Subject: SAML Rev Idea: General Session Index
At the risk of opening a can of worms, I wanted to toss out an idea for inclusion in the SAML rev. Currently, an attribute query, as defined, is stateless (i.e., it's not correlated with any session on the IdP). This is in contrast to the logout request, which carries within it a session identifier (i.e., <SessionIndex>).

In the Shibboleth IdP we ran into the general case where a user establishes multiple sessions (e.g., by logging in from multiple browsers) with the same user name identifier. Then, when an SP performs an attribute query, the IdP has no way to choose which session is the "right" one. The specific issue we had was that an IdP was pushing environmental information (user-agent IP address in this case) into the session, and the two sessions were opened on different networks (the user had a laptop logged in once at work and then walked home [it was in Europe, they walk there] and logged in again).

So, my question is, do we want to add an optional SessionIndex to the <AttributeQuery> or, more generally, to the SubjectQueryAbstractType or RequestAbstractType, in order to allow for, but not mandate, session correlation? I believe doing this allows:

- us to deal with the case I mentioned above
- the IdP to implement additional security checks (e.g., an IdP could check that an artifact issued under session A was being resolved under that session)
- front-channel NameID management messages (something that also just came up with Shib) to be correlated to a session

--
Chad La Joie
www.itumi.biz
trusted identities, delivered
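As an added illustration (not code from the post, the Shibboleth project, or the SAML specification), the following Python sketch models the IdP-side correlation the proposal would enable: with two sessions for the same NameID, a query without a session identifier is ambiguous, while one carrying the proposed index can be matched to exactly one session and checked against the requesting SP. The optional <samlp:SessionIndex> child on <samlp:AttributeQuery>, the session-store fields and all sample values are assumptions.

```python
"""IdP-side session correlation for an attribute query (illustrative).

Assumes a hypothetical optional <samlp:SessionIndex> child of
<samlp:AttributeQuery>, i.e. the extension proposed in the post; it is
not part of SAML 2.0 as specified."""
from dataclasses import dataclass
from typing import Optional
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"


@dataclass
class IdPSession:
    index: str
    name_id: str
    client_addr: str   # environmental data bound to the session at login
    sp_entity_id: str  # SP the session was established with


# Constructed sample: the same user logged in twice from two networks.
SESSIONS = [
    IdPSession("sess-A", "jdoe", "192.0.2.10", "https://sp.example.org"),
    IdPSession("sess-B", "jdoe", "198.51.100.7", "https://sp.example.org"),
]

# Constructed sample query carrying the proposed optional SessionIndex.
QUERY_XML = f"""<samlp:AttributeQuery xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}"
    ID="q1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://sp.example.org</saml:Issuer>
  <saml:Subject><saml:NameID>jdoe</saml:NameID></saml:Subject>
  <samlp:SessionIndex>sess-B</samlp:SessionIndex>
</samlp:AttributeQuery>"""


def parse_query(xml_text: str) -> tuple[str, str, Optional[str]]:
    """Return (issuer, NameID, SessionIndex or None) from the query."""
    root = ET.fromstring(xml_text)
    issuer = root.findtext(f"{{{SAML}}}Issuer")
    name_id = root.findtext(f"{{{SAML}}}Subject/{{{SAML}}}NameID")
    session_index = root.findtext(f"{{{SAMLP}}}SessionIndex")  # optional
    return issuer, name_id, session_index


def resolve_session(sessions, issuer, name_id, session_index):
    """Pick the session a query refers to, or None if it cannot be decided.
    With an index: that session only, and only if it belongs to the named
    subject and was established with the requesting SP (the extra check the
    post mentions). Without one: unambiguous only if a single session exists."""
    mine = [s for s in sessions if s.name_id == name_id]
    if session_index is None:
        return mine[0] if len(mine) == 1 else None  # ambiguous when > 1
    for s in mine:
        if s.index == session_index and s.sp_entity_id == issuer:
            return s
    return None
```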