OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.

 


Help: OASIS Mailing Lists Help | MarkMail Help

saml-dev message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]


Subject: Re: [saml-dev] Skipping authnreq


On 3/15/06, Andreas Åkre Solberg <Andreas.Solberg@uninett.no> wrote:
>
> In this scenario, the nameidentifier is a transient session token.

I claim transient identifiers only make sense in traditional browser
flows, so your scenario implies a previous authentication at the IdP. 
How do you obtain a transient identifier, if not from the
authentication step?

> My question is; is it OK to skip the authentication request, and use
> the attribute request for both validating the handle and retrieve
> attributes.

I'm not sure what you mean by "skip the authentication request."  How
did you obtain the transient identifier in the first place?

> I assume that if the nameidentifier is attached to an
> authentication session that is expired the attribute request would
> result in an error response.

If not, the IdP would not be doing its job. ;-)

> We are implementing both sides, so we can make it work, but we should
> not do it this way if it is "illegal" in the SAML spec.

You don't say which SAML spec, but for the most part SAML has little
to say about attribute queries.

> I have a
> feeling that it may be required to retrieve, parse and understand the
> Condition element.

Are you referring to XML attributes NotBefore and NotOnOrAfter?  These
apply to the assertion, not the identifier used in the assertion. 
This is the basic reason why transient identifiers are practically
worthless outside of traditional browser flows (which seems to be what
you're talking about).

Tom


[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]