
shibboleth-dev - RE: [Shib-Dev] Frames/cookies question

Subject: Shibboleth Developers

  • From: "Scott Cantor" <>
  • To: <>
  • Subject: RE: [Shib-Dev] Frames/cookies question
  • Date: Mon, 7 Dec 2009 17:11:30 -0500
  • Organization: The Ohio State University

Adam Lantos wrote on 2009-12-07:
> Right, that makes sense if the sessions didn't match, but the logout
> would also invalidate the cookie itself, so I don't see any point in
> aborting when no session was found (with the default logoutrequest
> signing requirement, at least). Of course front-channel app
> notification would be broken in this case.

Which is the whole (only?) point in using the front channel. Front channel
means "the user is present" and back channel means "the user is not present".
I wanted there to be a clear distinction between them.

> Well, at least the IdP side should have a prefer-back-channel switch
> to control this behavior :)

That would violate the profile. Front channel MUST be favored. I think that
applies in both directions because of the proxying that can go on.

The SP can and should make sure it exposes the endpoints it needs to. If it
doesn't need front-channel, it shouldn't support it. That's part of the
profile assumption, and is one of the reasons I implemented it this way.

-- Scott




