security-services message



Subject: RE: one time use saml artifact (BETTER FORMATTING! FEWER TYPOS!)



> >>[Hal]
> >>For example, what happens when the browser goes to a second
> >>site? Presumably they are redirected to the AP, but how does
> >>the AP know they are the "same" subject and not force them to
> >>re-authenticate?
>
> [Prateek]
> The assumption is that the AP has some form of security engine
> in place that can track its own authenticated users. Typically,
> this takes place through a session which is represented in some
> form in an encrypted cookie and some additional state
> information at the AP. Certainly, this is a strong assumption
> but one which does seem to be met by a large class of security
> systems.
>
> When the user returns to the AP, the AP examines the security
> context of the user and determines if the user session is still
> valid.

Right.  See my comments along this line in:

http://middleware.internet2.edu/shibboleth/docs/draft-morgan-shibboleth-websso-00.txt

and

http://middleware.internet2.edu/shibboleth/docs/draft-morgan-shibboleth-session-00.txt

Essentially this punts SSO to be an issue between the end-entity and the
authentication service, just as initial sign-on is.  This is certainly the
Shibboleth design assumption.

 - RL "Bob"
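The following is an added illustration of the AP-side session tracking Prateek describes and the two-site scenario Hal asks about; it is not code from this thread, from the SAML specification or from Shibboleth. It models the AP's "security engine" as a browser cookie plus server-side session state: the first site's redirect finds no valid session and forces sign-on, the second site's redirect finds the existing session and does not. One deliberate deviation from the post: the cookie here carries only a random opaque session handle protected by an HMAC rather than an encrypted blob, which is sufficient because no sensitive state lives in the cookie itself. All names, the session lifetime and the injectable clock are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

# Hypothetical per-AP secret and session lifetime (assumptions for the example).
COOKIE_KEY = secrets.token_bytes(32)
SESSION_LIFETIME = 8 * 3600  # seconds


@dataclass
class Session:
    """Server-side state the AP keeps for one authenticated user."""
    subject: str
    authn_instant: float
    expires_at: float
    revoked: bool = False


class AuthenticationProvider:
    """Hypothetical AP that tracks its own authenticated users across sites."""

    def __init__(self, key: bytes = COOKIE_KEY, lifetime: int = SESSION_LIFETIME,
                 clock: Callable[[], float] = time.time) -> None:
        self._key = key
        self._lifetime = lifetime
        self._clock = clock  # injectable so expiry can be exercised offline
        self._sessions: Dict[str, Session] = {}  # the "additional state" at the AP

    # -- cookie handling: opaque handle + HMAC (not encryption, see lead-in) --
    def _seal(self, session_id: str) -> str:
        mac = hmac.new(self._key, session_id.encode(), hashlib.sha256).hexdigest()
        return f"{session_id}.{mac}"

    def _unseal(self, cookie: Optional[str]) -> Optional[str]:
        if not cookie or "." not in cookie:
            return None
        session_id, mac = cookie.rsplit(".", 1)
        expected = hmac.new(self._key, session_id.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(mac, expected):
            return None  # forged or tampered cookie: treat as no session
        return session_id

    # -- the AP's security engine --
    def authenticate(self, subject: str) -> str:
        """Initial sign-on (credential check assumed done); record a session, issue the cookie."""
        session_id = secrets.token_urlsafe(32)
        now = self._clock()
        self._sessions[session_id] = Session(subject, now, now + self._lifetime)
        return self._seal(session_id)

    def examine_security_context(self, cookie: Optional[str]) -> Optional[Session]:
        """Return the live Session behind this cookie, or None if the user must re-authenticate."""
        session_id = self._unseal(cookie)
        if session_id is None:
            return None
        session = self._sessions.get(session_id)
        if session is None:  # unknown handle: AP lost state or user logged out
            return None
        if session.revoked or self._clock() >= session.expires_at:
            self._sessions.pop(session_id, None)  # expired or revoked: drop it
            return None
        return session

    def logout(self, cookie: Optional[str]) -> None:
        session_id = self._unseal(cookie)
        if session_id in self._sessions:
            self._sessions[session_id].revoked = True

    def handle_sso_request(self, cookie: Optional[str], subject_if_prompted: str
                           ) -> Tuple[str, str, bool]:
        """A site has redirected the browser to the AP. Returns (subject, cookie, re-authenticated)."""
        session = self.examine_security_context(cookie)
        if session is not None:
            return session.subject, cookie, False  # same subject, no new sign-on
        new_cookie = self.authenticate(subject_if_prompted)
        return subject_if_prompted, new_cookie, True


def demo_two_sites(lifetime: int = SESSION_LIFETIME) -> Dict[str, bool]:
    """Constructed walk-through of Hal's scenario: first site, second site, forged cookie, expiry."""
    clock = [1_000_000.0]  # constructed fake clock
    ap = AuthenticationProvider(lifetime=lifetime, clock=lambda: clock[0])
    _, cookie, first = ap.handle_sso_request(None, "alice")        # site 1: no session yet
    _, same_cookie, second = ap.handle_sso_request(cookie, "alice")  # site 2: session found
    forged = cookie[:-1] + ("0" if cookie[-1] != "0" else "1")    # flip one MAC character
    _, _, forged_reauth = ap.handle_sso_request(forged, "alice")
    clock[0] += lifetime + 1                                       # session lifetime elapsed
    _, _, expired = ap.handle_sso_request(cookie, "alice")
    return {
        "first_visit_reauth": first,
        "second_site_reauth": second,
        "second_site_same_cookie": same_cookie == cookie,
        "forged_cookie_reauth": forged_reauth,
        "expired_reauth": expired,
    }
```

The design point this shows is the one Bob makes above: the sites never see the session; whether a returning browser is the "same" subject is decided entirely between the browser and the AP's own session state, so SSO is an AP-local concern just as initial sign-on is.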



