I see three options. 1. SLO only support TGTs and associated STs. 2. SLO applies to TGTs their associated STs and to PGTs and their associated STs. 3. SLO applies to TGTs their associated STs, as well as their associated PGTs and their STs, etc.
3 should be somewhat trivial if 2 is in place. Personally I don't really care which of 1-3 is chosen, as long as it is defined properly and documented. Still, I think one needs to be a bit careful about the expectations on SLO. If I was to really depend on SLO for state management I would also expect some kind of guarantee of delivery, e.g., that the server retried the SLO request for at least some time until receiving 200 or 404. Mvh, /Fredrik 31 jan 2013 kl. 09:29 skrev jleleu <[email protected]> : > Hi, > > It's not an easy topic. But I see SLO in a different way : I would expect > that the CAS logout destroys all sessions from all SSO participants > (including proxied services). > > Though, whatever the choice/implementation, it requires to be clearly > documented. > > Best regards, > Jérôme > > -- > You are currently subscribed to [email protected] as: [email protected] > To unsubscribe, change settings or access archives, see > http://www.ja-sig.org/wiki/display/JSG/cas-dev -- You are currently subscribed to [email protected] as: [email protected] To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-dev
