OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

saml-dev message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: RE: [saml-dev] Authentication SAML

Filipa Moura wrote on 2009-09-09:
> I'm using SAML for SSO and use AuthNRequest from my SP. In the response I
> get an assertion signed by the IdP, containing the details about the
> authentication. But this assertion has <Conditions> that limit the time it
> is valid for "NotBefore" and "NotOnOrAfter". Suppose this assertion
> but the user is still logged in at my SP, however I need a new assertion
> just like the one I got when the user was authenticated at the IdP but for
> new time, I mean, so that it hasn't yet expired.

The lifetime of the assertion has nothing to do with the session at the SP.
The assertion's validity after the initial login only applies to additional
uses of the assertion for some other purpose.

> And, if the user changes his credentials at the IdP and he never logs off
> from the SP (imagine he never gets timeout, nor anything) how does SAML
> handle this? He will have a valid session for all of his lifetime or
> he be forced to authenticate himself again at some time? In the end, does
> SAML play any part after a user changes his credentials ?

How you manage sessions at the SP is up to you, modulo the use of
SessionNotOnOrAfter from the IdP to provide an upper limit.

-- Scott

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]