OASIS Mailing List Archives
security-services-comment message



Subject: Public Comment


Comment from: glenn.benson@chase.com

JPMorgan Comments on SAML 2.0

The SAML 2.0 spec includes support for distributed logout.  However, the SAML 2.0 spec does not include support for distributed inactivity timeout.  JPMorgan considers inactivity timeout to be a non-negotiable issue explicitly required by the corporate security policy.  SAML 2.0's lack of support for distributed inactivity timeout may preclude adoption in many JPMorgan use cases.   Please see the examples below:

Use Case A:
1.  Client accesses site 1 and logs in
2.  Client accesses site 2, but does not need to present authentication credentials
3.  Client continues to access site 2 for a long period of time
4.  Client attempts to access site 1

Use Case B:
1.  Client accesses site 1 and logs in
2.  Client accesses site 2, but does not need to present authentication credentials
3.  Client leaves his or her computer unattended for a long period of time
4.  Client attempts to access site 1

In Use Case B Step 4, the JPMorgan policy explicitly requires that the user present authentication credentials before accessing site 1.  In Use Case A Step 4, the JPMorgan policy would consider an authentication event to be optional.  However, in order to support the business need for Single Sign-on, ergonomic issues would drive the business toward avoiding an authentication event.  In the particular case of a Portal as Site 1 and a business application as Site 2, the business may prohibit an authentication event in Use Case A Step 4.
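The two use cases above can be played out against three possible identity-provider policies to make the gap concrete. The simulation below is an added example, not code from the comment, from OASIS, or from any SAML implementation. It models two service providers with their own local idle timers and one identity provider (IdP), and compares an IdP that only counts its own interactions as activity, an IdP with no inactivity limit at all, and a hypothetical "distributed" IdP that each site notifies on every request. SAML 2.0 defines no such activity-report message; the mode, the 15-minute limit, the user name and the timing are all assumptions made for the illustration.

```python
"""Inactivity timeout in federated sign-on: local vs. distributed.

Constructed example, not code from the OASIS comment or from any SAML
implementation.  The 'distributed' mode assumes a hypothetical channel by which
each site reports user activity to the identity provider; SAML 2.0 defines no
such message, which is the gap the comment describes.
"""
from dataclasses import dataclass, field

IDLE_LIMIT = 15 * 60          # seconds; hypothetical corporate inactivity limit
MODES = ("idp_only", "no_idle_timeout", "distributed")


@dataclass
class IdentityProvider:
    mode: str
    authenticated: set = field(default_factory=set)
    last_seen: dict = field(default_factory=dict)   # user -> last activity the IdP knows of

    def authenticate(self, user, now):
        """User presents credentials; an SSO session starts."""
        self.authenticated.add(user)
        self.last_seen[user] = now

    def sso(self, user, now):
        """A site redirects the user here.  True = assertion issued without a
        credential prompt; the round trip itself counts as activity in every mode."""
        if user not in self.authenticated:
            return False
        if self.mode != "no_idle_timeout" and now - self.last_seen[user] > IDLE_LIMIT:
            self.authenticated.discard(user)   # idle-expired: credentials needed again
            return False
        self.last_seen[user] = now
        return True

    def report_activity(self, user, now):
        """Hypothetical site -> IdP activity notice; only distributed mode honours it."""
        if self.mode == "distributed":
            self.last_seen[user] = now


@dataclass
class ServiceProvider:
    name: str
    idp: IdentityProvider
    local_last: dict = field(default_factory=dict)  # user -> last request at this site

    def request(self, user, now):
        """Returns 'allowed' or 'credentials_required' for one request."""
        last = self.local_last.get(user)
        if last is not None and now - last <= IDLE_LIMIT:
            self.local_last[user] = now           # local session still live
            self.idp.report_activity(user, now)
            return "allowed"
        if self.idp.sso(user, now):               # local session idle-expired: SSO round trip
            self.local_last[user] = now
            return "allowed"
        return "credentials_required"


def run(mode, use_case):
    """Steps 1-4 of Use Case A ('a') or B ('b'); returns the step 4 outcome at site 1."""
    idp = IdentityProvider(mode)
    site1, site2 = ServiceProvider("site1", idp), ServiceProvider("site2", idp)
    idp.authenticate("alice", 0)                     # step 1: logs in at site 1
    assert site1.request("alice", 0) == "allowed"
    assert site2.request("alice", 60) == "allowed"   # step 2: SSO to site 2, no credentials
    if use_case == "a":                              # step 3 (A): two hours of work at site 2
        for t in range(120, 7200, 300):
            assert site2.request("alice", t) == "allowed"
    # step 3 (B): two hours with no activity anywhere
    return site1.request("alice", 7260)              # step 4: back to site 1


def summary():
    """Step 4 outcome for every (policy mode, use case) pair."""
    return {mode: {uc: run(mode, uc) for uc in "ab"} for mode in MODES}


if __name__ == "__main__":
    for mode, outcome in summary().items():
        print(f"{mode:16} use case A: {outcome['a']:21} use case B: {outcome['b']}")
```

Only the distributed mode satisfies both use cases: the IdP-only timer forces a credential prompt in Use Case A even though the user was active at site 2 the whole time, and the IdP with no idle limit admits the user in Use Case B after two hours away from the keyboard. Without a standard way for site 2 to tell the IdP about ongoing activity, a deployment has to pick one of the two failures.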


