RE: [saml-dev] the value of AuthnInstant

["Scott Cantor" <cantor.2@osu.edu>]

> Contrived, yes.  I presume the certificate was presented to the IdP, so
> I would count any time the *IdP* walks through an authentication sequence
> as being an authentication event that would/could impact the
> AuthnInstant.

If authentication doesn't imply the user is involved, then that's no
different than use of a cookie (relative strength aside). And in fact the AC
spec includes a context class for "existing session". What's it for?

> The case that Tom brought up did not walk through a new authentication
> sequence at the IdP, but rather used the existing "session" with the user.
> It's pretty clear that AuthnInstant shouldn't be updated
> in that case and should have the value from the original authentication
event.

A bearer token is a form of authentication, and a cookie is a bearer token.
But if an IdP decides to implement itself without retaining enough state to
remember the original time, it's not compliant?

> Core says that AuthnInstant is the time at which the *authentication*
> took place, not the time when the assertion was issued.  So, I would say
that
> this does violate the spirit of the setting.

Not unless we define authentication differently than the glossary does (I
just read it to verify that).

> I think it is pretty clear as it is, so I don't think it needs a change,
> but I disagree with this reasoning.   Knowing when something is illegal
> and being able to point to specific statements in the spec make it much
> easier for the SP, when they are doing their homework, to get the right
> expected behavior.

That hasn't been my experience , but either way I think the spec is not at
all clear, which is why I don't think it requires this behavior. I think
it's intentionally vague precisely because of this issue, dating back to
SAML 1.

(In fact, I brought it up on any number of occasions back then and was told
that it was up to the implementer.)

-- Scott