Although there was a vote on the Aug 3rd call to make SOAP-based SLO
support optional in the conformance document (line 132, 5th line of
table from the bottom), I just wanted to point out again that there is a
fairly important security issue with respect to this decision (as I also
noted on the call in ).
If an IdP discovers that a user's credentials have been stolen or
otherwise compromised, but the user is not present at the IdP's site,
thus preventing the IdP from redirecting the user to individual SPs for
logout, then without any method to contact the SP (i.e. a SOAP SLO
interface) the IdP will be unable to communicate that the IdP can no
longer vouch for the supplied user's credentials.
I will note that several potential adopters of SAML/Liberty-based
technology questioned Liberty members about this issue before we started
to recommend that SPs support the SOAP interface for this very reason.
So, my preferred course of action would be to require the SP-complete
(i.e. SP, not SP-lite) to implement the IdP-initiated SOAP SLO interface
(change the OPTIONAL to a MUST in the SP column for IdP-initiated
If, however, the TC is against that course of action, I would highly
recommend that we add text somewhere in the specification that
recommends that SPs implement a SOAP SLO interface, and explains the
issue. Again, I would note that this was a point of issue with several
potential adopters of this technology.
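The IdP-initiated SOAP SLO exchange this message argues for, as an added example (not part of the original post or of any SAML TC document), in Python using only the standard library: the IdP wraps a LogoutRequest in a SOAP Body and the SP terminates the matching local sessions with no browser involved. The entity IDs, NameIDs and session table are constructed sample values, and the handler assumes message authenticity (XML signature or mutually authenticated TLS) was already checked.

```python
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Namespace and status URIs from SAML 2.0 core/bindings and SOAP 1.1.
SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
STATUS_REQUESTER = "urn:oasis:names:tc:SAML:2.0:status:Requester"

def build_soap_logout_request(idp_entity_id, name_id, session_index):
    """IdP side: LogoutRequest in a SOAP Body, sent back-channel to the SP's
    SOAP SLO endpoint. Works even when the user is not present at the IdP."""
    env = ET.Element(f"{{{SOAP}}}Envelope")
    body = ET.SubElement(env, f"{{{SOAP}}}Body")
    req = ET.SubElement(body, f"{{{SAMLP}}}LogoutRequest", {
        "ID": "_" + uuid.uuid4().hex, "Version": "2.0",
        "IssueInstant": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "Reason": "urn:oasis:names:tc:SAML:2.0:logout:admin",  # IdP-initiated
    })
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = idp_entity_id
    ET.SubElement(req, f"{{{SAML}}}NameID").text = name_id
    ET.SubElement(req, f"{{{SAMLP}}}SessionIndex").text = session_index
    return ET.tostring(env, encoding="unicode")

def sp_handle_soap_logout(soap_xml, sessions, trusted_idps):
    """SP side: drop every local session bound to the NameID (and SessionIndex,
    if given). `sessions` maps session_id -> (issuer, name_id, session_index).
    Returns (status URI, terminated session ids). Authenticity already verified."""
    env = ET.fromstring(soap_xml)
    req = env.find(f"{{{SOAP}}}Body/{{{SAMLP}}}LogoutRequest")
    issuer = req.findtext(f"{{{SAML}}}Issuer")
    if issuer not in trusted_idps:
        return STATUS_REQUESTER, []  # unknown issuer: refuse, terminate nothing
    name_id = req.findtext(f"{{{SAML}}}NameID")
    index = req.findtext(f"{{{SAMLP}}}SessionIndex")
    terminated = [sid for sid, (iss, nid, idx) in sessions.items()
                  if iss == issuer and nid == name_id and (index is None or idx == index)]
    for sid in terminated:
        del sessions[sid]
    return STATUS_SUCCESS, terminated

# Constructed sample: two SP sessions for the same user, one for another user.
SESSIONS = {
    "sp-sess-1": ("https://idp.example.org", "alice", "idx-100"),
    "sp-sess-2": ("https://idp.example.org", "alice", "idx-101"),
    "sp-sess-3": ("https://idp.example.org", "bob", "idx-200"),
}
```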