
saml-dev message



Subject: Sessions and SSO.



Hi, thinking about the SSO case (not necessarily browser),
I have the following questions to post:

Scenario:

- The user logs on to SPA.
- SPA recognizes that the request to access that service is not authenticated (not having any session).
- SPA sends an Auth req to IDP, which again recognizes (by non-SAML means) that it is the first time that the user is trying to access the IDP.
- IDP challenges the user.
- IDP works out who the user is and what the policy for creating the Assertion/Subject/SessionIndex is, and sends the Assertion back to SPA.

Now what happens if the user goes on to SPB?
Since this is the first time, the sequence should kick off again.

I'm wondering though, now the IDP again has to know that the user has already been authenticated in a way.
It looks like, again, by non-SAML means (e.g. a cookie) the IDP realizes that this is not the first time, and also, if the Auth context matches the one from the previous request, the user then doesn't need to be challenged again.

In a few words, SAML is not, actually, really facilitating SSO. SSO is actually facilitated by some other means (session management between user and IDP).

Is this correct? Am I missing something?

Sorry, I'm just trying to understand the scope and capabilities of SAML.

Giuseppe.
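
The scenario in the message above, sketched as an added example (not part of the original post and not code from any SAML implementation): a toy IdP that keeps its own cookie-keyed session and challenges only when no session exists or the requested authentication context differs. `ToyIdp`, `handle_authn_request`, the context labels `password` and `smartcard`, and the choice to give both SPs the same session index are assumptions made for illustration.

```python
import secrets
from dataclasses import dataclass, field

@dataclass
class IdpSession:
    user: str
    authn_context: str
    session_index: str
    participants: list = field(default_factory=list)  # SPs given an assertion

class ToyIdp:
    """IdP-side session state only: no SAML XML, signing or transport."""

    def __init__(self):
        self.sessions = {}   # cookie value -> IdpSession (the non-SAML part)
        self.challenges = 0  # how many times the user was prompted

    def _challenge(self):
        # Stand-in for a real login prompt; returns a constructed user name.
        self.challenges += 1
        return "giuseppe"

    def handle_authn_request(self, sp, cookie, requested_context):
        """Return (cookie, assertion) for an authentication request from sp."""
        session = self.sessions.get(cookie) if cookie else None
        if session is None or session.authn_context != requested_context:
            # No session, unknown cookie, or context mismatch: challenge and
            # start a fresh session (assumed policy for this sketch).
            user = self._challenge()
            self.sessions.pop(cookie, None)
            cookie = secrets.token_urlsafe(32)
            session = IdpSession(user, requested_context,
                                 "_" + secrets.token_hex(16))
            self.sessions[cookie] = session
        if sp not in session.participants:
            session.participants.append(sp)
        assertion = {"audience": sp, "subject": session.user,
                     "authn_context": session.authn_context,
                     "session_index": session.session_index}
        return cookie, assertion

def run_scenario():
    """SPA first, then SPB with the same cookie, then SPB asking for more."""
    idp = ToyIdp()
    cookie, for_spa = idp.handle_authn_request("SPA", None, "password")
    cookie, for_spb = idp.handle_authn_request("SPB", cookie, "password")
    seen = idp.challenges  # 1: SPB did not trigger a second prompt
    _, stepped = idp.handle_authn_request("SPB", cookie, "smartcard")
    return seen, idp.challenges, for_spa, for_spb, stepped
```
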


