OASIS Mailing List Archives

saml-dev message



Subject: RE: RE: [saml-dev] session in AuthnStatement


 

> The second question was about whether there is a possibility 
> to store the session index between the subject and the 
> *service provider* instead of between the subject and the 
> identity provider. But I think I won't need that any more.

Ok.  FYI... in some implementations of a SAML SP, the SP
may store *all* of its local user session information within 
cookies in the browser (an internal, out-of-scope for SAML
implementation detail).  In such cases the information
stored in the cookie would need to retain the session
index.

In such a situation, when the SP received an SLO operation,
it would need to maintain the session index for the lifetime
of the original assertion's session validity period (which
ends at the AuthnStatement's SessionNotOnOrAfter timestamp).
Should the assertion be presented, or the browser with
the cookie outlined above return to the SP, the SP should
terminate the session.

Conor
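
The behaviour described in the message above, sketched as an added example that is not part of the original post or of any SAML product: an SP that keeps its whole session in a signed cookie records each logged-out SessionIndex until SessionNotOnOrAfter and rejects a returning cookie that carries it. The cookie layout, the key, the names `issue_cookie`, `LogoutRegistry` and `check_cookie`, a single IdP, and the SP knowing the SessionNotOnOrAfter value at logout time are all assumptions.

```python
import hashlib
import hmac
import json
from base64 import urlsafe_b64decode, urlsafe_b64encode
from datetime import datetime, timezone

COOKIE_KEY = b"constructed-demo-key"  # constructed value; a real SP loads its key from a secret store


def _ts(value):
    """Parse a SAML xs:dateTime given in UTC, e.g. 2024-05-01T12:00:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def issue_cookie(name_id, session_index, not_on_or_after):
    """Pack the SP session, including the SessionIndex, into a signed cookie (hypothetical layout)."""
    body = urlsafe_b64encode(json.dumps(
        {"sub": name_id, "idx": session_index, "exp": not_on_or_after}).encode())
    tag = hmac.new(COOKIE_KEY, body, hashlib.sha256).hexdigest().encode()
    return (body + b"." + tag).decode()


class LogoutRegistry:
    """SessionIndex values ended by SLO, each kept until its SessionNotOnOrAfter."""

    def __init__(self):
        self._ended = {}  # session_index -> expiry (datetime); assumes one IdP

    def record_logout(self, session_index, not_on_or_after):
        self._ended[session_index] = _ts(not_on_or_after)

    def is_ended(self, session_index, now):
        # Drop entries whose assertion session has expired anyway, then look up.
        self._ended = {i: e for i, e in self._ended.items() if now < e}
        return session_index in self._ended


def check_cookie(cookie, registry, now):
    """Return the session dict if the cookie may still be honoured, else None."""
    body, _, tag = cookie.encode().partition(b".")
    expected = hmac.new(COOKIE_KEY, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(tag, expected):
        return None  # tampered or foreign cookie
    session = json.loads(urlsafe_b64decode(body))
    if now >= _ts(session["exp"]):
        return None  # at or past SessionNotOnOrAfter
    if registry.is_ended(session["idx"], now):
        return None  # SLO was received for this SessionIndex: terminate
    return session
```
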

