OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

saml-dev message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: Re: [saml-dev] Multiple AuthnStatements in Assertion

On 2/12/14, 9:19 AM, "Davis, Peter" <Peter.Davis@neustar.biz> wrote:

>I have worked on one large (15M) consumer-facing federation were this was
>critically important. One AuthNStatement was used for session management
>(session federation), and the second was used for delegation. They were
>separate because the durability of the delegation exceeded the durability
>of the session (different NotOnOrAfter values, among other distinctions).

That's also non-standard, which really illustrates the point I'm trying to
make. For the most part, delegation is simple to express using assertion
lifetime, separately from the SSO lifetime window, which is much shorter
and controlled with subject confirmation.

-- Scott

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]