Subject: Skipping authnreq
In a very distributed client, the nameidentifier is shipped around between entities. At some point one entity has to make an authorization decision and needs to: 1) know whether the nameidentifier is valid (authentication is successful), 2) retrieve some attributes. In this scenario, the nameidentifier is a transient session token.

My question is: is it OK to skip the authentication request, and use the attribute request for both validating the handle and retrieving attributes? I assume that if the nameidentifier is attached to an authentication session that is expired, the attribute request would result in an error response.

We are implementing both sides, so we can make it work, but we should not do it this way if it is "illegal" in the SAML spec. I have a feeling that it may be required to retrieve, parse and understand the Condition element.
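The check described in the message above, as an added example that is not part of the original post: a requester that accepts a handle only when the attribute response reports success, carries an assertion whose Conditions window covers the current time, and names the same handle that was presented. It assumes SAML 1.1 element names and namespaces (the post states no version), a signature already verified by the caller, and constructed sample responses; `attributes_if_valid` is a hypothetical name.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Assumption: SAML 1.1 namespaces and element names; the post names no version.
NS = {"samlp": "urn:oasis:names:tc:SAML:1.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:1.0:assertion"}

def _ts(value):
    # SAML instants are UTC xs:dateTime values such as 2024-01-01T12:00:00Z.
    t = datetime.fromisoformat(value.replace("Z", "+00:00"))
    return t if t.tzinfo else t.replace(tzinfo=timezone.utc)

def attributes_if_valid(response_xml, handle, now):
    """Return {name: [values]} if the response vouches for `handle`, else None.
    Assumes the caller has already verified the response signature."""
    root = ET.fromstring(response_xml)
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    # Compare the local part of the status QName (e.g. "samlp:Success").
    if code is None or code.get("Value", "").split(":")[-1] != "Success":
        return None  # error response, e.g. the session behind the handle expired
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return None
    cond = assertion.find("saml:Conditions", NS)
    if cond is None or "NotOnOrAfter" not in cond.attrib:
        return None  # fail closed: no validity window to evaluate
    if "NotBefore" in cond.attrib and now < _ts(cond.get("NotBefore")):
        return None
    if now >= _ts(cond.get("NotOnOrAfter")):
        return None  # stale assertion, even though the status was Success
    stmt = assertion.find("saml:AttributeStatement", NS)
    subject = None if stmt is None else stmt.find("saml:Subject/saml:NameIdentifier", NS)
    if subject is None or (subject.text or "").strip() != handle:
        return None  # the answer is about a different handle than the one presented
    return {a.get("AttributeName"): [v.text for v in a.iterfind("saml:AttributeValue", NS)]
            for a in stmt.iterfind("saml:Attribute", NS)}

# Constructed sample responses (not captured traffic).
_HEAD = ('<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol" '
         'xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"><samlp:Status>')
SAMPLE_OK = _HEAD + ('<samlp:StatusCode Value="samlp:Success"/></samlp:Status><saml:Assertion>'
    '<saml:Conditions NotBefore="2024-01-01T12:00:00Z" NotOnOrAfter="2024-01-01T12:05:00Z"/>'
    '<saml:AttributeStatement><saml:Subject><saml:NameIdentifier>_handle-123'
    '</saml:NameIdentifier></saml:Subject><saml:Attribute AttributeName="role" '
    'AttributeNamespace="urn:example:attrs"><saml:AttributeValue>operator'
    '</saml:AttributeValue></saml:Attribute></saml:AttributeStatement>'
    '</saml:Assertion></samlp:Response>')
SAMPLE_ERR = _HEAD + '<samlp:StatusCode Value="samlp:Requester"/></samlp:Status></samlp:Response>'
```
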