Sustainsys / Saml2

Saml2 Authentication services for ASP.NET

Purpose of throwing exception for logout status = Requester #635

Closed explunit closed 7 years ago

explunit commented 7 years ago

What is the purpose of throwing exception during single logout when the IDP returns status = requester? Would it be useful to have a compatibility setting to ignore this and continue with logout flow? https://github.com/KentorIT/authservices/blob/v0.19.0/Kentor.AuthServices/WebSSO/LogOutCommand.cs#L205-L210

I've found that some IDPs throw this error simply based on the amount of elapsed time since login, so in that instance interrupting the logout flow for this status serves no purpose.

AndersAbel commented 7 years ago

Did the Idp send any SessionNotOnOrAfter info in the initial assertion?

explunit commented 7 years ago

No, looks like this: <saml:AuthnStatement AuthnInstant="2017-01-24T19:40:19Z" SessionIndex="bigvaluehere">

AndersAbel commented 7 years ago

That makes it a bit tricky. For how long should the SP assume that the Idp knows of the session?

What about making a status code related notification that can be used both for logout and for sign in? It could have a default implementation that throws, but which can be overridden. A bit like how the GetLogoutResponseState notification works that has a default implementation.

explunit commented 7 years ago

Thanks, I'll pursue the notification approach.

Regarding the SessionNotOnOrAfter, if I'm reading the code correctly it doesn't currently consider that data before initiating the SLO. Perhaps that was the other enhancement approach you would suggest if I could get the IDP to send the property?

AndersAbel commented 7 years ago

SessionNotOnOrAfter is considered indirectly. The lifetime of the session cookie is set based on it, so if it is used, the local session will automatically be terminated at SessionNotOnOrAfter - hence there will be no local session to issue a federated logout for.
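The two mechanisms discussed in this thread, the overridable status-code check proposed above and the way SessionNotOnOrAfter bounds the local session so there is nothing left to log out, as a stand-alone model in Python. This is an added example, not code from Sustainsys/Saml2 or Kentor.AuthServices, and it does not use the library's notification API; the policy function names, the return strings and the sample LogoutResponse and Assertion messages are all constructed for illustration.

```python
# Added example (not Sustainsys/Saml2 or Kentor.AuthServices code): a minimal
# model of (1) processing a SAML 2.0 LogoutResponse status through a pluggable
# policy whose default aborts on anything but Success, and (2) bounding the SP's
# session cookie lifetime by SessionNotOnOrAfter when the IdP sends it.
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
STATUS_REQUESTER = "urn:oasis:names:tc:SAML:2.0:status:Requester"


class UnsuccessfulSamlOperationError(Exception):
    """Raised when the IdP reports a non-Success status that the policy does not tolerate."""


def logout_response_status(xml_text):
    """Return the top-level StatusCode/@Value of a samlp:LogoutResponse."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP}}}LogoutResponse":
        raise ValueError("not a samlp:LogoutResponse")
    code = root.find(f"{{{SAMLP}}}Status/{{{SAMLP}}}StatusCode")
    if code is None or code.get("Value") is None:
        raise ValueError("LogoutResponse carries no StatusCode")
    return code.get("Value")


def strict_status_policy(status):
    """Default policy (hypothetical name): anything other than Success aborts the logout."""
    if status != STATUS_SUCCESS:
        raise UnsuccessfulSamlOperationError(f"IdP returned {status}")


def tolerate_requester_policy(status):
    """Override (hypothetical name): a Requester status, e.g. from an IdP that already
    dropped the session, still lets the SP finish its local logout."""
    if status not in (STATUS_SUCCESS, STATUS_REQUESTER):
        raise UnsuccessfulSamlOperationError(f"IdP returned {status}")


def logout_outcome(xml_text, status_policy=strict_status_policy):
    """Process a LogoutResponse under a pluggable status policy.

    Returns "local-session-cleared" when the policy lets the flow continue,
    otherwise "aborted: <status>" (the SP keeps its local session and surfaces the error).
    """
    status = logout_response_status(xml_text)
    try:
        status_policy(status)
    except UnsuccessfulSamlOperationError:
        return f"aborted: {status}"
    return "local-session-cleared"  # a real SP would drop its session cookie here


def session_cookie_expiry(assertion_xml, now, default_lifetime):
    """Cookie expiry = min(SP's own lifetime, SessionNotOnOrAfter if the IdP sent one).

    With the IdP bound applied, the local session ends no later than the IdP's,
    so there is never a local session left to issue a federated logout for.
    """
    root = ET.fromstring(assertion_xml)
    stmt = root.find(f".//{{{SAML}}}AuthnStatement")
    limit = stmt.get("SessionNotOnOrAfter") if stmt is not None else None
    local_expiry = now + default_lifetime
    if limit is None:
        return local_expiry  # no IdP hint: the SP's own lifetime is all it has
    idp_expiry = datetime.fromisoformat(limit.replace("Z", "+00:00"))
    return min(local_expiry, idp_expiry)


# Constructed sample messages; not captured from any real IdP.
REQUESTER_RESPONSE = f"""<samlp:LogoutResponse xmlns:samlp="{SAMLP}" ID="_r1" Version="2.0"
    IssueInstant="2017-01-24T21:00:00Z" InResponseTo="_lr1">
  <samlp:Status><samlp:StatusCode Value="{STATUS_REQUESTER}"/></samlp:Status>
</samlp:LogoutResponse>"""

SUCCESS_RESPONSE = REQUESTER_RESPONSE.replace(STATUS_REQUESTER, STATUS_SUCCESS)

ASSERTION_NO_LIMIT = f"""<saml:Assertion xmlns:saml="{SAML}" ID="_a1" Version="2.0"
    IssueInstant="2017-01-24T19:40:19Z">
  <saml:AuthnStatement AuthnInstant="2017-01-24T19:40:19Z" SessionIndex="bigvaluehere"/>
</saml:Assertion>"""

ASSERTION_WITH_LIMIT = ASSERTION_NO_LIMIT.replace(
    'SessionIndex="bigvaluehere"',
    'SessionIndex="bigvaluehere" SessionNotOnOrAfter="2017-01-24T20:40:19Z"')

LOGIN_TIME = datetime(2017, 1, 24, 19, 40, 19, tzinfo=timezone.utc)  # AuthnInstant above
DEFAULT_LIFETIME = timedelta(hours=8)  # assumed SP-side session lifetime

if __name__ == "__main__":
    print("strict  :", logout_outcome(REQUESTER_RESPONSE))
    print("tolerant:", logout_outcome(REQUESTER_RESPONSE, tolerate_requester_policy))
    print("no limit:", session_cookie_expiry(ASSERTION_NO_LIMIT, LOGIN_TIME, DEFAULT_LIFETIME))
    print("limited :", session_cookie_expiry(ASSERTION_WITH_LIMIT, LOGIN_TIME, DEFAULT_LIFETIME))
```

The tolerant policy only widens the accepted set to Requester; any other non-Success value (Responder, VersionMismatch) still aborts, so an override for one IdP's quirk does not silently swallow every failed logout. Note that when the IdP omits SessionNotOnOrAfter the SP has only its own lifetime to go on, which is exactly the gap that makes the status question above hard to answer in general.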