[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: Re: [saml-dev] NotOnOrAfter in SubjectConfirmationData and Conditions and SessionNotOnOrAfter
Thank you Scott,
Things are getting a bit more clear to me. I would just like to confirm that in the context of the WebSSO profile I've understood it correctly.
* The SubjectConfirmationData/@NotOnOrAfter attribute is the time window during which the assertion can be tied to the subject. If the SP establishes a session, it must be done within this time frame (Web SSO Profile 4.1.4.3), but the session can continue long after that time.
* The Conditions/@NotOnOrAfter attribute is the longest possibility to trust the information in the assertion. During this time it is possible to forward the Assertion to another service to act on behalf of that (such as an SP calling a backend SOAP service).
* The SessionNotOnOrAfter sets an absolute limit to the SP session.
Is that correct?
One thing is still unclear to me though, and it is the relation between Conditions/@NotOnOrAfter and SessionNotOnOrAfter. In core (section 2.4.1.2) it is clearly stated that the time frame in SubjectConfirmationData should fall within the time frame in the Conditions. But I can't find anything related to SessionNotOnOrAfter. Could SessionNotOnOrAfter be a later point in time than Conditions/@NotOnOrAfter, as long as the SP doesn't trust the attributes after the Conditions/@NotOnOrAfter has passed? That could be the case if the establishment of an SP session solely depends on the Subject NameId.
Best Regards,
Anders
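The three time limits discussed in this thread, as a worked check an SP would run on a received bearer assertion. This is an added illustration, not code from the saml-dev post or from any SAML implementation. It assumes a constructed sample assertion (below), a hypothetical 60-second clock-skew allowance and a hypothetical 8-hour local session policy; signature, Issuer, Recipient, InResponseTo and Audience checks are assumed to happen elsewhere. The containment of the SubjectConfirmationData window within the Conditions window is reported as a warning rather than a hard failure, and the SP session lifetime is capped by SessionNotOnOrAfter but not by Conditions/@NotOnOrAfter; both are this example's own choices, mirroring the reading in the post.

```python
"""Added example: evaluate the SAML 2.0 time limits on a bearer assertion.
Not from the saml-dev thread; skew and max_session values are assumptions."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import List, Optional
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}


@dataclass
class TimeCheck:
    ok: bool
    errors: List[str] = field(default_factory=list)
    warnings: List[str] = field(default_factory=list)
    assertion_trusted_until: Optional[datetime] = None  # Conditions/@NotOnOrAfter
    session_expires: Optional[datetime] = None          # SP session limit


def parse_saml_time(value: str) -> datetime:
    """SAML xs:dateTime values are UTC with a trailing 'Z'."""
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    dt = datetime.fromisoformat(value)
    if dt.tzinfo is None:
        raise ValueError("SAML timestamps must carry a time zone")
    return dt.astimezone(timezone.utc)


def evaluate_time_limits(assertion_xml: str, now: datetime,
                         skew: timedelta = timedelta(seconds=60),      # assumed
                         max_session: timedelta = timedelta(hours=8)):  # assumed SP policy
    root = ET.fromstring(assertion_xml)
    errors, warnings = [], []

    def attr_time(elem, name):
        if elem is None or name not in elem.attrib:
            return None
        return parse_saml_time(elem.attrib[name])

    scd = root.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    cond = root.find("saml:Conditions", NS)
    authn = root.find("saml:AuthnStatement", NS)

    # 1. SubjectConfirmationData/@NotOnOrAfter: the window in which the bearer
    #    assertion may be tied to the subject, i.e. used to create an SP session.
    scd_noa = attr_time(scd, "NotOnOrAfter")
    if scd_noa is None:
        errors.append("bearer SubjectConfirmationData lacks NotOnOrAfter")
    elif now >= scd_noa + skew:
        errors.append("SubjectConfirmationData/@NotOnOrAfter has passed; "
                      "assertion can no longer be used to establish a session")

    # 2. Conditions: the overall period during which the assertion's content is trusted
    #    (e.g. before forwarding it to a backend service).
    not_before = attr_time(cond, "NotBefore")
    cond_noa = attr_time(cond, "NotOnOrAfter")
    if not_before is not None and now < not_before - skew:
        errors.append("Conditions/@NotBefore is in the future")
    if cond_noa is not None and now >= cond_noa + skew:
        errors.append("Conditions/@NotOnOrAfter has passed")

    # 3. Core 2.4.1.2: the confirmation window should fall within the Conditions window.
    if scd_noa is not None and cond_noa is not None and scd_noa > cond_noa:
        warnings.append("SubjectConfirmationData window extends past Conditions/@NotOnOrAfter")

    # 4. SP session lifetime: local policy, capped by SessionNotOnOrAfter when present.
    #    Deliberately not capped by Conditions/@NotOnOrAfter (this example's choice).
    session_expires = None
    if not errors:
        session_expires = now + max_session
        session_noa = attr_time(authn, "SessionNotOnOrAfter")
        if session_noa is not None and session_noa < session_expires:
            session_expires = session_noa

    return TimeCheck(ok=not errors, errors=errors, warnings=warnings,
                     assertion_trusted_until=cond_noa, session_expires=session_expires)


# Constructed sample assertion (unsigned, values invented for illustration).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example" Version="2.0" IssueInstant="2024-05-01T12:00:00Z">
  <saml:Issuer>https://idp.example.org/idp</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">anders</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData NotOnOrAfter="2024-05-01T12:05:00Z"
          Recipient="https://sp.example.org/acs"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2024-05-01T11:59:00Z" NotOnOrAfter="2024-05-01T12:10:00Z">
    <saml:AudienceRestriction><saml:Audience>https://sp.example.org</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AuthnStatement AuthnInstant="2024-05-01T12:00:00Z" SessionIndex="_s1"
      SessionNotOnOrAfter="2024-05-01T20:00:00Z"/>
</saml:Assertion>"""

if __name__ == "__main__":
    for t in ("2024-05-01T12:01:00Z", "2024-05-01T12:07:00Z", "2024-05-01T12:11:00Z"):
        print(t, evaluate_time_limits(SAMPLE_ASSERTION, parse_saml_time(t)))
```

Running the block at 12:01 accepts the assertion and yields a session ending at 20:00 (the SessionNotOnOrAfter cap, which is earlier than the 8-hour local limit); at 12:07 the confirmation window has closed so no session may be created even though the Conditions still hold; at 12:11 both have passed.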