
shibboleth-dev - RE: [Shib-Dev] Frames/cookies question

Subject: Shibboleth Developers

  • From: "Scott Cantor" <>
  • To: <>
  • Subject: RE: [Shib-Dev] Frames/cookies question
  • Date: Mon, 7 Dec 2009 16:35:42 -0500
  • Organization: The Ohio State University

Adam Lantos wrote on 2009-12-07:
>> I will put a page together somewhere that starts to document this stuff in
>> a matrix because it's a mess.
>
> That'd be really useful!

It's here:
https://spaces.internet2.edu/display/SHIB2/BrowserBehaviorMatrix

I haven't added much yet, but I'll add all the Windows versions I have once I
complete the more detailed tests.

> If the SP doesn't receive the session cookie, shouldn't it try to look
> it up by the NameID/SessionIndex in the LogoutRequest, as it does on
> the back-channel path?

The standard doesn't say, but my feeling is that if you can deploy SLO
without the session cookie, you should do it backchannel anyway. My code
assumes that a front channel attempt is only valid if the session it
retrieves matches the LogoutRequest.

From the point of view of the SP itself, front-channel isn't actually needed,
and I could make that the default, but I believe that few apps will ever
support that. Apps just don't implement that kind of session indexing.

-- Scott
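
The front-channel rule described in the message above, next to the back-channel lookup, as an added example that is not part of the original message and not Shibboleth's code. The `SessionCache`, `Session`, `LogoutRequest` and `Result` names are hypothetical, the sample data is constructed, and a request is simplified to carry at most one SessionIndex.

```cpp
#include <cstddef>
#include <map>
#include <string>
#include <utility>

// Hypothetical model, not Shibboleth's types. An empty sessionIndex in a
// request means "every session for this NameID" (simplified to at most one).
struct Session { std::string nameID, sessionIndex; };
struct LogoutRequest { std::string nameID, sessionIndex; };
enum class Result { Success, NoSession, Mismatch };

class SessionCache {
    std::map<std::string, Session> byCookie_;  // cookie value -> session
    static bool matches(const Session& s, const LogoutRequest& r) {
        return s.nameID == r.nameID &&
               (r.sessionIndex.empty() || r.sessionIndex == s.sessionIndex);
    }
public:
    void insert(const std::string& cookie, Session s) { byCookie_[cookie] = std::move(s); }
    bool contains(const std::string& cookie) const { return byCookie_.count(cookie) != 0; }

    // Front channel: the cookie selects the session, and the request is
    // honoured only if that session is the one named in the LogoutRequest.
    Result frontChannelLogout(const std::string* cookie, const LogoutRequest& r) {
        if (!cookie) return Result::NoSession;  // browser withheld the cookie
        auto it = byCookie_.find(*cookie);
        if (it == byCookie_.end()) return Result::NoSession;
        if (!matches(it->second, r)) return Result::Mismatch;  // session untouched
        byCookie_.erase(it);
        return Result::Success;
    }

    // Back channel: no browser is involved, so sessions are found by
    // NameID/SessionIndex alone. Returns how many were ended.
    std::size_t backChannelLogout(const LogoutRequest& r) {
        std::size_t ended = 0;
        for (auto it = byCookie_.begin(); it != byCookie_.end();) {
            if (matches(it->second, r)) { it = byCookie_.erase(it); ++ended; }
            else ++it;
        }
        return ended;
    }
};

int main() {
    SessionCache c;
    c.insert("cookie-1", Session{"alice", "idx-1"});    // constructed sample data
    LogoutRequest req{"alice", "idx-1"};
    Result front = c.frontChannelLogout(nullptr, req);  // cookie withheld
    std::size_t back = c.backChannelLogout(req);        // indexed lookup still works
    return (front == Result::NoSession && back == 1) ? 0 : 1;
}
```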




