SLO amongst sessions established through different SSO protocols

From Project Concordia


Use case description

Based on a single authentication at his IdP, Joe is able to SSO to multiple SP/RPs, the IdP in principle using a different SSO protocol for each RP. After some time Joe, while at RP1, decides to log out and indicates to the RP that he desires all his other sessions be terminated as well.

So, what is the IdP to do? If a session was established through a protocol that supports SLO, the IdP has a message to send; what if it was established through one that does not?

1. Does the RP know (i.e. have a way) how to tell the IdP the user wants a global logout?
2. Does the IdP know (i.e. have a way) how to tell the RPs the user is logged out?

SAML says

'the session authority SHOULD send a <LogoutRequest> message to each session participant to which it provided assertions containing authentication statements under its current session with the principal'

Could it be argued that this processing rule transcends protocols, and should oblige a SAML IdP (session authority) to send equivalent messages to any and all RPs, irrespective of which protocol was used to establish a session there? Where the protocol used for a given RP defines no logout message at all, there is no equivalent message to send, so at best the IdP can tell the initiating RP that the logout was only partial.
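One way a session authority could apply this rule across protocols, as an added example that is not Project Concordia's code nor anything taken from the SAML specification: the IdP records, per principal, every RP it issued an assertion to, together with the protocol used and (if that protocol has one) a logout endpoint. On a global logout started at RP1 it emits a LogoutRequest to every other participant it can reach, and reports the rest back to RP1 as a partial logout using the SAML 2.0 PartialLogout second-level status code. The entity IDs, endpoints and the choice of OpenID 2.0 as a protocol with no logout message are assumptions made for this illustration.

```python
"""Added example (not Project Concordia's code): a session authority's
global-logout dispatcher for sessions established via different SSO protocols.
Entity IDs, endpoints and the protocol labels below are constructed for the
illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional
import uuid

# SAML 2.0 second-level status codes returned to the RP that initiated logout.
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
STATUS_PARTIAL = "urn:oasis:names:tc:SAML:2.0:status:PartialLogout"


@dataclass
class Participant:
    """One RP/SP to which the IdP issued an assertion with an authn statement."""
    entity_id: str
    protocol: str                   # protocol used to establish the session there
    logout_endpoint: Optional[str]  # None when that protocol has no logout message
    session_index: str              # IdP-side session identifier given to this RP


@dataclass
class LogoutOutcome:
    requests: List[dict] = field(default_factory=list)  # LogoutRequests emitted
    unreachable: List[str] = field(default_factory=list)  # RPs we cannot notify
    response_status: str = STATUS_SUCCESS  # status in the LogoutResponse to initiator


class SessionAuthority:
    def __init__(self, entity_id: str):
        self.entity_id = entity_id
        # principal -> participants of the principal's current IdP session
        self._sessions: Dict[str, List[Participant]] = {}

    def record_sso(self, principal: str, protocol: str, rp: str,
                   logout_endpoint: Optional[str]) -> str:
        """Remember every RP the principal was SSO'd to, whatever the protocol."""
        index = uuid.uuid4().hex
        self._sessions.setdefault(principal, []).append(
            Participant(rp, protocol, logout_endpoint, index))
        return index

    def global_logout(self, principal: str, initiator: str) -> LogoutOutcome:
        """Apply the SAML processing rule to every session participant.

        The initiating RP gets a LogoutResponse rather than a LogoutRequest.
        Every other participant gets a LogoutRequest if its protocol gave us
        an endpoint to send one to; the rest are listed as unreachable and the
        status to the initiator is downgraded to PartialLogout.
        """
        outcome = LogoutOutcome()
        # The IdP's own session ends regardless of what the RPs can be told.
        participants = self._sessions.pop(principal, [])
        for p in participants:
            if p.entity_id == initiator:
                continue
            if p.logout_endpoint is None:
                outcome.unreachable.append(p.entity_id)
                continue
            outcome.requests.append({
                "message": "LogoutRequest",
                "ID": "_" + uuid.uuid4().hex,
                "Issuer": self.entity_id,
                "Destination": p.logout_endpoint,
                "NameID": principal,
                "SessionIndex": p.session_index,
                "protocol": p.protocol,
            })
        if outcome.unreachable:
            outcome.response_status = STATUS_PARTIAL
        return outcome


def demo() -> LogoutOutcome:
    """Joe's scenario from the use case, with constructed entity IDs."""
    idp = SessionAuthority("https://idp.example")
    idp.record_sso("joe", "SAML2", "https://rp1.example", "https://rp1.example/slo")
    idp.record_sso("joe", "SAML2", "https://rp2.example", "https://rp2.example/slo")
    # Assumed: RP3's session was set up with a protocol that defines no logout
    # message (OpenID 2.0 is used as the label here).
    idp.record_sso("joe", "OpenID2.0", "https://rp3.example", None)
    # Joe logs out at RP1 and asks for a global logout.
    return idp.global_logout("joe", initiator="https://rp1.example")


if __name__ == "__main__":
    out = demo()
    for req in out.requests:
        print("LogoutRequest ->", req["Destination"], "via", req["protocol"])
    print("not notified:", out.unreachable)
    print("status to initiator:", out.response_status)
```

The point of the example is the `unreachable` list: a session authority that only tracks SAML participants would silently leave RP3 logged in, whereas tracking every participant regardless of protocol at least lets it answer the initiating RP honestly with PartialLogout.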

Workflows

Additional information and related work

George post - Identity Meta-System SSO

Related events

Contacts and contributors

Questions

  • DavidRecordon: Is it a design decision within SAML that a user could initiate SLO from any RP versus only at their IDP?
    • ScottCantor: It's a design decision to address that option in the standard. What users can or cannot do is as always up to deployers.
  • EricNorman: It seems to me that a user should be able to initiate logout actions from their identity selector/agent.