[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]
Subject: Use Case and Requirements Working Group Issue: User Sessions
This is the third in a series of issues referred to the TC by the Use Case
and Requirements Working Group. By now you should have all received the
messages concerning "Pass-thru Authentication" from Hal Lockhart and "AuthZ
Decisions" by Darren Platt. To quote Darren, "The purpose of these writeups
is to level-set everyone on the current state of the debate so that we don't
have to recap during the concall, but rather move forward. A goal for the
writeup is to structure the issues such that some decisions can be made that
we can build upon."
----------------------------------------------------------------------
The following is a synopsis of the current state of the debate on the issue
of "User Sessions".
The glossary
(http://www.oasis-open.org/committees/security/docs/draft-sstc-glossary-00.h
tml) defines User Sessions as "A 'container' for the authentication and
attribute assertions that apply to a given system entity through the
principals incarnated by that entity. The purpose is to maintain the
relationship of the assertions to the initiating entity."
The February voting on Issue Group 3 (Sessions) saw approval for the
inclusion of the concepts of "user sessions" and "local logouts" but no
approval for the inclusion of the concepts of "session timeouts" or "session
logouts". The March F2F re-confirmed a general consensus on the need for
"User Sessions" (including the successful motion to place "User Sessions"
into its own use case) but little in the way of specific requirements. The
overall question is; what is the nature and purpose of SAML User Sessions ?
One of the motivating ideas behind the original notion of User Sessions is
to provide a user that is working with multiple, cross-domain, distributed
applications the experience of a single, coherent system. Once authenticated
with an authentication authority the user should be able to launch an
arbitrary number of applications without the need to re-authenticate (with
the understanding that each of these applications has been configured to
trust the assertions of the authentication authority). It should be possible
to configure each of these applications such that none of these applications
will "time out" (i.e. terminate the users application-level session due to a
pre-defined period of inactivity) as long as the user is "currently active"
in any one of the other applications. Furthermore it should be possible for
the user to easily logout from the entire distributed system by directing
the "Session Authority" to terminate each of the application-level sessions.
These notions of "distributed time out" and "distributed log out" are
referenced in the Phillip Hallam-Baker's Strawman Architecture document
(http://www.oasis-open.org/committees/security/docs/draft-sstc-core-vmodel-0
1.pdf), the AuthXML specification
(http://www.oasis-open.org/committees/security/docs/draft-authxml-v2.pdf),
and the ITML Session Management specification
(http://www.oasis-open.org/committees/security/docs/draft-orchard-itml-sessi
on-00.pdf).
----------------------------------------------------------------------
The following is a list of assertions and questions; assertions are things
we feel pretty sure about and questions are areas in which we need input.
Question 1: Does the SSTC view the proposed functionality ("ability to
provide a coherent view of multiple, cross-domain, distributed
applications") as within the scope of the SAML specification ?
Some possible answers are:
a.) Yes, this functionality is within the scope of SAML.
b.) No, this functionality is not within the scope of SAML.
Question 2: Most existing applications have some notion of a "session" that
contains the state shared between the user and the application. Applications
that employ authentication and authorization usually bind the authentication
and attribute assertions of the initiating user to this session. In the case
where SAML is used by applications that maintain sessions, what is the
relationship between SAML User Sessions and these application-level
sessions?
Some possible answers are:
a.) SAML User Sessions should be able to act as higher-level,
"uber-sessions" over the individual application-level sessions.
b.) Application-level sessions can be (re)implemented using SAML User
Sessions.
c.) SAML User Sessions are orthogonal to application-level sessions.
Answer (a) is consistent with the original notion of User Sessions as
introduced by the AuthXML and ITML Session Management specifications
Answer (b) seems somewhat impractical. In the same way that SAML avoids
defining new authentication mechanisms or crypto protocols, it shouldn't
define new mechanisms for re-implementing existing session management
solutions.
Answer (c) begs the question "what is the nature and purpose of SAML User
Sessions"?
If you selected answers 1a and 2a then this leads to . .
Assertion 1: The concept of User Sessions requires the existence of a
"Session Authority" who's job it is to create and maintain the relationship
of the authentication and attribute assertions to their initiating entity.
Examples of the software entities that might serve this function are:
Web Server/Application Server hosted on Web Services integration server
Enterprise Intranet sign-on web/app server
Enterprise Integration Portal web/app server
Question 3: If you accept answer (a) to question 2 the next issue is "to
what extent should it be possible to control the behavior of an
application-level session based on the state of the SAML User Session?"
This breaks down into three sub-questions:
Question 3.1: Should application-level sessions be able to defer their
normal timeout behavior based on the fact that the SAML User Session is
still active (i.e. one or more of the other application-level sessions that
make up the SAML User Sessions is still active)?
What we are really talking about here is SAMLs ability to support a certain
type of application behavior. One could argue that it is irrelevant whether
User Sessions support deferred timeouts since, as long as the applications
in question support single sign-on, it is easy enough to transparently
re-authenticate the user with an application that has timed out. The
question is whether the application will be able to preserve the state of
the users interaction across the timeout and re-authentication operations?
Most applications do not provide this capability. Therefore, in order to
support the desired functionality ("ability to provide a coherent view of
multiple, cross-domain, distributed applications"), it is necessary to defer
the applications timeout behavior to ensure that the users state will not be
lost.
Question 3.2: Should SAML User Sessions be capable of terminating their
component application-level sessions based on a "logout request" from the
session initiator ?
Support for this position seems to be implied by section 5.4 Phillip
Hallam-Baker's Strawman Architecture document, the AuthXML and ITML Session
Management specifications.
Question 3.3: Should SAML User sessions support a "time-in" type of status
request that allows an application-level session to tell the Session
Authority that the user is still interacting within the context of that
application-level session?
This is proposed by Prateek Mishra and appears to be the type of message
intended in section 3.2.8 of the AuthXML specification.
--
<<Gilbert Pilz.vcf>>
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]
Powered by eList eXpress LLC