1. Should logout be required for either IdPs, SPs, or both?
2. If it is, is SAML logout the appropriate profile to require (this might have implications for the implementation profile)?
3. Assuming SAML logout:
   1. Which logout endpoint bindings should be considered mandatory for SPs? For IdPs?
   2. What requirements can we make around synchronous vs. asynchronous SAML logout?
4. Since we’ll have SPs that don’t support logout and don’t comply with the profile, should we recommend some IdP action or display to deal with those?
5. Should we recommend the support of full federated logout to all capable SPs attached to a user’s session? How much of the IdP experience should be dictated? Different answer for saml2int vs. community perhaps?
6. Should logout requests/responses be required to be signed?
7. Should the NameID in logout requests be encrypted? (This turns into the XML Encryption conversation, so likely defer it.)
8. True or false? SPs that issue SAML V2.0 Single Logout requests MUST ensure that their metadata includes one or more SAML V2.0 endpoints for receiving responses. Failure to do so will result in runtime failures for users. (See: SLO Endpoints) (This is true for Shibboleth. - SC)
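The metadata condition in item 8 (an SP that issues logout requests must publish endpoints at which responses can be received), and the point in the note from Jim Basney that follows (publish SingleLogoutService only if it is really supported), can both be checked mechanically against federation metadata. The script below is an added example, not code from this page, from saml2int, or from any federation's tooling. It parses SAML 2.0 metadata with the Python standard library, lists the SingleLogoutService bindings each SP and IdP role publishes, and then applies a hypothetical local policy: the required SP binding list, the "front-channel" binding set, and the finding codes are assumptions for illustration, not profile requirements. The metadata document is constructed for the example.

```python
"""Report SingleLogoutService (SLO) endpoints published in SAML 2.0 metadata
and flag roles whose SLO publication would not let logout complete."""
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
BINDING_PREFIX = "urn:oasis:names:tc:SAML:2.0:bindings:"
# Browser-mediated bindings on which a LogoutResponse can be delivered back to the
# requester; SOAP is the synchronous back-channel binding. (Assumed policy grouping.)
FRONT_CHANNEL = {"HTTP-Redirect", "HTTP-POST", "HTTP-Artifact"}
ROLE_TAGS = {"SPSSODescriptor": "SP", "IDPSSODescriptor": "IdP"}

# Constructed sample metadata (example.org names, not a real federation):
# sp1 publishes Redirect and POST SLO endpoints, sp2 publishes none,
# and the IdP publishes only a SOAP (back-channel) SLO endpoint.
SAMPLE_METADATA = """<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
  <md:EntityDescriptor entityID="https://sp1.example.org/shibboleth">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
                              Location="https://sp1.example.org/Shibboleth.sso/SLO/Redirect"/>
      <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                              Location="https://sp1.example.org/Shibboleth.sso/SLO/POST"/>
      <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                                   Location="https://sp1.example.org/Shibboleth.sso/SAML2/POST" index="1"/>
    </md:SPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp2.example.org/shibboleth">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                                   Location="https://sp2.example.org/Shibboleth.sso/SAML2/POST" index="1"/>
    </md:SPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://idp.example.org/idp/shibboleth">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
                              Location="https://idp.example.org/idp/profile/SAML2/SOAP/SLO"/>
      <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
                              Location="https://idp.example.org/idp/profile/SAML2/Redirect/SSO"/>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>
"""


def _short_binding(uri):
    """Strip the common SAML 2.0 binding URI prefix for readable reporting."""
    return uri[len(BINDING_PREFIX):] if uri.startswith(BINDING_PREFIX) else uri


def slo_endpoints(metadata_xml):
    """Map entityID -> role ("SP"/"IdP") -> [(binding, Location, ResponseLocation)].

    A role that publishes no SingleLogoutService gets an empty list."""
    root = ET.fromstring(metadata_xml)
    ns = {"md": MD_NS}
    result = {}
    for ed in root.iter(f"{{{MD_NS}}}EntityDescriptor"):
        roles = {}
        for tag, role in ROLE_TAGS.items():
            for desc in ed.findall(f"md:{tag}", ns):
                roles[role] = [
                    (_short_binding(e.get("Binding", "")), e.get("Location", ""),
                     e.get("ResponseLocation"))  # None when the Location also receives responses
                    for e in desc.findall("md:SingleLogoutService", ns)
                ]
        result[ed.get("entityID")] = roles
    return result


def check_slo(metadata_xml, required_sp_bindings=("HTTP-Redirect",)):
    """Apply a hypothetical local policy; returns entityID -> [(role, finding_code)].

    no-slo:            role publishes no SLO endpoint; it cannot take part in SLO and
                       must not issue LogoutRequests (item 8: responses would fail).
    back-channel-only: only SOAP SLO; a browser-mediated LogoutResponse cannot be
                       delivered to this role.
    missing:<binding>: an SP lacks a binding the local policy requires (assumed)."""
    findings = {}
    for entity, roles in slo_endpoints(metadata_xml).items():
        notes = []
        for role, endpoints in roles.items():
            bindings = {b for b, _, _ in endpoints}
            if not endpoints:
                notes.append((role, "no-slo"))
                continue
            if not bindings & FRONT_CHANNEL:
                notes.append((role, "back-channel-only"))
            if role == "SP":
                notes.extend((role, f"missing:{b}") for b in required_sp_bindings
                             if b not in bindings)
        findings[entity] = notes
    return findings


if __name__ == "__main__":
    for entity, roles in slo_endpoints(SAMPLE_METADATA).items():
        for role, eps in roles.items():
            print(entity, role, [b for b, _, _ in eps] or "no SingleLogoutService")
    for entity, notes in check_slo(SAMPLE_METADATA).items():
        for role, code in notes:
            print(f"FINDING {entity} [{role}]: {code}")
```

Run against a real aggregate by replacing SAMPLE_METADATA with the downloaded file contents; the "no-slo" finding is only a problem for an SP that actually sends LogoutRequests, which is exactly the distinction the note below draws.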


Note from Jim Basney:

I agree with ScottK that logout is not a priority. Neither the NCSA IdP nor the CILogon SP supports SAML SingleLogoutService. My only opinion about it is that entities should only publish SingleLogoutService endpoints in metadata if they're sure they support it properly. For example, UnitedID's SingleLogoutService endpoint has been broken for a long time. If even the experts at UnitedID can't get it right, I think it's best for InCommon to continue to discourage use of SingleLogoutService.