Subject: Re: [saml-dev] NotOnOrAfter in SubjectConfirmationData and Conditions and SessionNotOnOrAfter


On 4/10/15, 5:16 AM, "Anders Abel" <anders@abel.nu> wrote:

>Hello, 
> 
>In the SAML2 specification there are several places in an assertion where it is possible to specify a lifetime.
> 
>The <SubjectConfirmationData> element contains a NotOnOrAfter attribute.
>The <Conditions> element contains a NotOnOrAfter attribute.
>The <AuthnStatement> element contains a SessionNotOnOrAfter attribute.
> 
>What is the meaning of each of them? How do they relate to each other?

The Conditions window addresses general validity of an assertion, and validity is described at length in core.

The SubjectConfirmation's validity applies solely to the window during which it's possible to confirm the subject's right to use the assertion in a particular manner. SubjectConfirmation is what turns a SAML assertion (data) into a security token that gets used to authenticate some party in an application. So it limits when the token has security semantics in a particular way.

SessionNotOnOrAfter is about IdPs limiting session lifetime at an SP when a session is based on the authentication statement.

> 
>Specifically, which of them must be checked when...

The requirements in core are invariant. You CANNOT accept an assertion as valid if the Conditions aren't valid, and you CANNOT apply a SubjectConfirmation evaluation to one that has expired. Beyond that, it's a profile consideration and which values are expected to be used is something the profile should speak to. The SSO profile does speak to them.


-- Scott
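The three windows Scott distinguishes, as an added example that is not part of the thread or any OASIS code: an SP-side check in Python over a constructed bearer assertion, treating the Conditions and SubjectConfirmationData windows as hard validity requirements and SessionNotOnOrAfter only as a cap on the SP's own session. The function name, the one-minute clock-skew allowance and the choice to reject a bearer assertion that lacks either NotOnOrAfter (a strict SSO-profile policy) are assumptions of this example.

```python
import datetime as dt
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample (not from the thread): a six-minute Conditions window,
# a shorter two-minute bearer-confirmation window, an eight-hour session cap.
ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  ID="_example" Version="2.0" IssueInstant="2015-04-10T10:00:00Z">
  <saml:Subject><saml:NameID>alice</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData NotOnOrAfter="2015-04-10T10:02:00Z"/>
    </saml:SubjectConfirmation></saml:Subject>
  <saml:Conditions NotBefore="2015-04-10T09:59:00Z" NotOnOrAfter="2015-04-10T10:05:00Z"/>
  <saml:AuthnStatement AuthnInstant="2015-04-10T10:00:00Z"
    SessionNotOnOrAfter="2015-04-10T18:00:00Z"/>
</saml:Assertion>"""

def parse_ts(value):
    # SAML timestamps are xsd:dateTime in UTC; seconds-precision "Z" form assumed here
    return dt.datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=dt.timezone.utc)

def check_lifetimes(assertion_xml, now, skew=dt.timedelta(seconds=60)):
    """Return (errors, session_expiry); an empty error list means the token may be used.
    Conditions and SubjectConfirmationData are invariant requirements; SessionNotOnOrAfter
    is the IdP's upper bound on the SP session and is only reported back to the caller."""
    root = ET.fromstring(assertion_xml)
    errors = []
    # 1. Conditions: general validity of the assertion as data.
    cond = root.find("saml:Conditions", NS)
    if cond is None or "NotOnOrAfter" not in cond.attrib:
        errors.append("Conditions/NotOnOrAfter missing")
    else:
        if now >= parse_ts(cond.get("NotOnOrAfter")) + skew:
            errors.append("assertion expired (Conditions/NotOnOrAfter)")
        if "NotBefore" in cond.attrib and now < parse_ts(cond.get("NotBefore")) - skew:
            errors.append("assertion not yet valid (Conditions/NotBefore)")
    # 2. SubjectConfirmation: window in which the bearer may use the assertion as a token.
    scd = root.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or "NotOnOrAfter" not in scd.attrib:
        errors.append("SubjectConfirmationData/NotOnOrAfter missing")
    elif now >= parse_ts(scd.get("NotOnOrAfter")) + skew:
        errors.append("subject confirmation expired (SubjectConfirmationData/NotOnOrAfter)")
    # 3. SessionNotOnOrAfter: cap the SP must apply to the session it creates.
    stmt = root.find("saml:AuthnStatement", NS)
    session_expiry = None
    if stmt is not None and "SessionNotOnOrAfter" in stmt.attrib:
        session_expiry = parse_ts(stmt.get("SessionNotOnOrAfter"))
    return errors, session_expiry
```

Between 10:02 and 10:05 the assertion is still valid as data but can no longer be used as a bearer token, which is exactly the distinction the reply draws.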