-
1. Re: Global Logout "up to 5 participants"?
anil.saldhana Oct 14, 2013 9:56 PM (in response to ssilvert)
The participant in a non-technical world would be a SAML Service Provider from the technical world. Any web app that uses an IDP would be a participant.
-
2. Re: Global Logout "up to 5 participants"?
ssilvert Oct 15, 2013 7:52 AM (in response to anil.saldhana)
Anil Saldhana wrote:
The participant in a non-technical world would be a SAML Service Provider from the technical world. Any web app that uses an IDP would be a participant.
Got it. So (participant == SAML SP)
What problems will I run into if I have global logout using 10 participants with one IDP?
I'm looking for some insight into how global logout works.
Stan
-
3. Re: Global Logout "up to 5 participants"?
anil.saldhana Oct 15, 2013 9:29 AM (in response to ssilvert)
Stan Silvert wrote:
Anil Saldhana wrote:
The participant in a non-technical world would be a SAML Service Provider from the technical world. Any web app that uses an IDP would be a participant.
Got it. So (participant == SAML SP)
What problems will I run into if I have global logout using 10 participants with one IDP?
I'm looking for some insight into how global logout works.
Stan
There is always the browser involved. Assume the user has accessed 10 apps and all of them have used the IDP for authentication. Now the user initiates a SAML global logout by clicking a button/link. Then there is a workflow where the IDP will perform a logout at each of the SPs before it chucks the IDP session. Remember the SP may have established its own session for the user. The logout request from the IDP gives an opportunity for the SP to log out the user and reply success/fail to the IDP via a LogoutResponse. Once the logout has been successful at all SPs, the IDP will send a successful response back to the initiating SP and the SP can log the user out.
GLO is a feature that makes me quite nervous (even though it is quite handy). Some open source projects such as Shibboleth do not support GLO.
Given the complexity of the GLO workflow and the different implementations of SPs, it is not a 100% guaranteed process. So it is better to keep the number of participants low. I don't think 10 will be an issue. But I don't have the perfect number. As low as you can go.
It is also possible that one or more SPs may not support global logout. Then the workflow is not clearly defined by the specs.
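The logout fan-out described in the reply above, as an added example that is not part of the original thread and not any project's code. The `ServiceProvider` and `IdentityProvider` classes are hypothetical models, the scenario is constructed, and reporting the SAML 2.0 `PartialLogout` status while still dropping the IDP session when an SP does not answer is an assumption of this sketch.

```python
from dataclasses import dataclass, field

SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
PARTIAL = "urn:oasis:names:tc:SAML:2.0:status:PartialLogout"

@dataclass
class ServiceProvider:
    """Hypothetical SP model: keeps its own local sessions, keyed by user."""
    name: str
    supports_slo: bool = True
    sessions: set = field(default_factory=set)

    def handle_logout_request(self, user):
        """Return a status URN, or None when the SP has no logout support."""
        if not self.supports_slo:
            return None
        self.sessions.discard(user)
        return SUCCESS

@dataclass
class IdentityProvider:
    """Hypothetical IDP model: tracks which SPs each user signed in to."""
    participants: dict = field(default_factory=dict)  # user -> [ServiceProvider]

    def login(self, user, sp):
        sp.sessions.add(user)
        self.participants.setdefault(user, []).append(sp)

    def global_logout(self, user, initiator):
        """Return (status for the initiating SP, names of SPs not logged out)."""
        others = [sp for sp in self.participants.get(user, []) if sp is not initiator]
        remaining = [sp.name for sp in others
                     if sp.handle_logout_request(user) != SUCCESS]
        self.participants.pop(user, None)  # only now drop the IDP session
        initiator.sessions.discard(user)   # initiator acts on the response
        return (PARTIAL if remaining else SUCCESS), remaining

def demo():
    # Constructed scenario: 10 SPs on one IDP, one SP lacks logout support.
    idp = IdentityProvider()
    sps = [ServiceProvider(f"app{i}", supports_slo=(i != 7)) for i in range(10)]
    for sp in sps:
        idp.login("stan", sp)
    status, remaining = idp.global_logout("stan", initiator=sps[0])
    still_live = [sp.name for sp in sps if "stan" in sp.sessions]
    return status, remaining, still_live

if __name__ == "__main__":
    print(demo())
```

The `still_live` list is the part worth monitoring in practice: it names the SPs where a local session survives after the user believes they have logged out everywhere.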
-
4. Re: Global Logout "up to 5 participants"?
ssilvert Oct 15, 2013 9:43 AM (in response to anil.saldhana)
Thanks Anil. That's very helpful.
Stan