saml-dev message
Subject: RE: [saml-dev] Skipping authnreq


> > In this scenario, the nameidentifier is a transient session token.
> 
> I claim transient identifiers only make sense in traditional browser
> flows, so your scenario implies a previous authentication at the IdP.

That doesn't follow. They work in any scenario where the IdP is the one
producing the identifier, or is in communication with the entity that is. Or
of course they work as a placeholder subject when you don't really care what
the identifier is, and only care about the attributes.
> I'm not sure what you mean by "skip the authentication request."  How
> did you obtain the transient identifier in the first place?

That I agree with, however. The binding had to be established somewhere.

> > I assume that if the nameidentifier is attached to an
> > authentication session that is expired the attribute request would
> > result in an error response.
> 
> If not, the IdP would not be doing its job. ;-)

Agree also.

> Are you referring to XML attributes NotBefore and NotOnOrAfter?  These
> apply to the assertion, not the identifier used in the assertion.
> This is the basic reason why transient identifiers are practically
> worthless outside of traditional browser flows (which seems to be what
> you're talking about).

That doesn't follow either, but is a very common mistake. If that were true,
no identifier would ever work because the lifetime of identifiers is never
explicitly communicated in SAML today. All transients say is that storing
them is a bad idea because you're not likely to get the same one back the
next time the same user interacts with you. There's nothing else unusual
about them.

Putting it another way, if you think that just having a DN means anything
with respect to whether you can query for attributes using it, you're wrong.

-- Scott
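The distinction Scott draws above (NotBefore/NotOnOrAfter bound the assertion, while the transient NameID itself carries no lifetime and is simply reused as the subject of a later AttributeQuery) as an added illustration, not code from the list or from any SAML project; the assertion XML, entity IDs and element IDs are constructed sample values.

```python
import datetime as dt
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "samlp": "urn:oasis:names:tc:SAML:2.0:protocol"}
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"

# Constructed sample assertion: a transient NameID with a validity window on
# <Conditions>. Note there is no validity attribute on the NameID itself.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  ID="_a1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
  <saml:Issuer>https://idp.example.org</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">_tx9f3</saml:NameID>
  </saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T12:00:00Z" NotOnOrAfter="2024-01-01T12:05:00Z"/>
</saml:Assertion>"""


def parse_time(s):
    return dt.datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=dt.timezone.utc)


def assertion_valid_at(xml, now):
    """NotBefore/NotOnOrAfter constrain the assertion as a whole, not the NameID."""
    cond = ET.fromstring(xml).find("saml:Conditions", NS)
    nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if nb and now < parse_time(nb):
        return False
    if noa and now >= parse_time(noa):
        return False
    return True


def name_id(xml):
    """Return (value, format) of the subject identifier; no lifetime is attached to it."""
    el = ET.fromstring(xml).find("saml:Subject/saml:NameID", NS)
    return el.text, el.get("Format")


def build_attribute_query(xml, requester, issue_instant):
    """Reuse the identifier as the subject of an AttributeQuery. Whether the IdP
    still resolves a transient value is its decision; the SP just passes it back."""
    value, fmt = name_id(xml)
    ET.register_namespace("samlp", NS["samlp"])
    ET.register_namespace("saml", NS["saml"])
    q = ET.Element(f"{{{NS['samlp']}}}AttributeQuery", ID="_q1", Version="2.0",
                   IssueInstant=issue_instant)
    ET.SubElement(q, f"{{{NS['saml']}}}Issuer").text = requester
    subj = ET.SubElement(q, f"{{{NS['saml']}}}Subject")
    ET.SubElement(subj, f"{{{NS['saml']}}}NameID", Format=fmt).text = value
    return ET.tostring(q, encoding="unicode")
```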
