shibboleth-dev - Re: [Shib-Dev] Frames/cookies question

Subject: Shibboleth Developers

  • From: Adam Lantos <>
  • To:
  • Subject: Re: [Shib-Dev] Frames/cookies question
  • Date: Mon, 7 Dec 2009 23:03:19 +0100

On Mon, Dec 7, 2009 at 10:35 PM, Scott Cantor
<>
wrote:
> Adam Lantos wrote on 2009-12-07:
>>> I will put a page together somewhere that starts to document this stuff in
>>> a matrix because it's a mess.
>>
>> That'd be really useful!
>
> It's here:
> https://spaces.internet2.edu/display/SHIB2/BrowserBehaviorMatrix
>
> I haven't added much yet, but I'll add all the Windows versions I have once
> I complete the more detailed tests.
>
>> If the SP doesn't receive the session cookie, shouldn't it try to look
>> it up by the NameID/SessionIndex in the LogoutRequest, as it does on
>> the back-channel path?
>
> The standard doesn't say, but my feeling is that if you can deploy SLO
> without the session cookie, you should do it backchannel anyway. My code
> assumes that a front channel attempt is only valid if the session it
> retrieves matches the LogoutRequest.

Right, that makes sense if the sessions didn't match, but the logout
would also invalidate the cookie itself, so I don't see any point in
aborting when no session was found (with the default logoutrequest
signing requirement, at least). Of course front-channel app
notification would be broken in this case.

Well, at least the IdP side should have a prefer-back-channel switch
to control this behavior :)


> From the point of view of the SP itself, front-channel isn't actually
> needed, and I could make that the default, but I believe that few apps will
> ever support that. Apps just don't implement that kind of session indexing.
>
> -- Scott
>
>
>
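
The two front-channel policies discussed in this message, as an added example that is not Shibboleth SP code and was not posted by either participant. It is a simplified model: the session store, the `lookup_without_cookie` switch and all names are hypothetical, and `signature_verified` stands in for signature validation performed elsewhere.

```python
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class Session:
    key: str            # value carried in the SP session cookie
    name_id: str
    session_index: str


@dataclass(frozen=True)
class LogoutRequest:
    name_id: str
    session_index: str
    signature_verified: bool  # result of signature validation done elsewhere


def front_channel_logout(sessions: Dict[str, Session], cookie: Optional[str],
                         req: LogoutRequest, lookup_without_cookie: bool = False) -> str:
    """Return 'logged-out' or 'aborted:<reason>'; removes the session on success."""
    # Models the default signing requirement mentioned in the reply.
    if not req.signature_verified:
        return "aborted:unsigned-request"
    wanted = (req.name_id, req.session_index)
    session = sessions.get(cookie) if cookie else None
    if session is not None:
        # Quoted behaviour: the session retrieved via the cookie must be the
        # one the LogoutRequest names.
        if (session.name_id, session.session_index) != wanted:
            return "aborted:session-mismatch"
    elif not lookup_without_cookie:
        return "aborted:no-session"
    else:
        # Alternative raised in the reply: locate the session from the request,
        # as on the back channel. No cookie ties the request to this browser,
        # so the verified signature is the only thing authenticating it.
        session = next((s for s in sessions.values()
                        if (s.name_id, s.session_index) == wanted), None)
        if session is None:
            return "aborted:no-session"
    del sessions[session.key]
    return "logged-out"


def demo_sessions() -> Dict[str, Session]:
    # Constructed sample data.
    return {"c1": Session("c1", "alice", "idx-1"), "c2": Session("c2", "bob", "idx-2")}
```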


