OASIS Mailing List Archives



security-services message


Subject: Time-out issue for first contact scenarios

In Passport and Shibboleth-like scenarios where a user accesses
a protected RP resource and usually has to authenticate to his/her
AA, taking an arbitrary amount of time (interrupted by
a phone call, finding out the new password, etc.), a time-out may
occur at the RP's side. And when the AA's
auth* is sent away through the user's browser, it may get
rejected.  As SAML seems to often require "stateful" servers
(= usually meaning short time-outs), this could be a real PITA
for users.

I wonder how SAML is handling this.  In Purple, the AA can
(with high precision) see that the RP's request has expired,
and [transparently for the user], in the background between the
AA and RP, "restart" the auth* process. Or actually revert to a
slightly modified AA=>RP contact model.

As this is a "pre-session" situation, SAML's proposed
session-handling stuff would IMO not apply.

Any thoughts on this? 

Anders Rundgren 
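The time-out problem raised above, as an added illustration that is not part of the original message and not SAML, Passport, Shibboleth or "Purple" code: a stateful RP keeps each outstanding authentication request only for a short lifetime, so a user who takes too long at the AA comes back with a response the RP no longer recognises. The second authority models the background AA-to-RP "restart" the message sketches. The request fields, the RP's pending-request table, the lifetime value and the back channel used for the restart are all assumptions made here; the subject name and timings are constructed sample data.

```python
"""
Toy model of the first-contact time-out problem: a stateful RP remembers
each outstanding authentication request for a short time; if the user
takes too long at the AA, the response that comes back through the
browser matches nothing and is rejected.

Added example. Not SAML, Passport, Shibboleth or "Purple" code. The
request lifetime, the RP's pending-request table and the AA-to-RP
"restart" channel are assumptions used to show the failure mode and one
possible shape of the background restart. Times are plain seconds so the
example runs offline without a clock or network.
"""
from dataclasses import dataclass
import secrets


@dataclass(frozen=True)
class AuthnRequest:
    """What the RP hands to the browser on first contact (assumed fields)."""
    request_id: str
    issued_at: float      # RP clock, seconds
    lifetime: float       # how long the RP keeps state for this request

    def expired(self, now: float) -> bool:
        return now >= self.issued_at + self.lifetime


class RelyingParty:
    """Stateful RP: only remembers requests for `lifetime` seconds."""

    def __init__(self, lifetime: float = 300.0):
        self.lifetime = lifetime
        self.pending: dict[str, AuthnRequest] = {}

    def issue_request(self, now: float) -> AuthnRequest:
        req = AuthnRequest(secrets.token_hex(8), now, self.lifetime)
        self.pending[req.request_id] = req
        return req

    def _purge(self, now: float) -> None:
        # A stateful server must drop old entries; this is what makes the
        # effective time-out short in practice.
        for rid in [r for r, q in self.pending.items() if q.expired(now)]:
            del self.pending[rid]

    def consume_response(self, in_response_to: str, subject: str,
                         now: float) -> tuple[str, str]:
        self._purge(now)
        # One-shot lookup: also stops the same response being replayed.
        req = self.pending.pop(in_response_to, None)
        if req is None:
            return ("rejected", "unknown or expired request " + in_response_to)
        return ("accepted", subject)


def naive_authority(req, subject, rp, now):
    """AA that ignores the request age and just sends the response back."""
    status, detail = rp.consume_response(req.request_id, subject, now)
    return status, detail, False


def expiry_aware_authority(req, subject, rp, now):
    """AA that sees the request has expired and restarts with the RP in the
    background (assumed back channel), so the user is not bounced."""
    restarted = False
    # Assumes AA and RP clocks agree; real deployments need a skew margin.
    if req.expired(now):
        req = rp.issue_request(now)   # fresh request obtained AA<->RP, user not involved
        restarted = True
    status, detail = rp.consume_response(req.request_id, subject, now)
    return status, detail, restarted


def first_contact(authority, user_delay: float, rp_lifetime: float = 300.0):
    """One first-contact flow: RP issues a request at t=0, the user spends
    `user_delay` seconds authenticating, then the AA completes the flow.
    Returns (status, detail, restarted)."""
    rp = RelyingParty(lifetime=rp_lifetime)
    req = rp.issue_request(now=0.0)
    return authority(req, "alice@example.org", rp, now=user_delay)  # constructed subject


if __name__ == "__main__":
    print(first_contact(naive_authority, 30.0))          # quick user: accepted
    print(first_contact(naive_authority, 900.0))         # slow user: rejected
    print(first_contact(expiry_aware_authority, 900.0))  # slow user, restart: accepted
```

Run it with a 300-second RP lifetime and the slow user (900 s at the AA) is rejected by the naive flow but accepted after the expiry-aware restart; the one-shot lookup in consume_response also means a second delivery of the same response is rejected.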

