Difference between revisions of "SLODemo"

From KIFÜ Wiki
m (SP4: Backdoor, Please!)
(SAML2)
Line 69: Line 69:
 
== Expected results ==
 
== Expected results ==
 
=== SAML2 ===
 
=== SAML2 ===
Single Logout profile is for SAML2 only. Therefore SP6 (Neanderthalensis) and SP7 (Ancient Greek) will always fail.
+
Single Logout profile is for SAML2 only. Therefore SP6 (Neanderthalensis) will always fail. Note that SP7 (Ancient Greek) actually ''speaks'' SAML2 although it initiates SSO with Shibboleth protocol. Therefore you cannot '''initiate''' SLO from SP7 but you can participate in SLO.
 +
 
 +
SP5 (Old Slowhand) will always fail unless the Logout request is initiated by it.
  
The same applies for SP5 (Old Slowhand) if the Logout request is not initiated by it.
 
 
=== Front-channel, back-channel ===
 
=== Front-channel, back-channel ===
 
The IdP can fallback to back-channel, if the logout is front-channel and the SP software does support only back-channel bindings. '''Not the other way''', because front-channel bindings need the information held in browser cookies.  
 
The IdP can fallback to back-channel, if the logout is front-channel and the SP software does support only back-channel bindings. '''Not the other way''', because front-channel bindings need the information held in browser cookies.  
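Review bot: in the added SP7 text, the second "Therefore" ("Therefore you cannot '''initiate''' SLO from SP7 ...") does not follow from the sentence before it, which only says that SP7 speaks SAML2 although it starts SSO with the Shibboleth protocol. Either state the reason initiation is not possible from SP7, or drop "Therefore" and present the initiate/participate split as an observed result. The rewritten SP5 line would likewise benefit from one clause saying why a request initiated by SP5 is the exception.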

Revision as of 15:28, 12 August 2009

Preparing


Service Providers

SP1: (Not-so) Old Release

SP software: Shibboleth 2.1 (Debian)
Front channel logout: supported
Back channel logout: not working
Notes: Back-channel logout returns 'Partial logout' due to a bug

SP2: Bright Shining Star

SP software: Shibboleth 2.2+ source build
Front channel logout: supported
Back channel logout: supported
Notes: Both front- and back-channel logout should work properly

SP3: The Pretender

SP software: SimpleSAMLphp SAML2 SP
Front channel logout: supported
Back channel logout: not supported
Notes: SimpleSAMLphp does not support back-channel bindings, therefore the metadata does not contain it

SP4: Use The Backdoor, Please!

SP software: Shibboleth 2.2+ source build
Front channel logout: not supported
Back channel logout: supported
Notes: The metadata of this SP does not contain front-channel bindings for logout


SP5: Old Slowhand

SP software: Shibboleth 2.1 (Debian)
Front channel logout: not working (times out)
Back channel logout: not working (times out)
Notes: Metadata points to a fake logout service that is not answering in time

SP6: Shibboleth Neanderthalensis

SP software: Shib 1.3 (IRL: Shibboleth 2.1)
Front channel logout: not supported
Back channel logout: not supported
Notes: The metadata of this SP does not contain any logout services, just like a normal Shib1.3 SP

SP7: Good Guy Speaking Ancient Greek

SP software: Shibboleth 2.2+ (Debian)
Front channel logout: supported
Back channel logout: supported
Notes: This is a 2.x SP but it uses the Shibboleth 1.3 SSO protocol. I'd expected a logout failure because of the Shibboleth-specific NameID format; however, it turned out to work.


SP8: Blitzkrieg

SP software: Shibboleth 2.2+ (source)
Front channel logout: not working (if timed out)
Back channel logout: not working (if timed out)
Notes: This is a special SP that has a very short session lifetime (30 sec). If you hit the logout button within 30 sec, it should work but it should fail afterwards, because the principal is no longer known to the SP.


Expected results

SAML2

The Single Logout profile is for SAML2 only. Therefore SP6 (Neanderthalensis) will always fail. Note that SP7 (Ancient Greek) actually speaks SAML2 although it initiates SSO with the Shibboleth protocol. Therefore you cannot initiate SLO from SP7 but you can participate in SLO.

SP5 (Old Slowhand) will always fail unless the Logout request is initiated by it.

Front-channel, back-channel

The IdP can fall back to back-channel if the logout is front-channel and the SP software supports only back-channel bindings. The reverse is not possible, because front-channel bindings need the information held in browser cookies.
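The fallback rule above, as an added example (not code from this wiki page or from the IdP software): it reads the `SingleLogoutService` bindings from SP metadata and picks the channel the IdP can use. The function names, the preference for front-channel when both are offered, and the sample metadata are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
B = "urn:oasis:names:tc:SAML:2.0:bindings:"
FRONT = {B + "HTTP-Redirect", B + "HTTP-POST", B + "HTTP-Artifact"}  # via the browser
BACK = {B + "SOAP"}                                                  # direct IdP-to-SP call

def slo_channels(metadata_xml):
    """Return the logout channels ('front', 'back') an SP advertises."""
    channels = set()
    for svc in ET.fromstring(metadata_xml).iter(MD + "SingleLogoutService"):
        binding = svc.get("Binding")
        if binding in FRONT:
            channels.add("front")
        elif binding in BACK:
            channels.add("back")
    return channels

def pick_channel(logout_mode, metadata_xml):
    """Channel the IdP can use for this SP, or None if SLO cannot reach it."""
    offered = slo_channels(metadata_xml)
    if logout_mode == "front":
        # Browser is present: try front-channel first (assumed), then fall back.
        return next((ch for ch in ("front", "back") if ch in offered), None)
    # Back-channel logout has no browser and no cookies: never fall back to front.
    return "back" if "back" in offered else None

def sp_metadata(*bindings):
    """Build constructed SP metadata with one SingleLogoutService per binding."""
    services = "".join(
        '<md:SingleLogoutService Binding="%s%s" Location="https://sp.example.org/slo"/>' % (B, b)
        for b in bindings)
    return ('<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" '
            'entityID="https://sp.example.org/sp"><md:SPSSODescriptor '
            'protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
            + services + '</md:SPSSODescriptor></md:EntityDescriptor>')

# Constructed metadata modelled on the demo SPs (not their real metadata).
SP2 = sp_metadata("HTTP-Redirect", "SOAP")   # both channels
SP3 = sp_metadata("HTTP-Redirect")           # front-channel only
SP4 = sp_metadata("SOAP")                    # back-channel only
SP6 = sp_metadata()                          # no logout services at all

if __name__ == "__main__":
    for name, md in [("SP2", SP2), ("SP3", SP3), ("SP4", SP4), ("SP6", SP6)]:
        print(name, "front ->", pick_channel("front", md), "| back ->", pick_channel("back", md))
```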

Unexpected results