I don't see what multi-auth has to do with logging out. If the user clicks "log out" at RP2, and the user logged into RP2 with OP1, then OP1 assists the user in logging out of both RP1 and RP2 since OP1 sent a positive assertion to those RPs. The detail that RP1 required positive assertions from OP1 <i>and</i> OP2 to log the user in seems inconsequential. As soon as RP1 gets the "log out" assertion from the OP, it only has OP2 with a standing positive assertion left, and therefore logs the user out. OP1 isn't ever aware that OP2 existed.<div>
<br clear="all">--<br>Andrew Arnott<br>"I [may] not agree with what you have to say, but I'll defend to the death your right to say it." - S. G. Tallentyre<br>
<br><br><div class="gmail_quote">On Fri, Oct 2, 2009 at 9:06 PM, SitG Admin <span dir="ltr">&lt;<a href="mailto:sysadmin@shadowsinthegarden.com">sysadmin@shadowsinthegarden.com</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
<div class="im"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
I don't understand how you can use an OP to log into an RP without the OP being aware that it's sending that assertion.<br>
</blockquote>
<br></div>
Sure. But if you're using OP1 *and* OP2 to log in at RP3 (say, via MultiAuth), then the user should be able to keep OP1 and OP2 unaware of each other; so, when RP4 (which only knows the user through OP1) tells the user to log out from all of OP1's sessions, it can only send the user to OP1; will OP1 also send the user to all the RPs it knows, just in case any of them is currently using MultiAuth with the user?<br>
<br>
-Shade<br>
</blockquote></div><br></div>