Subject: RE: [saml-dev] Authentication SAML
Filipa Moura wrote on 2009-09-09:
> I'm using SAML for SSO and use AuthNRequest from my SP. In the response I
> get an assertion signed by the IdP, containing the details about the user's
> authentication. But this assertion has <Conditions> that limit the time it
> is valid for "NotBefore" and "NotOnOrAfter". Suppose this assertion expires
> but the user is still logged in at my SP, however I need a new assertion
> just like the one I got when the user was authenticated at the IdP but for a
> new time, I mean, so that it hasn't yet expired.

The lifetime of the assertion has nothing to do with the session at the SP.
The assertion's validity after the initial login only applies to additional
uses of the assertion for some other purpose.

> And, if the user changes his credentials at the IdP and he never logs off
> from the SP (imagine he never gets timeout, nor anything) how does SAML
> handle this? He will have a valid session for all of his lifetime or should
> he be forced to authenticate himself again at some time? In the end, does
> SAML play any part after a user changes his credentials?

How you manage sessions at the SP is up to you, modulo the use of
SessionNotOnOrAfter from the IdP to provide an upper limit.

-- Scott
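
The SP-side logic described in the reply above, as an added example that is not part of the original message or of any SAML library: the `<Conditions>` window is checked once, when the assertion is consumed at login, and the session expiry is then the SP's own policy capped by `SessionNotOnOrAfter`. The function names, the 8-hour local limit and the sample assertion are assumptions made for illustration, and the assertion's signature is assumed to have been verified already.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion (signature, issuer and subject omitted).
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Conditions NotBefore="2009-09-09T12:00:00Z" NotOnOrAfter="2009-09-09T12:05:00Z"/>
  <saml:AuthnStatement AuthnInstant="2009-09-09T12:00:00Z"
                       SessionNotOnOrAfter="2009-09-09T16:00:00Z"/>
</saml:Assertion>"""

def _ts(value):
    # SAML timestamps are UTC xs:dateTime values ending in "Z".
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def start_session(assertion_xml, now, local_max=timedelta(hours=8)):
    """Check <Conditions> once, at login, and return the SP session expiry."""
    # Assumes the signature on the assertion was verified before this call.
    root = ET.fromstring(assertion_xml)
    cond = root.find("saml:Conditions", NS)
    if cond is not None:
        nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if nb and now < _ts(nb):
            raise ValueError("assertion not yet valid")
        if noa and now >= _ts(noa):
            raise ValueError("assertion expired")
    # Session lifetime is SP policy, capped by the IdP's SessionNotOnOrAfter.
    expiry = now + local_max
    for stmt in root.findall("saml:AuthnStatement", NS):
        cap = stmt.get("SessionNotOnOrAfter")
        if cap:
            expiry = min(expiry, _ts(cap))
    return expiry

def session_active(expiry, now):
    # Later requests consult only the stored expiry, not the assertion.
    return now < expiry
```

With the sample above, a login at 12:01 yields a session that stays active at 12:30, after the assertion's own `NotOnOrAfter` has passed, and ends at 16:00.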