Subject: Re: [saml-dev] Skipping authnreq
On 3/15/06, Andreas Åkre Solberg <Andreas.Solberg@uninett.no> wrote:

> In this scenario, the nameidentifier is a transient session token.

I claim transient identifiers only make sense in traditional browser flows, so your scenario implies a previous authentication at the IdP. How do you obtain a transient identifier, if not from the authentication step?

> My question is; is it OK to skip the authentication request, and use
> the attribute request for both validating the handle and retrieving
> attributes.

I'm not sure what you mean by "skip the authentication request." How did you obtain the transient identifier in the first place?

> I assume that if the nameidentifier is attached to an
> authentication session that is expired the attribute request would
> result in an error response.

If not, the IdP would not be doing its job. ;-)

> We are implementing both sides, so we can make it work, but we should
> not do it this way if it is "illegal" in the SAML spec.

You don't say which SAML spec, but for the most part SAML has little to say about attribute queries.

> I have a
> feeling that it may be required to retrieve, parse and understand the
> Condition element.

Are you referring to XML attributes NotBefore and NotOnOrAfter? These apply to the assertion, not the identifier used in the assertion. This is the basic reason why transient identifiers are practically worthless outside of traditional browser flows (which seems to be what you're talking about).

Tom
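The two points in the reply above (an IdP should refuse an attribute query whose transient handle no longer maps to a live authentication session, and NotBefore/NotOnOrAfter in Conditions bound the assertion rather than the identifier) as an added Python example; this is not code from the thread or from any SAML implementation, and the session table, attribute values and handle names are constructed:

```python
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
FMT = "%Y-%m-%dT%H:%M:%SZ"  # SAML xs:dateTime in UTC

# Constructed IdP state: transient handle -> (principal, authentication session expiry).
T0 = datetime(2006, 3, 15, 12, 0, tzinfo=timezone.utc)
SESSIONS = {"_handle1": ("andreas", T0 + timedelta(hours=8))}
ATTRIBUTES = {"andreas": {"eduPersonAffiliation": "member"}}

def build_assertion(name_id, attrs, now, lifetime=timedelta(minutes=5)):
    """Minimal unsigned assertion; the validity window sits on <Conditions>, not on the NameID."""
    attr_xml = "".join(
        f'<saml:Attribute Name="{k}"><saml:AttributeValue>{v}</saml:AttributeValue></saml:Attribute>'
        for k, v in attrs.items())
    return (f'<saml:Assertion xmlns:saml="{SAML_NS}">'
            f'<saml:Subject><saml:NameID Format="{TRANSIENT}">{name_id}</saml:NameID></saml:Subject>'
            f'<saml:Conditions NotBefore="{now.strftime(FMT)}" '
            f'NotOnOrAfter="{(now + lifetime).strftime(FMT)}"/>'
            f'<saml:AttributeStatement>{attr_xml}</saml:AttributeStatement></saml:Assertion>')

def handle_attribute_query(name_id, name_id_format, now):
    """IdP side (hypothetical handler): a transient handle is only resolvable while its session lives."""
    if name_id_format != TRANSIENT:
        return ("error", "unsupported NameID format")
    entry = SESSIONS.get(name_id)
    if entry is None:
        return ("error", "unknown transient identifier")
    principal, expires = entry
    if now >= expires:
        return ("error", "authentication session expired")
    return ("ok", build_assertion(name_id, ATTRIBUTES[principal], now))

def check_conditions(assertion_xml, now):
    """SP side: enforce NotBefore <= now < NotOnOrAfter on the assertion itself."""
    root = ET.fromstring(assertion_xml)
    cond = root.find(f"{{{SAML_NS}}}Conditions")
    if cond is None or cond.get("NotBefore") is None or cond.get("NotOnOrAfter") is None:
        return False  # no bounded window: reject rather than guess
    not_before = datetime.strptime(cond.get("NotBefore"), FMT).replace(tzinfo=timezone.utc)
    not_on_or_after = datetime.strptime(cond.get("NotOnOrAfter"), FMT).replace(tzinfo=timezone.utc)
    return not_before <= now < not_on_or_after
```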