
saml-dev message



Subject: RE: [saml-dev] session in AuthnStatement


 

> the SAML2.0 core specification says that the SessionIndex 
> attribute is used for the session between a principal and the 
> authenticating authority. What is the intention of this 
> attribute? Can it be used to find the authenticating authority?

The intention of this attribute is to be able to differentiate
between different authentication sessions of the principal
at the same relying party.

So a user could be authenticated to the same IdP and visit the
same SP from multiple computers.  Each SSO session would be 
independent, so when the user logged out from their SSO session
on computer 1, the IdP could send single-logout messages to 
the SP without impacting the user's session on computer 2.


> And is it possible to save the session between a subject and 
> a service provider? Perhaps as an extension in the AuthnContext?

I'm not sure what you're asking here.  The SSO session index is
only used to differentiate between simultaneous independent 
SSO sessions with the IdP and not to track any other information
about the session.

Conor
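
An added example, not part of the original message: a minimal SP-side session store that uses SessionIndex the way the reply describes, so a single-logout message for one SSO session leaves the other untouched. The class name, NameID, index values and the LogoutRequest are constructed for illustration; signature and issuer verification are assumed to have happened already, and the "no SessionIndex means all sessions of the principal" branch follows the SAML 2.0 core logout processing rules rather than anything stated in this thread.

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

class SpSessionStore:
    """Hypothetical SP store: local sessions keyed by (NameID, SessionIndex)."""

    def __init__(self):
        self._sessions = {}  # (name_id, session_index) -> local session id

    def on_sso(self, name_id, session_index, local_session_id):
        # SessionIndex is taken from the AuthnStatement of the SSO assertion.
        self._sessions[(name_id, session_index)] = local_session_id

    def on_logout_request(self, xml_text):
        """Terminate matching sessions; return their local ids (sorted).

        Assumption: the message was signature-checked before this call.
        """
        root = ET.fromstring(xml_text)
        name_id = root.findtext("saml:NameID", namespaces=NS)
        indexes = {e.text for e in root.findall("samlp:SessionIndex", NS)}
        ended = []
        for key in list(self._sessions):
            if key[0] != name_id:
                continue
            # No SessionIndex in the request: every session of the principal.
            if not indexes or key[1] in indexes:
                ended.append(self._sessions.pop(key))
        return sorted(ended)

    def active(self):
        return sorted(self._sessions.values())

# Constructed sample: the IdP logs out the SSO session from "computer 1" only.
LOGOUT_COMPUTER_1 = """<samlp:LogoutRequest
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.org</saml:Issuer>
  <saml:NameID>alice@example.org</saml:NameID>
  <samlp:SessionIndex>idx-computer-1</samlp:SessionIndex>
</samlp:LogoutRequest>"""

def demo():
    store = SpSessionStore()
    store.on_sso("alice@example.org", "idx-computer-1", "sp-sess-A")
    store.on_sso("alice@example.org", "idx-computer-2", "sp-sess-B")
    return store.on_logout_request(LOGOUT_COMPUTER_1), store.active()
```
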

