Changes

Single Logout in Shibboleth IdP

2,257 bytes added, 5 January 2010, 13:23
Important notes
== Important notes on third party cookies ==

In some browsers, the IFrame-driven front-channel logout does not work because the browser blocks [http://en.wikipedia.org/wiki/HTTP_cookie#Third-party_cookies third party cookies]. As of today, no browser blocks these cookies by default, but with higher privacy settings they do. Every cookie sent to a foreign domain is considered third party, so the session cookie of the SP software in a foreign domain is a third-party cookie when it is sent from within an IFrame. When these cookies are blocked, the SP does not receive its session cookie and may therefore stop processing the logout request at this point.

=== Why service providers might need the session cookie ===

Most services do not need the session cookie itself; they only need the NameIdentifier, which is carried by the logout request, so back-channel logout requests are enough for them. But there might be service providers which do not implement back-channel bindings (e.g. SimpleSAMLphp), or which need front-channel application notification.

=== Why not fully back-channel? ===

The SAML profiles specification (section 4.4.3.1) clearly states that front-channel should be preferred when sending the logout request to the session authority (IdP). If the user interface is generated by the IdP, it can inform the user about the whole logout process and about each SP's response. If the SP used a back-channel logout request, the IdP's response could only contain minimal information (i.e. success or failure), which is not desirable. Also, the IdP would need to execute the back-channel requests in parallel and synchronize them with the originating request, which would make the processing code much more complex.

=== Our proposed solution ===

Our proposal is to support back-channel endpoints at the service provider side and, if the application does not require front-channel notifications, to remove all front-channel logout endpoints from the metadata.

If the application must rely on the session cookie, and the SP supports both back- and front-channels, then the back-channel endpoint should be removed. With these mutually exclusive endpoint sets, the SP can clearly advise the IdP which binding it should use when contacting this SP.
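The rule above can be checked mechanically against a federation's metadata. The following is an added example (not code from the wiki page or from Shibboleth): it lists each SP's SingleLogoutService bindings and flags SPs that advertise both a SOAP (back-channel) and an HTTP (front-channel) endpoint, which leaves the IdP's binding choice ambiguous. Entity IDs and endpoint URLs are constructed.

```python
# Added example (not part of the wiki page): classify each SP in a metadata
# file by its SingleLogoutService bindings, following the "mutually exclusive
# endpoint sets" rule proposed above. All entity IDs and URLs are constructed.
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
SOAP = "urn:oasis:names:tc:SAML:2.0:bindings:SOAP"          # back-channel
FRONT = {"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect",
         "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"}  # front-channel

# Constructed sample: one back-channel-only SP, one front-channel-only SP, and
# one that advertises both, which leaves the IdP's binding choice ambiguous.
SAMPLE_METADATA = f"""<md:EntitiesDescriptor xmlns:md="{MD}">
  <md:EntityDescriptor entityID="https://back.example.org/sp">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:SingleLogoutService Binding="{SOAP}" Location="https://back.example.org/Shibboleth.sso/SLO/SOAP"/>
    </md:SPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://front.example.org/sp">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://front.example.org/Shibboleth.sso/SLO/Redirect"/>
    </md:SPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://both.example.org/sp">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:SingleLogoutService Binding="{SOAP}" Location="https://both.example.org/Shibboleth.sso/SLO/SOAP"/>
      <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://both.example.org/Shibboleth.sso/SLO/POST"/>
    </md:SPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""


def classify_slo(metadata_xml: str) -> dict:
    """Map each entityID to 'back-channel', 'front-channel', 'ambiguous' or 'none'."""
    verdicts = {}
    for ed in ET.fromstring(metadata_xml).iter(f"{{{MD}}}EntityDescriptor"):
        bindings = {slo.get("Binding") for slo in ed.iter(f"{{{MD}}}SingleLogoutService")}
        back, front = SOAP in bindings, bool(bindings & FRONT)
        # Exactly one channel advertised tells the IdP which binding to use;
        # both means the IdP may pick the IFrame path and hit the cookie problem.
        verdicts[ed.get("entityID")] = ("ambiguous" if back and front else
                                        "back-channel" if back else
                                        "front-channel" if front else "none")
    return verdicts


if __name__ == "__main__":
    for entity, verdict in classify_slo(SAMPLE_METADATA).items():
        print(f"{entity}: {verdict}")
```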
== Features ==