[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: RE: [saml-dev] safe value for AuthenticationInstant?
Our product sets the AuthenticationInstant to the actual time that the user authenticated at the IdP using the method reflected in the assertion sent back to the SP. This time would be very important to many SP applications that have strict policies on the freshness of the user's authentication. If the IdP forces the user to authenticate on every visit to the IdP, then using the current time, I suppose, is accurate. But that's not how most IdPs should work. If the user had previously authenticated at the IdP due to an earlier interaction with some other SP, then sending an assertion to another SP based on that earlier authentication but using the current time for authn instant is IMO a BAD practice. For example, an SP may want to use the authn instant to determine freshness and, if outside the bounds of its policy, it might send the user back to the IdP with the ForceAuthn flag set.

Rob Philpott
Senior Consulting Engineer
RSA Security Inc.
Tel: 781-515-7115
Mobile: 617-510-0893
Fax: 781-515-7020
Email: rphilpott@rsasecurity.com
I-name: =Rob.Philpott

> -----Original Message-----
> From: william [mailto:oasis.saml@javafreelancer.net]
> Sent: Monday, December 12, 2005 12:17 PM
> To: saml-dev@lists.oasis-open.org
> Subject: [saml-dev] safe value for AuthenticationInstant?
>
> I've been perusing the code of an open source implementation of
> SAML 1.1's web SSO profile to try and get a grasp on how SAML's
> being implemented by other developers out there. Here is a comment
> that appears in the code at the point where
> <AuthenticationStatement ... AuthenticationInstant="..." /> is
> set:
>
> "// No one seems to actually care about authn instant so
> // we'll just set it to [new java.util.Date()...]
> // until there are some other requirements..."
>
> That struck me as a curious comment! I would think that the time a
> subject was authenticated is hugely important in most cases (to
> guard against replay, for example).
>
> How have developers in this forum used AuthenticationInstant in
> their projects?
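The two sides of the argument above, as an added example that is not code from the list post, from RSA's product, or from the open-source implementation William looked at. The IdP half carries the time the user really authenticated into a SAML 1.1 AuthenticationStatement (with a flag that reproduces the "just use the current time" practice for comparison); the SP half parses AuthenticationInstant, applies a maximum-age policy with a small clock-skew tolerance, and decides whether to accept, send the user back with ForceAuthn, or reject. `IdpSession`, `build_assertion`, `sp_freshness_decision`, the placeholder AssertionID and Issuer, and the timestamps are all constructed for this example.

```python
"""AuthenticationInstant freshness, IdP side and SP side.

Added example, not code from the thread or any product it mentions.
Assumes a SAML 1.1 AuthenticationStatement with a UTC xsd:dateTime
AuthenticationInstant, and an SP policy expressed as a maximum
authentication age in seconds.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

SAML1_NS = "urn:oasis:names:tc:SAML:1.0:assertion"
ET.register_namespace("saml", SAML1_NS)


def _q(name: str) -> str:
    """Clark-notation tag for a SAML 1.1 assertion element."""
    return f"{{{SAML1_NS}}}{name}"


def _fmt(ts: datetime) -> str:
    """xsd:dateTime in UTC, the form SAML requires for instants."""
    return ts.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


@dataclass
class IdpSession:
    """Hypothetical IdP login session: remembers when the user really authenticated."""
    subject: str
    authn_method: str
    authenticated_at: datetime


def build_assertion(session: IdpSession, issue_instant: datetime,
                    use_current_time: bool = False) -> str:
    """IdP side.  By default the statement carries the time the user actually
    authenticated, even when this assertion is minted later for a second SP.
    use_current_time=True reproduces the practice questioned in the thread
    (AuthenticationInstant = now) so the SP check below can show the difference."""
    instant = issue_instant if use_current_time else session.authenticated_at
    assertion = ET.Element(_q("Assertion"), {
        "MajorVersion": "1", "MinorVersion": "1",
        "AssertionID": "example-assertion-id",   # constructed placeholder
        "Issuer": "https://idp.example.test",    # constructed placeholder
        "IssueInstant": _fmt(issue_instant),
    })
    stmt = ET.SubElement(assertion, _q("AuthenticationStatement"), {
        "AuthenticationMethod": session.authn_method,
        "AuthenticationInstant": _fmt(instant),
    })
    subject = ET.SubElement(stmt, _q("Subject"))
    ET.SubElement(subject, _q("NameIdentifier")).text = session.subject
    return ET.tostring(assertion, encoding="unicode")


def parse_authentication_instant(assertion_xml: str) -> datetime:
    """SP side: extract AuthenticationInstant from the AuthenticationStatement.
    Accepts UTC xsd:dateTime with or without fractional seconds; anything
    else (including a non-UTC offset) is rejected rather than guessed at."""
    root = ET.fromstring(assertion_xml)
    stmt = root.find(_q("AuthenticationStatement"))
    if stmt is None:
        raise ValueError("no AuthenticationStatement in assertion")
    raw = stmt.get("AuthenticationInstant")
    if raw is None:
        raise ValueError("AuthenticationStatement lacks AuthenticationInstant")
    for pattern in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%M:%S.%fZ"):
        try:
            return datetime.strptime(raw, pattern).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"unparseable AuthenticationInstant: {raw!r}")


def sp_freshness_decision(assertion_xml: str, now: datetime,
                          max_age_seconds: int, clock_skew_seconds: int = 60) -> str:
    """Return 'accept', 'force_authn' (send the user back to the IdP with
    ForceAuthn) or 'reject' (instant lies in the future beyond tolerated skew)."""
    age = now - parse_authentication_instant(assertion_xml)
    if age < -timedelta(seconds=clock_skew_seconds):
        return "reject"
    if age > timedelta(seconds=max_age_seconds):
        return "force_authn"
    return "accept"


def demo() -> dict:
    """Constructed scenario: user logs in at 17:00Z, a second SP gets an
    assertion at 17:20Z.  Returns the SP's decision for each case."""
    session = IdpSession("alice", "urn:oasis:names:tc:SAML:1.0:am:password",
                         datetime(2005, 12, 12, 17, 0, tzinfo=timezone.utc))
    now = datetime(2005, 12, 12, 17, 20, tzinfo=timezone.utc)
    honest = build_assertion(session, now)
    naive = build_assertion(session, now, use_current_time=True)
    future = build_assertion(IdpSession("bob", session.authn_method,
                                        now + timedelta(minutes=5)), now)
    return {
        "parsed_instant_matches_login":
            parse_authentication_instant(honest) == session.authenticated_at,
        "honest_15min": sp_freshness_decision(honest, now, 900),   # stale: force_authn
        "honest_30min": sp_freshness_decision(honest, now, 1800),  # within policy
        "naive_15min": sp_freshness_decision(naive, now, 900),     # stale login looks fresh
        "future_instant": sp_freshness_decision(future, now, 900), # beyond skew: reject
    }


if __name__ == "__main__":
    for case, decision in demo().items():
        print(f"{case}: {decision}")
```

The `naive_15min` case is the one Rob objects to: the user authenticated twenty minutes ago, but because the IdP stamped the assertion with the current time the SP's fifteen-minute policy passes it, and the SP never gets the chance to send ForceAuthn. Real deployments would also validate the assertion's signature and Conditions before looking at the instant; that is left out here to keep the freshness logic in view.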