saml-dev message


Subject: Re: [saml-dev] the value of AuthnInstant


Consumption of AuthnInstant is a matter of policy at the SP, yes, but
an IdP that produces an incorrect value is at least non-interoperable
and may be broken depending on your point of view.  An SP that
partially bases its access control decision on AuthnInstant may make
the wrong decision if AuthnInstant is incorrect.

For instance, consider an IdP that routinely sets IssueInstant and
AuthnInstant to the same value (NOW).  Is this implementation broken?
Well, if no SP in the deployment inspects AuthnInstant asserted by
this IdP, then one could claim, I suppose, the answer is no, but just
because no SP happens to consume AuthnInstant, doesn't make it
correct.  At the very least, this IdP is non-interoperable.

Tom

On Feb 11, 2008 12:11 PM, Scott Cantor <cantor.2@osu.edu> wrote:
> > Hmm, does this qualify as errata then?
>
> No, I think it's implementation (or at least deployment) dependent. There's
> never been a rule that said how AuthnInstant was meant to be used.
> Authentication is usually in the eye of the beholder.
>
> At a minimum, it certainly wouldn't apply globally, but on a profile basis.
>
> -- Scott
>
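
Added example, not part of the original message or of any SAML implementation: an SP-side maximum-authentication-age check, run over two constructed assertions for the same session, showing how the check gives the wrong answer when the IdP stamps AuthnInstant with NOW. The function names, the one-hour policy and the sample assertions are assumptions; the assertion is assumed to be signature-verified before this check runs.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

def parse_instant(value):
    """Parse a UTC xs:dateTime such as 2008-02-11T16:30:00Z (fraction optional)."""
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%M:%S.%fZ"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError("unsupported instant: %r" % value)

def check_authn_age(assertion_xml, now, max_age):
    """Return (decision, same_as_issue) for an already signature-verified assertion."""
    root = ET.fromstring(assertion_xml)
    stmt = root.find("saml:AuthnStatement", NS)
    if root.get("IssueInstant") is None or stmt is None \
            or stmt.get("AuthnInstant") is None:
        return "deny", False
    issue = parse_instant(root.get("IssueInstant"))
    authn = parse_instant(stmt.get("AuthnInstant"))
    if authn > issue:  # authentication cannot postdate issuance
        return "deny", False
    decision = "allow" if now - authn <= max_age else "reauthenticate"
    # Equal instants are legitimate for a fresh login; an IdP for which this
    # flag is always True is the case described in the message above.
    return decision, authn == issue

def make_assertion(issue_instant, authn_instant):
    # Constructed sample; Signature, Issuer and Subject omitted for brevity.
    return ('<saml:Assertion xmlns:saml="%s" ID="_constructed" Version="2.0" '
            'IssueInstant="%s"><saml:AuthnStatement AuthnInstant="%s"/>'
            '</saml:Assertion>' % (NS["saml"], issue_instant, authn_instant))

# Constructed scenario: login at 09:00, assertion issued from the SSO session at 16:30.
ACCURATE = make_assertion("2008-02-11T16:30:00Z", "2008-02-11T09:00:00Z")
STAMPED_NOW = make_assertion("2008-02-11T16:30:00Z", "2008-02-11T16:30:00Z")
NOW = datetime(2008, 2, 11, 16, 30, 5, tzinfo=timezone.utc)
MAX_AGE = timedelta(hours=1)  # hypothetical SP policy

if __name__ == "__main__":
    for label, xml in (("accurate", ACCURATE), ("stamped NOW", STAMPED_NOW)):
        print(label, check_authn_age(xml, NOW, MAX_AGE))
```

With the accurate AuthnInstant the SP asks for reauthentication; with the NOW-stamped value the same seven-hour-old session is allowed.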

