OASIS Mailing List Archives

saml-dev message



Subject: RE: [saml-dev] the value of AuthnInstant



> 
> A bearer token is a form of authentication, and a cookie is a 
> bearer token.
> But if an IdP decides to implement itself without retaining 
> enough state to
> remember the original time, it's not compliant?
> 

I would say that if an IdP does not retain enough state to produce an AuthnStatement that is internally consistent (i.e., all the content describes the same authentication event) then, in fact, it's not compliant. Thus, if an IdP does not preserve the time that the user presented his password, it cannot claim Password AC after the first AuthnStatement, and must henceforth use ExistingSession as the AC.

::Ari
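
An added illustration of the consistency rule in the reply above, not code from the thread or from any IdP product: an IdP that kept the password login time emits it with the Password class, and one that did not describes the cookie presentation instead. `IdpSession`, `build_authn_statement` and `summarize` are hypothetical names. Two assumptions: the session-based class is represented by the SAML 2.0 `PreviousSession` URI, and the instant reported in that case is the time the session cookie was accepted.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

NS = "urn:oasis:names:tc:SAML:2.0:assertion"
AC_PASSWORD = "urn:oasis:names:tc:SAML:2.0:ac:classes:Password"
AC_SESSION = "urn:oasis:names:tc:SAML:2.0:ac:classes:PreviousSession"

@dataclass
class IdpSession:  # hypothetical IdP session record
    session_index: str
    password_instant: Optional[datetime]  # None: login time was not retained

def _ts(t: datetime) -> str:
    """Format an aware datetime as a UTC xs:dateTime value."""
    return t.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")

def build_authn_statement(sess: IdpSession, cookie_seen: datetime) -> ET.Element:
    """Return an AuthnStatement whose instant and class describe one event."""
    if sess.password_instant is not None:
        if sess.password_instant > cookie_seen:
            raise ValueError("stored login time is later than this request")
        # State retained: describe the original password authentication.
        instant, ac_class = sess.password_instant, AC_PASSWORD
    else:
        # State lost: the only event the IdP can vouch for is the cookie
        # presentation (assumption: its time is used as AuthnInstant).
        instant, ac_class = cookie_seen, AC_SESSION
    stmt = ET.Element(f"{{{NS}}}AuthnStatement",
                      {"AuthnInstant": _ts(instant),
                       "SessionIndex": sess.session_index})
    ctx = ET.SubElement(stmt, f"{{{NS}}}AuthnContext")
    ET.SubElement(ctx, f"{{{NS}}}AuthnContextClassRef").text = ac_class
    return stmt

def summarize(stmt: ET.Element) -> tuple:
    """Pull out the two fields that must agree with each other."""
    ref = stmt.find(f"{{{NS}}}AuthnContext/{{{NS}}}AuthnContextClassRef")
    return stmt.get("AuthnInstant"), ref.text

if __name__ == "__main__":
    login = datetime(2006, 1, 10, 9, 0, tzinfo=timezone.utc)  # constructed sample
    later = login + timedelta(hours=3)  # a later SSO request on the same session
    for s in (IdpSession("s1", login), IdpSession("s2", None)):
        print(ET.tostring(build_authn_statement(s, later), encoding="unicode"))
```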


