Shibboleth Developers

[Adam Lantos <>]

On Mon, Dec 7, 2009 at 9:16 PM, Scott Cantor 
<>
 wrote:
> Scott Cantor wrote on 2009-12-07:
>> A clean FF on Windows works, so I need to go back and do some additional
>
> False alarm. What works is FF with third party cookies, and that happens to 
> be the default. It's nothing to do with any plugins, I used a fresh install 
> with none added, but did have to change the privacy settings to break it.
>
> You all can have a debate about whether that matters or not, I suppose, but 
> all I was after is factual data, not answering the larger questions.
>
> Another interesting point is that Safari on Windows has different behavior 
> than FF in that it will *send* pre-existing third party cookies to a site 
> but not change them. So you can get logout to work because it will send the 
> SP session cookie that's set outside the frame, but the SP can't actually 
> clear the cookie during the logout.
>
> I will put a page together somewhere that starts to document this stuff in 
> a matrix because it's a mess.

That'd be really useful!
If the SP doesn't receive the session cookie, shouldn't it try to look
it up by the NameID/SessionIndex in the LogoutRequest, as it does on
the back-channel path?

> Adam, I appreciate you tweaking the demo, it filled in some gaps for me.
>
> -- Scott
>
>
>