Subject: RE: [imi] SAML 2.0 profile and NotBefore
Mike Jones wrote on 2009-12-14:

> In working on the 1.1 profile, this question came up about the 2.0 profile.
> It currently says "The <saml:SubjectConfirmationData> element, if present,
> MUST NOT contain a NotBefore or Recipient XML attribute." Why is the use of
> NotBefore prohibited?

Just for consistency with the other known bearer assertion profile (SAML SSO).

> I'll note that its use is required in the self-issued token profile.
> I'm thinking that, for that reason, I should at least allow its use in
> 1.1 tokens.

1.1 doesn't have this field; it only has the Conditions attribute (which 2.0 also has). They're different in meaning. The Conditions attribute covers assertion validity overall, and the confirmation data attribute is about limiting the ability to confirm as a bearer. With 1.1, bearer assertions tend to be short lived (in the Conditions sense), which limits the ability to repurpose them downstream (e.g., web services). 2.0 assertion lifetime doesn't have to be (and should generally not be) tied to the confirmation window.

-- Scott
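Added example, not code from the thread or from the IMI profile: a small relying-party check that keeps the two windows Scott distinguishes separate. The Conditions attributes bound overall assertion validity, SubjectConfirmationData/NotOnOrAfter bounds how long the assertion may be confirmed as a bearer, and NotBefore or Recipient on SubjectConfirmationData are rejected per the 2.0 profile text quoted above. The sample assertion and timestamps are constructed.

```python
"""Check the two time windows of a SAML 2.0 bearer assertion separately."""
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"

# Constructed sample: the assertion is valid for one hour (Conditions), but the
# bearer confirmation window (SubjectConfirmationData) closes after five minutes.
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Conditions NotBefore="2009-12-14T10:00:00Z" NotOnOrAfter="2009-12-14T11:00:00Z"/>
  <saml:Subject>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData NotOnOrAfter="2009-12-14T10:05:00Z"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
</saml:Assertion>"""


def _ts(value):
    """Parse a SAML UTC timestamp ("...Z") into an aware datetime."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_bearer_windows(xml_text, now_utc):
    """Return a list of problems found at time `now_utc`; an empty list means acceptable."""
    now = _ts(now_utc)
    problems = []
    root = ET.fromstring(xml_text)
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        problems.append("missing Conditions")
    else:
        nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if nb and now < _ts(nb):
            problems.append("assertion not yet valid (Conditions/NotBefore)")
        if noa and now >= _ts(noa):
            problems.append("assertion expired (Conditions/NotOnOrAfter)")
    for sc in root.findall("saml:Subject/saml:SubjectConfirmation", NS):
        if sc.get("Method") != BEARER:
            continue  # only bearer confirmations fall under this profile rule
        scd = sc.find("saml:SubjectConfirmationData", NS)
        if scd is None:
            continue
        # Profile text quoted in the thread: these attributes must not appear.
        for forbidden in ("NotBefore", "Recipient"):
            if scd.get(forbidden) is not None:
                problems.append(f"SubjectConfirmationData carries {forbidden}")
        scd_noa = scd.get("NotOnOrAfter")
        if scd_noa and now >= _ts(scd_noa):
            problems.append("bearer confirmation window closed")
    return problems
```

At 10:30 the sample assertion is still within its Conditions window but can no longer be confirmed as a bearer, which is exactly the decoupling the reply describes.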