saml-dev message

Subject: SAML Rev Idea: General Session Index


At the risk of opening a can of worms, I wanted to toss out an idea
for inclusion in the SAML rev.

Currently, an attribute query, as defined, is stateless (i.e., it's
not correlated with any session on the IdP).  This is in contrast to
the logout request which carries within it a session identifier (i.e.
<SessionIndex>).

In the Shibboleth IdP we ran into the general case where a user
establishes multiple sessions (e.g., by logging in from multiple
browsers), with the same user name identifier.  Then when an SP
performs an attribute query the IdP has no way to choose which session
is the "right" one.  The specific issue we had was that an IdP was
pushing environmental information (user-agent IP address in this case)
into the session and the two sessions were opened on different
networks (user had a laptop logged in once at work and then walked
home [it was in Europe, they walk there] and logged in again).

So, my question is, do we want to add an optional SessionIndex to the
<AttributeQuery> or, more generally, to the SubjectQueryAbstractType or
RequestAbstractType, in order to allow for, but not mandate, session
correlation?

I believe doing this allows:
 - us to deal with the case I mentioned above
 - the IdP to implement additional security checks (e.g., an IdP could
check that an artifact issued under session A was being resolved under
that session)
 - front-channel NameID management messages (something that also just
came up with Shib) to be correlated to a session

-- 
Chad La Joie
www.itumi.biz
trusted identities, delivered
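The ambiguity the post describes, shown as an added example that is not from the post, the SAML specification or the Shibboleth code base: an IdP holding two live sessions for the same NameID (one per network, each carrying the client IP that was pushed into it) receives an AttributeQuery. The namespaces, `AttributeQuery`, `Subject` and `NameID` are real SAML 2.0; the `<samlp:SessionIndex>` child of `AttributeQuery` is the post's proposal and is assumed here, not part of the published schema. The session store, NameID, session index values and IP addresses are constructed.

```python
"""Resolving a SAML AttributeQuery when one principal has several live IdP sessions.

Assumption (not in SAML 2.0 as published): an optional <samlp:SessionIndex>
child of <samlp:AttributeQuery>, as proposed in the post above.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"   # real SAML 2.0 protocol namespace
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"   # real SAML 2.0 assertion namespace
NS = {"samlp": SAMLP, "saml": SAML}


@dataclass
class IdPSession:
    index: str
    name_id: str
    client_ip: str                                  # environmental data stored per session
    attributes: dict = field(default_factory=dict)


# Constructed session store: the same user logged in at work and again from home.
SESSIONS = {
    "s-work-0001": IdPSession("s-work-0001", "jdoe@example.org", "192.0.2.10",
                              {"eduPersonAffiliation": "staff"}),
    "s-home-0002": IdPSession("s-home-0002", "jdoe@example.org", "198.51.100.7",
                              {"eduPersonAffiliation": "staff"}),
}


class AmbiguousSession(Exception):
    """Several live sessions match the NameID and the query carries no index."""


class SessionMismatch(Exception):
    """The index in the query does not name a live session of that NameID."""


def parse_attribute_query(xml_text: str):
    """Return (name_id, session_index or None) from an <samlp:AttributeQuery>."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP}}}AttributeQuery":
        raise ValueError(f"not an AttributeQuery: {root.tag}")
    name_id = root.find("saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        raise ValueError("AttributeQuery has no Subject/NameID")
    # Hypothetical element: the optional SessionIndex the post proposes.
    idx = root.findtext("samlp:SessionIndex", default=None, namespaces=NS)
    return name_id.text.strip(), (idx.strip() if idx and idx.strip() else None)


def select_session(name_id: str, session_index, sessions=SESSIONS) -> IdPSession:
    """Pick the session an attribute query refers to, or refuse to guess."""
    candidates = [s for s in sessions.values() if s.name_id == name_id]
    if not candidates:
        raise KeyError(f"no live session for {name_id}")
    if session_index is None:
        # Stateless query (current SAML): only unambiguous with exactly one session.
        if len(candidates) == 1:
            return candidates[0]
        raise AmbiguousSession(
            f"{len(candidates)} sessions for {name_id} and no SessionIndex in query")
    for s in candidates:
        if s.index == session_index:
            return s
    # Covers both unknown indexes and indexes that belong to a different principal.
    raise SessionMismatch(f"{session_index} is not a live session of {name_id}")


def resolve_attributes(xml_text: str, sessions=SESSIONS) -> dict:
    """Attributes the IdP would release, including the per-session client IP."""
    name_id, idx = parse_attribute_query(xml_text)
    session = select_session(name_id, idx, sessions)
    return dict(session.attributes, clientIP=session.client_ip)


# Constructed queries: the same request with and without the proposed element.
QUERY_TEMPLATE = """<samlp:AttributeQuery xmlns:samlp="{samlp}" xmlns:saml="{saml}"
    ID="_q1" Version="2.0" IssueInstant="2006-01-01T00:00:00Z">
  <saml:Issuer>https://sp.example.com/shibboleth</saml:Issuer>
  <saml:Subject><saml:NameID>jdoe@example.org</saml:NameID></saml:Subject>{extra}
</samlp:AttributeQuery>"""

QUERY_STATELESS = QUERY_TEMPLATE.format(samlp=SAMLP, saml=SAML, extra="")
QUERY_WITH_INDEX = QUERY_TEMPLATE.format(
    samlp=SAMLP, saml=SAML,
    extra="\n  <samlp:SessionIndex>s-home-0002</samlp:SessionIndex>")

if __name__ == "__main__":
    try:
        resolve_attributes(QUERY_STATELESS)
    except AmbiguousSession as exc:
        print("stateless query rejected:", exc)
    print("indexed query resolved:", resolve_attributes(QUERY_WITH_INDEX))
```

With a single live session the stateless query still resolves, so the optional element only changes behaviour in the multi-session case; an index that names a session of a different principal is rejected the same way as an unknown one, which is the kind of correlation check the post has in mind for artifacts as well.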


[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]