[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: Re: [security-services] W-15 Delegation and Intermediaries - specific suggestions
ext Scott Cantor wrote:
>
> 1. Lifetime
>
> RL Bob already mentioned changing the assertion validity to represent the
> token/session lifetime instead of the bearer delivery window. As of now,
> about the only loss of function to that I see is the IdP having some control
> over that window instead of leaving it to the SP.
>
> A related change would be adding the ability to request the SSO assertion
> with a specific validity lifetime, which probably has some relation to the
> session question. As it stands now, without an explicit session construct
> presented (so far), I would be inclined to say that the lifetime of a SSO
> assertion should correspond to the session length indicated to the SP by the
> IdP (obviating the need for the ID-FF <ReauthenticateOnOrAfter> element).

Just addressing this question - I think it would certainly simplify matters for session management in the protocol if the above were the case. The SSO assertion lifetime would be the session lifetime, and the ID on the assertion would be the session index. In a logout, the ID of the assertion could be used to accurately target the "session".

- JohnK
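The proposal above (assertion validity window = SP session lifetime, assertion ID = session index, logout targets the session by that ID) modelled as an SP-side session store. This is an added illustration, not code from the thread or from any SAML implementation; the assertion XML is a constructed, deliberately minimal SAML-like fragment, the element and attribute names (ID, NotBefore, NotOnOrAfter, Subject) are assumed for the example, and no signature or schema validation is shown.

```python
"""SP-side session store keyed on the SSO assertion ID (added example).

Models the thread's proposal: the assertion's NotBefore/NotOnOrAfter window is
the session lifetime, the assertion ID is the session index, and a logout
names that ID to hit exactly one session.  Signature checking, audience
checks and the real SAML schema are out of scope here.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

# Constructed sample assertion (not schema-complete; assumed shape for the demo).
ASSERTION_XML = """
<Assertion ID="_a1b2c3" IssueInstant="2003-09-01T10:00:00Z">
  <Conditions NotBefore="2003-09-01T10:00:00Z"
              NotOnOrAfter="2003-09-01T18:00:00Z"/>
  <Subject>alice@example.org</Subject>
</Assertion>
"""


def parse_ts(value: str) -> datetime:
    """Parse the UTC 'Z' timestamps used in the sample assertion."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


@dataclass
class Session:
    subject: str
    not_before: datetime
    not_on_or_after: datetime


class SessionStore:
    """Sessions indexed by assertion ID; lifetime taken from the assertion."""

    def __init__(self) -> None:
        self._sessions: dict[str, Session] = {}

    def create_from_assertion(self, xml_text: str, now: datetime) -> str:
        root = ET.fromstring(xml_text)
        assertion_id = root.get("ID")
        cond = root.find("Conditions")
        if assertion_id is None or cond is None:
            raise ValueError("assertion lacks ID or Conditions")
        not_before = parse_ts(cond.get("NotBefore"))
        not_on_or_after = parse_ts(cond.get("NotOnOrAfter"))
        # Accept only inside the window; NotOnOrAfter is exclusive.
        if not (not_before <= now < not_on_or_after):
            raise ValueError("assertion not valid at %s" % now.isoformat())
        # Because the ID doubles as the session index, a second presentation
        # of the same assertion must not silently mint a second session.
        if assertion_id in self._sessions:
            raise ValueError("assertion %s already established a session" % assertion_id)
        self._sessions[assertion_id] = Session(
            root.findtext("Subject", default=""), not_before, not_on_or_after
        )
        return assertion_id

    def is_active(self, session_index: str, now: datetime) -> bool:
        """The session expires exactly when the assertion's window ends."""
        s = self._sessions.get(session_index)
        return s is not None and s.not_before <= now < s.not_on_or_after

    def logout(self, session_index: str) -> bool:
        """A logout carrying the assertion ID targets just that session."""
        return self._sessions.pop(session_index, None) is not None


def demo() -> dict:
    """Run the lifecycle once and return the observed results."""
    store = SessionStore()
    login_time = parse_ts("2003-09-01T10:30:00Z")
    sid = store.create_from_assertion(ASSERTION_XML, login_time)
    try:
        store.create_from_assertion(ASSERTION_XML, login_time)
        replay_rejected = False
    except ValueError:
        replay_rejected = True
    return {
        "session_index": sid,
        "active_midday": store.is_active(sid, parse_ts("2003-09-01T12:00:00Z")),
        "active_at_expiry": store.is_active(sid, parse_ts("2003-09-01T18:00:00Z")),
        "replay_rejected": replay_rejected,
        "logout_first": store.logout(sid),
        "logout_second": store.logout(sid),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The point the model makes concrete: once the assertion window is the session lifetime, the SP has no separate expiry to track, and a logout needs nothing beyond the assertion ID to be unambiguous; the flip side is that the IdP now fixes the session length, which is the control Scott notes the SP gives up.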