Subject: RE: RE: [saml-dev] session in AuthnStatement
> The second question was about whether there is a possibility
> to store the session index between the subject and the
> *service provider* instead of between the subject and the
> identity provider. But I think I won't need that any more.

Ok.

FYI... in some implementations of a SAML SP, the SP may store *all* of its local user session information within cookies in the browser (an internal, out-of-scope for SAML implementation detail). In such cases the information stored in the cookie would need to retain the session index.

In such a situation, when the SP received an SLO operation, it would need to maintain the session index for the lifetime of the original assertion's session validity period (which ends at the AuthnStatement's SessionNotOnOrAfter timestamp). Should the assertion be presented, or the browser with the cookie outlined above return to the SP, the SP should terminate the session.

Conor
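
Added example, not part of the original message or of any SAML product: a sketch of the cookie-only SP described above, which remembers logged-out session indexes until SessionNotOnOrAfter and terminates a returning cookie that carries one. The cookie layout, the HMAC key, and the names `issue_cookie`, `LogoutRegistry` and `check_request` are assumptions made for illustration.

```python
import base64, hashlib, hmac, json

SECRET = b"constructed-demo-key"  # constructed; a real SP loads this from a secret store

def issue_cookie(subject, session_index, not_on_or_after):
    """Serialize the whole local session into a signed cookie value."""
    body = base64.urlsafe_b64encode(json.dumps(
        {"sub": subject, "idx": session_index, "exp": not_on_or_after}).encode())
    mac = hmac.new(SECRET, body, hashlib.sha256).hexdigest().encode()
    return (body + b"." + mac).decode()

def read_cookie(cookie):
    """Return the session dict, or None if the signature does not verify."""
    try:
        body, mac = cookie.encode().rsplit(b".", 1)
    except ValueError:
        return None
    expected = hmac.new(SECRET, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(mac, expected):
        return None
    return json.loads(base64.urlsafe_b64decode(body))

class LogoutRegistry:
    """Session indexes logged out via SLO, kept until SessionNotOnOrAfter."""
    def __init__(self):
        self._revoked = {}  # session_index -> SessionNotOnOrAfter (epoch seconds)

    def record_slo(self, session_index, not_on_or_after):
        # Assumption: the SP knows the deadline (e.g. read from the cookie on
        # front-channel SLO); otherwise use its maximum session lifetime.
        self._revoked[session_index] = not_on_or_after

    def purge(self, now):
        # Past SessionNotOnOrAfter the cookie is rejected on expiry alone.
        self._revoked = {i: t for i, t in self._revoked.items() if t > now}

    def is_revoked(self, session_index):
        return session_index in self._revoked

def check_request(cookie, registry, now):
    """Decide what the SP does with a returning browser's cookie."""
    registry.purge(now)
    session = read_cookie(cookie)
    if session is None:
        return "reject"
    if now >= session["exp"]:
        return "expired"
    if registry.is_revoked(session["idx"]):
        return "terminate"  # SLO was received for this session index
    return "allow"
```

The registry is the only server-side state this SP keeps, and it is bounded because every entry is dropped once its SessionNotOnOrAfter has passed.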