
Single Logout in Shibboleth IdP

341 bytes added, 5 January 2010, 16:46
== Our proposed solution ==
The SAML profiles specification (section 4.4.3.1) clearly states that a front-channel binding should be preferred when sending the LogoutRequest to the session authority (the IdP). If the user interface is generated by the IdP, it can inform the user about the whole logout process and about each SP's response. If the SP used a back-channel LogoutRequest instead, the IdP's response could only carry minimal information (i.e. success or failure), which is not desirable. The IdP would also have to issue its own back-channel requests to the other session participants in parallel and synchronize them with the originating request, which would make the processing code much more complex.
=== Our proposed technical solution ===
Our proposal is to prefer back-channel endpoints on the service provider side, unless the application behind the SP needs to be notified via the front-channel. For example:
* if the application behind your SP needs the session cookie together with the logout notification, publish only front-channel SingleLogoutService bindings in the SP metadata.
By publishing one of these mutually exclusive endpoint sets (back-channel only, or front-channel only), the SP clearly advises the IdP which binding to use when contacting this SP. Consequently, both implementations need to be available on the IdP side.
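The following is an added example written for this page, not Shibboleth IdP code: it shows how an IdP could read an SP's published SingleLogoutService endpoints and pick the LogoutRequest binding by the rule proposed above (back-channel if the SP publishes SOAP, front-channel otherwise, and a hard error when the SP mixes the two sets). The SP metadata fragments, entity IDs and endpoint URLs are constructed placeholders; only the binding URIs and the metadata namespace are the real SAML constants.

```python
"""
IdP-side choice of the SLO binding from an SP's metadata.

Illustrative helper for this page, not Shibboleth IdP source. The SP
metadata below is constructed; entity IDs and Location URLs are placeholders.
Real metadata from untrusted sources should go through a hardened XML parser;
the stdlib parser is used here only because the input is embedded and trusted.
"""
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
SOAP = "urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
# Front-channel bindings in the order this example prefers them.
FRONT_CHANNEL = (HTTP_REDIRECT, HTTP_POST)

# Constructed SP metadata: an SP that wants back-channel logout only.
BACK_CHANNEL_SP = f"""<md:EntityDescriptor xmlns:md="{MD_NS}"
    entityID="https://backend.example.org/shibboleth">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleLogoutService Binding="{SOAP}"
        Location="https://backend.example.org/Shibboleth.sso/SLO/SOAP"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed SP metadata: an SP whose application needs the session cookie,
# so it publishes front-channel endpoints only (POST listed first on purpose).
FRONT_CHANNEL_SP = f"""<md:EntityDescriptor xmlns:md="{MD_NS}"
    entityID="https://portal.example.org/shibboleth">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleLogoutService Binding="{HTTP_POST}"
        Location="https://portal.example.org/Shibboleth.sso/SLO/POST"/>
    <md:SingleLogoutService Binding="{HTTP_REDIRECT}"
        Location="https://portal.example.org/Shibboleth.sso/SLO/Redirect"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed SP metadata that violates the proposal by mixing both sets.
MIXED_SP = f"""<md:EntityDescriptor xmlns:md="{MD_NS}"
    entityID="https://mixed.example.org/shibboleth">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleLogoutService Binding="{SOAP}"
        Location="https://mixed.example.org/Shibboleth.sso/SLO/SOAP"/>
    <md:SingleLogoutService Binding="{HTTP_REDIRECT}"
        Location="https://mixed.example.org/Shibboleth.sso/SLO/Redirect"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def slo_endpoints(metadata_xml):
    """Return the (Binding, Location) pairs of every SingleLogoutService
    published under the SPSSODescriptor, in document order."""
    root = ET.fromstring(metadata_xml)
    path = f".//{{{MD_NS}}}SPSSODescriptor/{{{MD_NS}}}SingleLogoutService"
    return [(e.get("Binding"), e.get("Location")) for e in root.iterfind(path)]


def choose_logout_binding(metadata_xml):
    """Decide how the IdP should deliver the LogoutRequest to this SP.

    Returns ("back-channel", binding, location) or
    ("front-channel", binding, location). An SP publishing both kinds is
    rejected, because the proposal relies on the two sets being mutually
    exclusive; an SP with no SLO endpoint cannot take part in SLO at all.
    """
    endpoints = slo_endpoints(metadata_xml)
    back = [(b, loc) for b, loc in endpoints if b == SOAP]
    front = [(b, loc) for b, loc in endpoints if b in FRONT_CHANNEL]
    if back and front:
        raise ValueError("SP publishes both SOAP and front-channel SLO endpoints; "
                         "binding choice is ambiguous")
    if back:
        binding, location = back[0]
        return ("back-channel", binding, location)
    if front:
        # Among front-channel endpoints pick by the preference order above,
        # not by the order the SP happened to list them in.
        front.sort(key=lambda e: FRONT_CHANNEL.index(e[0]))
        binding, location = front[0]
        return ("front-channel", binding, location)
    raise ValueError("SP publishes no SingleLogoutService endpoint")


if __name__ == "__main__":
    for name, md in (("back-channel SP", BACK_CHANNEL_SP),
                     ("front-channel SP", FRONT_CHANNEL_SP),
                     ("mixed SP", MIXED_SP)):
        try:
            print(name, "->", choose_logout_binding(md))
        except ValueError as err:
            print(name, "-> rejected:", err)
```

The rejection of the mixed case is the practical check: if the IdP silently picked one binding for an SP that advertises both, the SP's intent would be lost and the application behind it might never see the notification it relies on.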
 
=== Non-technical solution ===
Another option would be to add a new requirement for your end users: declare that blocking third-party cookies is unsupported (because it breaks SLO), just as disabling all cookies is (because it breaks SSO). Convincing your users (and the Shibboleth developers) to accept this might be dubious, though.
== Features ==
