Subject: Time-out issue for first contact scenarios
In Passport and Shibboleth-like scenarios where a user accesses a protected RP-resource, and usually has to authenticate to his/her AA using an arbitrary amount of time (interrupted by a phone call, finding out the new password, etc.), a time-out may occur at the RP's side. And when the AA's auth* is sent away through the user's browser, it may get rejected.

As SAML seems to often require "stateful" servers (=usually meaning short time-outs), this could be a real PITA for users. I wonder how SAML is handling this.

In Purple, the AA can (with high precision) see that the RP's request has expired, and [transparently for the user], in the background between the AA and RP, "restart" the auth* process. Or actually revert to a slightly modified AA=>RP contact model.

As this is a "pre-session" situation, SAML's proposed Session-handling stuff would IMO not apply.

Any thoughts on this?

Regards
Anders Rundgren
X-OBI