Subject: RE: one time use saml artifact (BETTER FORMATTING! FEWER TYPOS!)
> >>[Hal]
> >>For example, what happens when the browser goes to a second
> >>site? Presumably they are redirected to the AP, but how does
> >>the AP know they are the "same" subject and not force them to
> >>re-authenticate?
>
> [Prateek]
> The assumption is that the AP has some form of security engine
> in place that can track its own authenticated users. Typically,
> this takes place thru a session which is represented in some
> form in an encrypted cookie and some additional state
> information at the AP. Certainly, this is a strong assumption
> but one which does seem to be met by a large class of security
> systems.
>
> When the user returns to the AP, the AP examines the security
> context of the user and determines if the user session is still
> valid.

Right. See my comments along this line in:

http://middleware.internet2.edu/shibboleth/docs/draft-morgan-shibboleth-websso-00.txt
and
http://middleware.internet2.edu/shibboleth/docs/draft-morgan-shibboleth-session-00.txt

Essentially this punts SSO to be an issue between the end-entity and the
authentication service, just as initial sign-on is. This is certainly the
Shibboleth design assumption.

 - RL "Bob"
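As an added illustration of the AP-side session check Prateek and Bob describe (example code written for this archive page, not from the thread, from SAML or from Shibboleth): a toy AP that mints a session cookie at initial sign-on and, when a second site redirects the browser back, decides from that cookie plus its own server-side state whether this is the same subject or whether re-authentication is required. The class name, the fixed session lifetime and the use of an HMAC-signed cookie (standing in for the encrypted cookie mentioned in the message) are assumptions of this example.

```python
import base64
import hashlib
import hmac
import json
import secrets
from typing import Optional


class AuthenticationProvider:
    """Hypothetical AP security engine that tracks its own authenticated users."""

    def __init__(self, cookie_key: bytes, session_lifetime: int = 3600):
        self.cookie_key = cookie_key          # assumption: one AP-wide cookie key
        self.session_lifetime = session_lifetime
        self.sessions = {}  # server-side state: session id -> {"user", "expires"}

    def _mac(self, body: bytes) -> bytes:
        return hmac.new(self.cookie_key, body, hashlib.sha256).digest()

    def sign_on(self, user: str, now: float) -> str:
        """Initial sign-on: create AP session state and mint the session cookie."""
        sid = secrets.token_hex(16)
        self.sessions[sid] = {"user": user, "expires": now + self.session_lifetime}
        body = json.dumps({"sid": sid}).encode()
        return base64.urlsafe_b64encode(body + self._mac(body)).decode()

    def current_user(self, cookie: Optional[str], now: float) -> Optional[str]:
        """Examine the browser's security context; None means no valid session."""
        if not cookie:
            return None
        try:
            raw = base64.urlsafe_b64decode(cookie.encode())
            body, tag = raw[:-32], raw[-32:]
            if not hmac.compare_digest(tag, self._mac(body)):
                return None  # forged or altered cookie: treat as no session
            sid = json.loads(body)["sid"]
        except (ValueError, KeyError, TypeError):
            return None
        state = self.sessions.get(sid)
        if state is None or now >= state["expires"]:
            self.sessions.pop(sid, None)  # expired: the user must re-authenticate
            return None
        return state["user"]

    def handle_sso_request(self, cookie: Optional[str], now: float):
        """A second site redirects the browser here: reuse the session or re-authenticate."""
        user = self.current_user(cookie, now)
        return ("authenticate", None) if user is None else ("issue_assertion", user)
```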