Subject: RE: [saml-dev] the value of AuthnInstant
I just find this errata interesting:

I know you guys haven't been paying attention to what it says in here in the spec, but we really mean business this time. You should do what the spec says in this area not ignore it.

Yes, I'm being a bit of a pain here, but that about sums up what an errata would end up saying. The spec does call out for specific behavior and because some parties have ignored it in the past, we're going to add an errata that says you really need to do what the spec says.

Conor

> -----Original Message-----
> From: Scott Cantor [mailto:cantor.2@osu.edu]
> Sent: Wednesday, February 13, 2008 11:19 AM
> To: ari.kermaier@oracle.com; Cahill, Conor P; 'Tom Scavo'
> Cc: 'SAML Developers'
> Subject: RE: [saml-dev] the value of AuthnInstant
>
> > I would say that if an IdP does not retain enough state to produce an
> > AuthnStatement that is internally consistent (i.e., all the content
> > describes the same authentication event) then, in fact, it's not compliant.
> > Thus, if an IdP does not preserve the time that the user presented his
> > password, it cannot claim Password AC after the first AuthnStatement, and
> > must henceforth use ExistingSession as the AC.
>
> That's fine. I'm simply pointing out (again) that SAML 1.1 had no such Authn
> Method defined in the spec and implementations did behave in the way you
> think is non-compliant. In other words, the meaning of the timestamp was
> deployment-specific.
>
> Since there's rarely been any mention of that ExistingSession AC class, it
> struck me as odd that one could argue SAML 2.0 changed this constraint
> without changing any of the relevant language in the spec to at least note
> that, hey, now we can do this because we have an Authn Method (class) that
> makes the difference clear.
>
> So as Tom says, I think this is an errata.
>
> -- Scott