
saml-dev message



Subject: Skipping authnreq


In a very distributed client, the nameidentifier is shipped around
between entities. At some point one entity has to make an
authorization decision and needs to know:
1) whether the nameidentifier is valid (authentication is successful)
2) retrieve some attributes.

In this scenario, the nameidentifier is a transient session token.

My question is: is it OK to skip the authentication request, and use
the attribute request for both validating the handle and retrieving
attributes? I assume that if the nameidentifier is attached to an
authentication session that is expired, the attribute request would
result in an error response.

We are implementing both sides, so we can make it work, but we should  
not do it this way if it is "illegal" in the SAML spec. I have a  
feeling that it may be required to retrieve, parse and understand the  
Condition element.
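
An added example, not part of the original message: one way the entity making the authorization decision could treat an attribute response, rejecting it on a non-success status and evaluating the validity window and audience in the assertion's conditions before using any attribute. It assumes SAML 2.0 message syntax (the message does not state a version); the function names, the audience URI and the sample messages are constructed, and signature and issuer verification are not shown.

```python
import xml.etree.ElementTree as ET  # assumption: swap in a hardened parser for untrusted input
from datetime import datetime, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
AUD_TAG = "{%s}AudienceRestriction" % NS["saml"]

def _ts(value):
    # SAML xs:dateTime values are UTC, e.g. 2024-01-01T12:00:00Z
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def check_attribute_response(xml_text, audience, now):
    """Return (ok, reason, attributes). Signature and Issuer checks are NOT done here."""
    root = ET.fromstring(xml_text)
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        return False, "status", {}          # e.g. handle unknown or session expired
    assertion = root.find("saml:Assertion", NS)
    cond = assertion.find("saml:Conditions", NS) if assertion is not None else None
    if cond is None:
        return False, "no-conditions", {}   # local policy (assumption): require a validity window
    nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if nb and now < _ts(nb):
        return False, "not-yet-valid", {}
    if not noa or now >= _ts(noa):
        return False, "expired", {}
    for child in cond:
        if child.tag != AUD_TAG:
            return False, "unsupported-condition", {}  # a condition we cannot evaluate
        if audience not in [a.text for a in child.iterfind("saml:Audience", NS)]:
            return False, "audience", {}
    attrs = {a.get("Name"): [v.text for v in a.iterfind("saml:AttributeValue", NS)]
             for a in assertion.iterfind("saml:AttributeStatement/saml:Attribute", NS)}
    return True, "ok", attrs

# Constructed sample messages (not captured traffic).
def sample(status=SUCCESS, not_on_or_after="2024-01-01T12:05:00Z", extra=""):
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}">
 <samlp:Status><samlp:StatusCode Value="{status}"/></samlp:Status>
 <saml:Assertion><saml:Conditions NotBefore="2024-01-01T12:00:00Z" NotOnOrAfter="{not_on_or_after}">
   <saml:AudienceRestriction><saml:Audience>https://rp.example/</saml:Audience></saml:AudienceRestriction>{extra}
  </saml:Conditions>
  <saml:AttributeStatement><saml:Attribute Name="role">
   <saml:AttributeValue>operator</saml:AttributeValue></saml:Attribute></saml:AttributeStatement>
 </saml:Assertion></samlp:Response>"""

NOW = datetime(2024, 1, 1, 12, 1, tzinfo=timezone.utc)
```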




