OASIS Mailing List Archives

saml-dev message



Subject: Re: [saml-dev] safe value for AuthenticationInstant?


On 12/12/05, Philpott, Robert <rphilpott@rsasecurity.com> wrote:
>
> If the user had previously authenticated at the IdP
> due to an earlier interaction with some other SP, then sending an
> assertion to another SP based on that earlier authentication but using
> the current time for authn instant is IMO a BAD practice.

Agreed.

> For example, an SP may want to use the authn instant to determine
> freshness and if outside the bounds of its policy it might send the user
> back to the IdP with the ForceAuthn flag set.

No such thing in SAML 1.1, I'm afraid.

Tom
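
The freshness check discussed in this thread, as an added example that is not part of the original messages: it reads the authentication instant from a SAML 1.1 or SAML 2.0 assertion and applies a maximum-age policy, showing where the two versions diverge on ForceAuthn. The function names, policy values and sample assertions are assumptions made for illustration, and the assertion is assumed to have been signature-verified before this code sees it.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# (assertion namespace, statement element, instant attribute, ForceAuthn exists?)
PROFILES = [
    ("urn:oasis:names:tc:SAML:1.0:assertion", "AuthenticationStatement",
     "AuthenticationInstant", False),   # SAML 1.0/1.1
    ("urn:oasis:names:tc:SAML:2.0:assertion", "AuthnStatement",
     "AuthnInstant", True),             # SAML 2.0
]

def authn_instant(assertion_xml):
    """Return (oldest authentication instant, ForceAuthn available).

    Assumes the assertion's signature and conditions were already verified.
    """
    root = ET.fromstring(assertion_xml)
    for ns, elem, attr, has_force_authn in PROFILES:
        instants = []
        for stmt in root.iter("{%s}%s" % (ns, elem)):
            ts = datetime.fromisoformat(stmt.attrib[attr].replace("Z", "+00:00"))
            # SAML time values are UTC; treat a missing offset as UTC.
            instants.append(ts if ts.tzinfo else ts.replace(tzinfo=timezone.utc))
        if instants:
            return min(instants), has_force_authn
    raise ValueError("no authentication statement in assertion")

def freshness_decision(assertion_xml, now, max_age, skew=timedelta(minutes=2)):
    """Hypothetical SP policy: accept, or say how a stale login is handled."""
    instant, has_force_authn = authn_instant(assertion_xml)
    if instant > now + skew:
        return "reject_future_instant"
    if now - instant <= max_age:
        return "accept"
    # Stale: SAML 2.0 can send an AuthnRequest with ForceAuthn="true";
    # SAML 1.1 has no such flag, so the SP can only refuse the assertion.
    return "reauth_with_force_authn" if has_force_authn else "reject_stale"

# Constructed, trimmed sample assertions (not schema-complete, unsigned).
SAML11 = ('<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">'
          '<saml:AuthenticationStatement AuthenticationInstant="2005-12-12T09:00:00Z"/>'
          '</saml:Assertion>')
SAML20 = ('<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
          '<saml:AuthnStatement AuthnInstant="2005-12-12T09:00:00Z"/>'
          '</saml:Assertion>')

if __name__ == "__main__":
    later = datetime(2005, 12, 12, 12, 0, tzinfo=timezone.utc)
    for name, xml in (("SAML 1.1", SAML11), ("SAML 2.0", SAML20)):
        print(name, freshness_decision(xml, later, timedelta(minutes=30)))
```

The check is only meaningful if the IdP reports the time of the original authentication, which is the practice both posters agree on; an IdP that stamps the current time makes every assertion look fresh.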

