Subject: Re: [saml-dev] safe value for AuthenticationInstant?
On 12/12/05, Philpott, Robert <rphilpott@rsasecurity.com> wrote:
>
> If the user had previously authenticated at the IdP
> due to an earlier interaction with some other SP, then sending an
> assertion to another SP based on that earlier authentication but using
> the current time for authn instant is IMO a BAD practice.

Agreed.

> For example, an SP may want to use the authn instant to determine
> freshness and if outside the bounds of its policy it might send the user
> back to the IdP with the ForceAuthn flag set.

No such thing in SAML 1.1, I'm afraid.

Tom
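
The freshness check discussed in this message, sketched as an added example that is not part of the original thread or any participant's code: an SP reads `AuthenticationInstant` from a SAML 1.1 assertion and compares its age to local policy. The function name, `max_age`, `skew` and the sample assertion are assumptions constructed for illustration, and signature verification is assumed to have happened already.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# SAML 1.1 assertions use the 1.0 assertion namespace.
SAML11 = "{urn:oasis:names:tc:SAML:1.0:assertion}"

# Constructed sample: assertion issued at 12:00 for a login that happened at 09:00.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
    MajorVersion="1" MinorVersion="1" AssertionID="_constructed-example"
    Issuer="https://idp.example.org" IssueInstant="2005-12-12T12:00:00Z">
  <saml:AuthenticationStatement
      AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password"
      AuthenticationInstant="2005-12-12T09:00:00Z">
    <saml:Subject><saml:NameIdentifier>user@example.org</saml:NameIdentifier></saml:Subject>
  </saml:AuthenticationStatement>
</saml:Assertion>"""

def parse_instant(value):
    # SAML instants are UTC xs:dateTime values; fractional seconds are optional.
    fmt = "%Y-%m-%dT%H:%M:%S.%fZ" if "." in value else "%Y-%m-%dT%H:%M:%SZ"
    return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)

def authn_freshness(assertion_xml, now, max_age, skew=timedelta(minutes=3)):
    """Return (decision, age) for an assertion whose signature was already verified."""
    root = ET.fromstring(assertion_xml)
    stmt = root.find(SAML11 + "AuthenticationStatement")
    if stmt is None or "AuthenticationInstant" not in stmt.attrib:
        return "reject-no-authn-statement", None
    authn = parse_instant(stmt.attrib["AuthenticationInstant"])
    issued = parse_instant(root.attrib["IssueInstant"])
    # A login that postdates the assertion, or lies in the future, is inconsistent.
    if authn > issued + skew or authn > now + skew:
        return "reject-inconsistent-instant", None
    # Age is measured from the original login, not from IssueInstant, so an
    # assertion minted seconds ago can still carry a stale authentication.
    age = now - authn
    # What the SP does on "stale-authn" is local policy; the reply above
    # notes that SAML 1.1 has no ForceAuthn flag to send back to the IdP.
    return ("accept" if age <= max_age else "stale-authn"), age
```

This only works if the IdP reports the true login time, which is the practice the thread argues for; an IdP that stamps the current time makes every assertion look fresh.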