saml-dev message



Subject: RE: [saml-dev] Security Consideration for Session


The SAML Session Profile provides a standardized way for multiple SPs that all trust the same IdP to maintain a common session via a trusted session service.

 

SAML allows you to use this or use a proprietary session scheme in conjunction with the SSO profiles. But in general, to provide SSO among several SPs, it is necessary to implement some kind of session service.

 

I am not sure what you meant by “what about when we have corrupt in network”. Either the IdP is trusted by the SPs or it is not. The network is always considered to be untrustworthy. If no trusted IdP is available, the only option is a local login, but most SPs don’t have the ability to do this (e.g. lack access to the account repository).

 

The SAML Session Profile was written under the assumption that one of the SSO Profiles is being used with it.

 

I hope this helps.

 

Hal

 

From: Mahzad Zahedi [mailto:mahzad.zahedi@gmail.com]
Sent: Saturday, October 15, 2016 1:56 AM
To: saml-dev@lists.oasis-open.org
Subject: [saml-dev] Security Consideration for Session

 

Hi

 

We are using the SP-initiated SSO profile and the HTTP POST binding.

Is it necessary to maintain a session when the SP wants to use another service after authenticating to the IdP?

 

What about when we have corrupt in network? Is it necessary to reauthenticate after authenticating to the IdP?

 

Can I use the Session Token Profile with the SSO Profile for session management?

 

Thanks


