OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

saml-dev message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: RE: [saml-dev] safe value for AuthenticationInstant?

Our product sets to the AuthenticationInstant to the actual time that
the user authenticated at the IdP using the method reflected in the
assertion sent back to the SP.

This time would be very important to many SP applications that have
strict policies on the freshness of the user's authentication.  If the
IdP forces the user to authenticate on every visit to the IdP, then
using the current time, I suppose is accurate.  But that's not how most
IdP's should work.  If the user had previously authenticated at the IdP
due to an earlier interaction with some other SP, then sending an
assertion to another SP based on that earlier authentication but using
the current time for authn instant is IMO a BAD practice.

For example, an SP may want to use the authn instant to determine
freshness and if outside the bounds of its policy it might send the user
back to the IdP with the ForceAuthn flag set.

Rob Philpott
Senior Consulting Engineer
RSA Security Inc.
Tel: 781-515-7115
Mobile: 617-510-0893
Fax: 781-515-7020
Email: rphilpott@rsasecurity.com
I-name:  =Rob.Philpott

> -----Original Message-----
> From: william [mailto:oasis.saml@javafreelancer.net]
> Sent: Monday, December 12, 2005 12:17 PM
> To: saml-dev@lists.oasis-open.org
> Subject: [saml-dev] safe value for AuthenticationInstant?
> i've been perusing the code of an open source implementation of
> saml 1.1's web sso profile to try and get a grasp on how saml's
> being implemented by other developers out there. here is a comment
> that appears in the code at the point where
> <AuthenticationStatement ... AuthenticationInstant="..." />  is
> set:
>      "// No one seems to actually care about authn instant so
>       // we'll just set it to [new java.util.Date()...]
>       // until there are some other requirements..."
> that struck me as a curious comment! i would think that the time a
> subject was authenticated is hugely important in most cases (to
> guard against replay, for example). how have developers in this
> forum used AuthenticationInstant in their projects?

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]