
saml-dev message



Subject: Re: [saml-dev] the value of AuthnInstant


Hmm, does this qualify as errata then?

Tom

On Feb 11, 2008 11:23 AM, Ari Kermaier <ari.kermaier@oracle.com> wrote:
> I would guess that either most IdPs get it right or most SPs don't check. Also, implementers probably wonder (as I guess you did) what the difference is between Assertion IssueInstant and AuthnStatement AuthnInstant.
>
> ::Ari
>
> > -----Original Message-----
> > From: Tom Scavo [mailto:trscavo@gmail.com]
> > Sent: Thursday, February 07, 2008 8:23 PM
> > To: Eve Maler
> > Cc: SAML Developers
> > Subject: Re: [saml-dev] the value of AuthnInstant
> >
> >
> > Thanks, Eve.  I wasn't sure.
> >
> > Thinking out loud, I wonder how many implementations get this right?
> >
> > Tom
> >
> > On Feb 7, 2008 7:48 PM, Eve Maler <Eve.Maler@sun.com> wrote:
> > > It's t1, isn't it?  One assertion, issued at time t2, and another,
> > > issued at time t4, will both indicate that the user authenticated at
> > > time t1 -- assuming that authn session is still good, of course (e.g.,
> > > re-authn isn't being forced).
> > >
> > >         Eve
> > >
> > >
> > > On Feb 7, 2008, at 4:04 PM, Tom Scavo wrote:
> > >
> > > > > Suppose a user presents an AuthnRequest to an IdP at time t0.  Since
> > > > > the user has no security context initially, the IdP challenges the
> > > > > user to authenticate, which the user does successfully (at time t1).
> > > > > So the IdP issues an assertion (at time t2), which the user transmits
> > > > > to the SP via the browser.
> > > > >
> > > > > At some later time t3, the user presents another AuthnRequest to the
> > > > > IdP.  Since the user already has a security context, the IdP does not
> > > > > challenge the user to authenticate, but rather issues an assertion (at
> > > > > time t4), which again the user transmits to the SP.
> > > > >
> > > > > Question: What is the value of AuthnInstant in the second assertion?
> > > >
> > > > Thanks,
> > > > Tom
> > > >
> > > >
> > ---------------------------------------------------------------------
> > > > To unsubscribe, e-mail: saml-dev-unsubscribe@lists.oasis-open.org
> > > > For additional commands, e-mail:
> > saml-dev-help@lists.oasis-open.org
> > > >
> > >
> > > Eve Maler                                         +1 425 947 4522
> > > Principal Engineer                            eve.maler @ sun.com
> > > Business Alliances group                    Sun Microsystems, Inc.
> > >
> > >
> >
> >
> >
>
>
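
An added example, not part of the original thread: a sketch of the SP-side check the thread alludes to, reading AuthnInstant (t1) separately from IssueInstant (t2 or t4) and applying a maximum authentication age to the former. The assertions, timestamps, and the function names `instants` and `authn_is_fresh` are constructed for illustration; signature validation and the rest of assertion processing are assumed to happen elsewhere.

```python
"""SP-side authentication-age check (added example, constructed data)."""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed, unsigned assertion skeleton: only the two instants matter here.
TEMPLATE = (
    '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
    'Version="2.0" ID="{id}" IssueInstant="{issued}">'
    '<saml:AuthnStatement AuthnInstant="{authn}"/>'
    '</saml:Assertion>'
)
# Constructed values for the thread's t1 (authentication), t2 and t4 (issuance).
T1, T2, T4 = "2008-02-07T16:04:30Z", "2008-02-07T16:04:31Z", "2008-02-07T19:48:00Z"
FIRST = TEMPLATE.format(id="_a1", issued=T2, authn=T1)
SECOND = TEMPLATE.format(id="_a2", issued=T4, authn=T1)  # existing session reused


def parse_instant(value):
    """Parse a UTC timestamp in whole-second form only (a simplification)."""
    parsed = datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")
    return parsed.replace(tzinfo=timezone.utc)


def instants(assertion_xml):
    """Return (IssueInstant, AuthnInstant) from an already-verified assertion."""
    root = ET.fromstring(assertion_xml)
    stmt = root.find("saml:AuthnStatement", NS)
    if stmt is None or "AuthnInstant" not in stmt.attrib:
        raise ValueError("assertion carries no AuthnInstant")
    return (parse_instant(root.attrib["IssueInstant"]),
            parse_instant(stmt.attrib["AuthnInstant"]))


def authn_is_fresh(assertion_xml, now, max_age):
    """Judge freshness by when the user authenticated, not when the IdP issued."""
    issued, authn = instants(assertion_xml)
    if authn > issued:
        return False  # authentication cannot postdate issuance
    return now - authn <= max_age
```

An IdP that copies IssueInstant into AuthnInstant would make the second assertion look freshly authenticated to this check, which is why the distinction matters to an SP that enforces an authentication-age policy.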

