
saml-dev message



Subject: Re: [saml-dev] NotOnOrAfter in SubjectConfirmationData and Conditions and SessionNotOnOrAfter


On 4/13/15, 6:06 AM, "Anders Abel" <anders@abel.nu> wrote:
>
>* The SubjectConfirmationData/@NotOnOrAfter attribute is the time window during which the assertion can be tied to the subject. If the SP establishes a session, it must be done within this time frame (Web SSO Profile 4.1.4.3), but the session can continue long after that time.

Yes.

>* The Conditions/@NotOnOrAfter attribute is the longest possibility to trust the information in the assertion. During this time it is possible to forward the Assertion to another service to act on behalf of that (such as an SP calling a backend SOAP service).

Just having valid conditions doesn't mean you can forward an assertion without violating any number of other constraints or just ignoring security. It is necessary but not sufficient to have a longer lived assertion to do that sort of thing. There are no standardized SAML profiles that are correctly designed that handle forwarding or delegation. There are some around that are not standardized of course.

>* The SessionNotOnOrAfter sets an absolute limit to the SP session.
> 
>Is that correct?

Insofar as an SP is willing to listen, yes.

> 
>One thing is still unclear to me though, and it is the relation between Conditions/@NotOnOrAfter and SessionNotOnOrAfter.

There is none.

-- Scott
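The three limits discussed in this thread applied by an SP-side check, as an added example that is not part of the original message or of any SAML implementation: the Conditions window gates the assertion as a whole, the bearer SubjectConfirmationData window gates session establishment, and SessionNotOnOrAfter only caps the resulting session. The assertion below is constructed sample input; signature, audience, Recipient and InResponseTo checks are assumed to happen elsewhere and are not shown.

```python
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion (hypothetical values, not from the thread).
ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_c1" Version="2.0" IssueInstant="2015-04-13T10:00:00Z">
  <saml:Issuer>https://idp.example.org</saml:Issuer>
  <saml:Subject>
    <saml:NameID>alice</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData NotOnOrAfter="2015-04-13T10:05:00Z"
          Recipient="https://sp.example.org/acs"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2015-04-13T09:59:00Z" NotOnOrAfter="2015-04-13T11:00:00Z"/>
  <saml:AuthnStatement AuthnInstant="2015-04-13T09:59:30Z"
      SessionNotOnOrAfter="2015-04-13T18:00:00Z"/>
</saml:Assertion>"""


def _ts(value):
    """Parse a UTC xs:dateTime of the form YYYY-MM-DDTHH:MM:SSZ."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def evaluate_windows(xml_text, now):
    """Return (accepted, session_expiry, reason) for a bearer assertion at time `now`."""
    root = ET.fromstring(xml_text)
    cond = root.find("./saml:Conditions", NS)
    scd = root.find("./saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    authn = root.find("./saml:AuthnStatement", NS)
    # Conditions bound trust in the assertion as a whole; NotOnOrAfter is exclusive.
    if cond is not None:
        nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if nb and now < _ts(nb):
            return False, None, "assertion not yet valid (Conditions/@NotBefore)"
        if noa and now >= _ts(noa):
            return False, None, "assertion expired (Conditions/@NotOnOrAfter)"
    # Bearer confirmation: the SP session must be established inside this window.
    if scd is None or scd.get("NotOnOrAfter") is None or now >= _ts(scd.get("NotOnOrAfter")):
        return False, None, "bearer window closed (SubjectConfirmationData/@NotOnOrAfter)"
    # SessionNotOnOrAfter is unrelated to Conditions; it only caps the SP session,
    # which may therefore outlive both windows above.
    expiry = None
    if authn is not None and authn.get("SessionNotOnOrAfter"):
        expiry = _ts(authn.get("SessionNotOnOrAfter"))
    return True, expiry, "ok"
```

Calling `evaluate_windows(ASSERTION, now)` at 10:03Z accepts and yields an 18:00Z session cap, at 10:30Z it rejects even though Conditions are still valid, and at 11:30Z it rejects on Conditions.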


