs. Adam suggests storing the NameID (and SessionIndex) into the user's session.
This will always be true. Putting in the Session, which I do agree is a good idea, doesn't get around that, its just a means of caching the value.
3. Because back-channel requests may be blocked for a longer period of time, we need to ensure all logout code is reentrant.
There are a number of issues related to this, reentrant code is only one of them.
4. For front-channel bindings we need to store logout contexts in StorageService. This context would store all SPs and corresponding NameID/SessionIndex values and the global status of the logout process as well. It needs to be looked up by each issued logout request SAML message ID, because LogoutResponse does not carry any other information, just the InResponseTo. We also need to set timeouts for the logout process.
You can do all of that and the profile handlers have access to the storage service.
PS: I think there is one serious concern about SLO which is not mentioned in [[SLOIssues]]. The SP's session can well outlive the IdP session (or wherever the user's nameIDs are stored). This results in logging out from fewer SPs than the user is actually logged in -- despite it is a Success. On the other hand the IdP cannot store the association forever. If the SP session could be limited to be shorter than the IdP session, that would be sufficient, but AFAIK there is no limit in the SP session lifetime provided that there is regular user activity.
No, if the IdP tells the SP to logout and the SP doesn't destroy the session then the SP needs to report back that the logout failed. If the SP doesn't perform according to the spec there isn't anything we can do about it. If the session is already destroyed I think the SP is simply supposed to respond with "Success".
--
SWITCH
Serving Swiss Universities
--------------------------
Chad La Joie, Software Engineer, Net Services
Werdstrasse 2, P.O. Box, 8021 Zürich, Switzerland
phone +41 44 268 15 75, fax +41 44 268 15 68
,
http://www.switch.ch
- Steps towards SLO, Kristof BAJNOK, 07/15/2009
- Re: [Shib-Dev] Steps towards SLO, Chad La Joie, 07/15/2009
- Re: [Shib-Dev] Steps towards SLO, Adam Lantos, 07/15/2009
- RE: [Shib-Dev] Steps towards SLO, Scott Cantor, 07/15/2009
- Re: [Shib-Dev] Steps towards SLO, Kristof BAJNOK, 07/15/2009
- RE: [Shib-Dev] Steps towards SLO, Scott Cantor, 07/15/2009
- Re: [Shib-Dev] Steps towards SLO, Peter Schober, 07/15/2009
- RE: [Shib-Dev] Steps towards SLO, Scott Cantor, 07/15/2009
- Re: [Shib-Dev] Steps towards SLO, Peter Schober, 07/16/2009
- RE: [Shib-Dev] Steps towards SLO, Scott Cantor, 07/16/2009
- Re: [Shib-Dev] Steps towards SLO, Peter Schober, 07/16/2009
- RE: [Shib-Dev] Steps towards SLO, Scott Cantor, 07/15/2009
- Re: [Shib-Dev] Steps towards SLO, Kristof BAJNOK, 07/15/2009
- RE: [Shib-Dev] Steps towards SLO, Scott Cantor, 07/15/2009
- Re: [Shib-Dev] Steps towards SLO, Adam Lantos, 07/15/2009
- Re: [Shib-Dev] Steps towards SLO, Chad La Joie, 07/15/2009
Archive powered by MHonArc 2.6.16.