Subject: Re: [saml-dev] the value of AuthnInstant
Consumption of AuthnInstant is a matter of policy at the SP, yes, but an IdP that produces an incorrect value is at least non-interoperable and may be broken depending on your point of view. An SP that partially bases its access control decision on AuthnInstant may make the wrong decision if AuthnInstant is incorrect.

For instance, consider an IdP that routinely sets IssueInstant and AuthnInstant to the same value (NOW). Is this implementation broken? Well, if no SP in the deployment inspects AuthnInstant asserted by this IdP, then one could claim, I suppose, the answer is no, but just because no SP happens to consume AuthnInstant doesn't make it correct. At the very least, this IdP is non-interoperable.

Tom

On Feb 11, 2008 12:11 PM, Scott Cantor <cantor.2@osu.edu> wrote:
> > Hmm, does this qualify as errata then?
>
> No, I think it's implementation (or at least deployment) dependent. There's
> never been a rule that said how AuthnInstant was meant to be used.
> Authentication is usually in the eye of the beholder.
>
> At a minimum, it certainly wouldn't apply globally, but on a profile basis.
>
> -- Scott
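
An SP-side authentication-age check of the kind this message refers to, as an added example that is not part of the original post or of any SAML implementation. The function names, the three-minute skew and the sample assertions are assumptions constructed for illustration, and the assertion is assumed to have already passed signature and Conditions validation.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

def make_assertion(issue_instant, authn_instant):
    # Constructed sample assertion; signature, Subject and Conditions omitted.
    return (
        '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
        f'ID="_sample" Version="2.0" IssueInstant="{issue_instant}">'
        f'<saml:AuthnStatement AuthnInstant="{authn_instant}"/>'
        '</saml:Assertion>'
    )

def parse_instant(value):
    # SAML requires UTC xs:dateTime values; fractional seconds are optional.
    fmt = "%Y-%m-%dT%H:%M:%S.%fZ" if "." in value else "%Y-%m-%dT%H:%M:%SZ"
    return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)

def check_authn_age(xml_text, now, max_age, skew=timedelta(minutes=3)):
    """Return (accept, notes) for an SP policy that limits authentication age."""
    root = ET.fromstring(xml_text)
    stmt = root.find("saml:AuthnStatement", NS)
    if stmt is None or "AuthnInstant" not in stmt.attrib:
        return False, ["no AuthnInstant to evaluate"]
    issued = parse_instant(root.attrib["IssueInstant"])
    authn = parse_instant(stmt.attrib["AuthnInstant"])
    notes = []
    if authn > issued + skew:
        notes.append("AuthnInstant is later than IssueInstant")
    if authn > now + skew:
        notes.append("AuthnInstant is in the future")
    if now - authn > max_age + skew:
        notes.append("authentication is older than the SP allows")
    accept = not notes
    if authn == issued:
        # Advisory only: the SP cannot tell a fresh login from an IdP that
        # stamps NOW into both attributes, so the age check proves nothing here.
        notes.append("AuthnInstant equals IssueInstant")
    return accept, notes

if __name__ == "__main__":
    now = datetime(2008, 2, 11, 17, 0, 0, tzinfo=timezone.utc)
    one_hour = timedelta(hours=1)
    # Same user session (login at 09:00), reported by two different IdPs.
    honest = make_assertion("2008-02-11T16:59:50Z", "2008-02-11T09:00:00Z")
    stamps_now = make_assertion("2008-02-11T16:59:50Z", "2008-02-11T16:59:50Z")
    print(check_authn_age(honest, now, one_hour))
    print(check_authn_age(stamps_now, now, one_hour))
```

With the same eight-hour-old login, the IdP that reports the real AuthnInstant is rejected by a one-hour policy, while the IdP that stamps NOW into both attributes is accepted, which is the wrong decision described above.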