FW: Issue Group 3 changes

[Darren Platt <dplatt@securant.com>]

> -----Original Message-----
> From: Pilz, Gilbert [mailto:gpilz@jamcracker.com]
> Sent: Tuesday, April 03, 2001 5:35 PM
> To: Darren Platt
> Subject: Issue Group 3 changes
> 
> 
> Darren,
> 
> Attached are my changes to Issue Group 3. I wasn't sure if you 
> wanted me to
> circulate this to the entire Use-Case list or what.
> 
> 
> 
ISSUE:[UC-3-03:Logout] Should SAML support transfer of information
about application-level logouts (e.g., a principal intentionally
ending a session) from the application to the Session Authority ?

Candidate Requirement:

	  [CR-3-3-Logout] SAML shall support a message format to
          indicate the end of an application-level session due to
          logout by the principal.

Note that this requirement is implied by Scenario 1-3 (the second
scenario 1-3 in straw man 3 - oops). This issue seeks to clarify the
document by making the requirement explicit.

Possible Resolutions:

   1. Add this requirement to SAML.
   2. Do not add this requirement to SAML.



ISSUE:[UC-3-05:SessionTimeout] For managing a SAML User Sessions, it
may be useful to have a way to indicate that the SAML-level session is
no longer valid. The logout requirement would invalidate a session
based on user input. This requirement, for timeout, would invalidate
the SAML-level session based on other factors, such as when the user
has not used any of the SAML-level sessions constituent application-
level sessions for more than a set amount of time.

Candidate requirement:

	  [CR-3-5-Timeout] SAML shall support a message format for
	  timeout of a SAML-level session. Here, "timeout" is defined
          as the ending of a SAML-level session by a security system
          not based on user input. For example, if the user has not used
          any of the application-level sub-sessions for a set amount of
          time, the session may be considered "timed out."

Note that this requirement is implied by Scenario 1-3, figure 6,
specifically the last message labeled 'optionally delete/revoke session'.
This issue seeks to clarify the document by making the requirement
explicit.

Possible Resolutions:

   1. Add this requirement to SAML.
   2. Do not add this requirement and/or use cases.



ISSUE:[UC-3-06:DestinationLogout] Should logging out of an individual
application-level session be supported? Advantage: allows application
Web sites control over their local domain consistent with the model
most widely implemented on the web. Disadvantage: potentially more
interactions between the application and the Session Authority.

In this scenario a Session Authority is managing a SAML-level session
that includes an application-level session maintained by the destination
Web site. The user invokes a logout event on the destination Web site,
which invalidates the application-level session. The destination
Web site passes this information back to the Session Authority.

[DestinationLogout.png]

Figure X: Destination Logout

Steps:

1. User initiates a logout event on the destination Web site.

2. Destination Web site invalidates the application-level session and
   notifies the Session Authority.

Candidate Requirement:

	  [CR-3-6-DestinationLogout] The SAML model for session
	  management shall support logout initiated by the user at 
	  a destination site, that is, a site other than the one where
	  the session was initiated.

Possible Resolutions:

   1. Add this scenario and requirement to SAML.
   2. Do not add this scenario or requirement.



ISSUE:[UC-3-8:DestinationTimeout] Having the Session Authority
determine the timeout of a session is covered under [UC-3-5].
This issue covers the manner and extent to which systems
participating in that session can initiate and control the timeout
of their own sessions.

In this scenario a Session Authority is managing a SAML-level session
that includes an application-level session maintained by the destination
Web site. The user's application-level session times out on the
destination Web site, and the destination consults with the Session
Authority to determine if the application-level session should be
terminated.

[DestinationTimeout.png]

Figure X: Destination Timeout.

Steps:

1. Based on an internal timer, the destination Web site determines
   that the user's application-level session has expired.

2. The destination Web site requests information on the session from
   the Session Authority to determine if the SAML-level session has
   other, active application-level sessions elsewhere.
   
3. Based on domain-specific policy the destination Web site either:

   a.) leaves the application-level session untouched (thus deferring
       all control to the Session Authority)
   b.) terminates the application-level session (thus rejecting any
       control by the Session Authority) and sends a message to the
       Session Authority informing the Session Authority that this
       application-level session is no longer active
   c.) extends the application-level session by some pre-determined
       "grace period" (compromise between 'a' and 'b')

Candidate requirement:

	  [CR-3-8-DestinationTimeout] SAML shall support destination
	  system timeout.

Possible Resolutions:

   1. Add this scenario and requirement to SAML.
   2. Do not add this scenario or requirement.