security-services message
Subject: Re: [security-services] W-15 Delegation and Intermediaries - specific suggestions


ext Scott Cantor wrote:

> 
> 1. Lifetime
> 
> RL Bob already mentioned changing the assertion validity to represent the
> token/session lifetime instead of the bearer delivery window. As of now,
> about the only loss of function to that I see is the IdP having some control
> over that window instead of leaving it to the SP.
> 
> A related change would be adding the ability to request the SSO assertion
> with a specific validity lifetime, which probably has some relation to the
> session question. As it stands now, without an explicit session construct
> presented (so far), I would be inclined to say that the lifetime of a SSO
> assertion should correspond to the session length indicated to the SP by the
> IdP (obviating the need for the ID-FF <ReauthenticateOnOrAfter> element).

Just addressing this question - I think it would certainly simplify 
matters for session management in the protocol if the above were the case.

The SSO assertion lifetime would be the session lifetime, and the ID on 
the assertion would be the session index. In a logout, the ID of the 
assertion could be used to accurately target the "session".

- JohnK
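As an added illustration of the model John proposes (not code from the thread or from any OASIS deliverable): an SP-side session store in which the SSO assertion's Conditions window is the session lifetime and the assertion ID is the session index used to target a logout. The assertion XML, the namespace URI, the IDs and the timestamps are all constructed here, and signature verification is assumed to happen before `establish` is called.

```python
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

# Assumed assertion namespace; the draft under discussion may differ.
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion: validity window 10:00 to 18:00 UTC.
ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  ID="_a1b2c3" IssueInstant="2004-01-05T10:00:00Z">
  <saml:Issuer>https://idp.example.org</saml:Issuer>
  <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2004-01-05T10:00:00Z"
                   NotOnOrAfter="2004-01-05T18:00:00Z"/>
</saml:Assertion>"""

def parse_ts(s):
    """Parse a UTC xsd:dateTime of the form used in the sample."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

class SessionStore:
    def __init__(self, skew=timedelta(minutes=1)):
        self.sessions = {}   # assertion ID -> (subject, session expiry)
        self.seen = set()    # IDs already consumed, to refuse replay
        self.skew = skew     # tolerated clock skew against the IdP

    def establish(self, assertion_xml, now):
        """Create a session whose lifetime is the assertion's validity window."""
        root = ET.fromstring(assertion_xml)
        aid = root.get("ID")
        if aid in self.seen:
            raise ValueError("assertion ID already consumed (replay)")
        cond = root.find("saml:Conditions", NS)
        not_before = parse_ts(cond.get("NotBefore"))
        not_on_or_after = parse_ts(cond.get("NotOnOrAfter"))
        if not (not_before - self.skew <= now < not_on_or_after + self.skew):
            raise ValueError("assertion outside its validity window")
        subject = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
        self.seen.add(aid)
        self.sessions[aid] = (subject, not_on_or_after)
        return aid  # the session index, per the proposal above

    def is_active(self, aid, now):
        entry = self.sessions.get(aid)
        return entry is not None and now < entry[1]

    def logout(self, aid):
        """Terminate exactly the session created by assertion `aid`."""
        return self.sessions.pop(aid, None) is not None
```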
