shibboleth-dev - RE: [Shib-Dev] Frames/cookies question

Subject: Shibboleth Developers

  • From: "Scott Cantor" <>
  • To: <>
  • Subject: RE: [Shib-Dev] Frames/cookies question
  • Date: Mon, 7 Dec 2009 20:06:54 -0500
  • Organization: The Ohio State University

Adam Lantos wrote on 2009-12-07:
> I understand that this is mostly a theoretical problem, but how many
> support requests are considered good enough per 50000 logouts? :)

At 200,000 logins per day, it doesn't take more than 1 out of 50000 to be
completely impractical.

> Both sides should be as robust as they could be. If you remove
> front-channel bindings from the SP, your SP wouldn't be interoperable
> with frontchannel-only IdPs and lose exponentially more users than the
> cookie-problem would ever mean. Even if it's against the specs, it seems
> that preferring back-channel is the best thing the IdP can do if it
> wants to deal with cookie problems. But this is just my two cents...

What is the use case for an IdP not supporting back channel from its end to
notify SPs? The initial contact SP->IdP can be (should be?) front-channel, of
course.

The reason that front-channel exists is for SPs (and IdPs of course) that
require the session cookie. We can't use a default UI that doesn't guarantee
that and get a good outcome.

-- Scott




