Skip to Content.
Sympa Menu

shibboleth-dev - RE: [Shib-Dev] Frames/cookies question

Subject: Shibboleth Developers

List archive

RE: [Shib-Dev] Frames/cookies question


Chronological Thread 
  • From: "Scott Cantor" <>
  • To: <>
  • Subject: RE: [Shib-Dev] Frames/cookies question
  • Date: Mon, 7 Dec 2009 17:47:21 -0500
  • Organization: The Ohio State University

Adam Lantos wrote on 2009-12-07:
> Okay, but the IdP can not decide whether the browser blocks those
> cookies or not. If the SP could just fall back and use the information
> in the LogoutRequest, blocked cookies were no longer an issue

Acually, it is probably possible to detect that kind of thing in some cases
ahead of time so you can drop a local cookie indicating whether the support
is available.

But my underlying purpose was to demonstrate that frames may not be an
appropriate solution here. I didn't want to rathole on it, but it just
doesn't work when people use perfectly reasonable privacy settings. I
suspected this when I started this testing, and now I know I was right.

What has never been clear to me about SLO is whether one can architect a
generic solution that allows people to plug different UIs in front of it.
It's one thing to say "use the frames solution if you're ok breaking when
X/Y/Z is used", but it's another to say "and if you need a different UI, the
whole SLO framework changes and you'll have to write all new code".

Secondly, blocked cookies *are* an issue if the SP needs the user's session.
If you don't need the user to be present, then you don't need to do front
channel logout and you don't have a problem to begin with.

> (maybe front-channel notification should be extended to convey session index
> to the application, so in theory it could invalidate user session like
> in the back-channel case, but without the SOAP requirement - restful
> notifications, anyone?).

I'm not going to start putting NameIDs onto URLs, not only because it's ugly,
but also for privacy reasons.

> I agree that in the blocked cookie case, normal, "per-spec" logout
> would be impossible, but maybe we can make it work somehow in most of
> the cases.

"Most" just isn't that interesting to me. I guess this is where the pro- and
con-logout arguments tend to end up.

> On second thought, if frontchannel binding gave us SAML error
> response, the IdP could try back-channel. That's something I can do
> about this issue.

You can, I suppose, but such an SP would essentially have incorrect metadata
and that's what you're coding around.

-- Scott





Archive powered by MHonArc 2.6.16.

Top of Page