security-services message
Subject: RE: [security-services-comment] Public Comment


Hi Glenn,

This topic was proposed as a SAML 2.0 deliverable but ultimately
deferred to a post-SAML 2.0 timeline. I think the main issue was timing
and deadlines.

You can find relevant discussion at:

http://lists.oasis-open.org/archives/security-services/200402/msg00010.html

http://lists.oasis-open.org/archives/security-services/200402/msg00091.html


I would encourage you to propose this as a work-item once SAML 2.0 is
complete. From the links above, you can see that a number of people were
interested in including this type of functionality within SAML.


- prateek



-----Original Message-----
From: comment-form@oasis-open.org [mailto:comment-form@oasis-open.org] 
Sent: Tuesday, November 02, 2004 11:56 AM
To: security-services-comment@lists.oasis-open.org
Subject: [security-services-comment] Public Comment

Comment from: glenn.benson@chase.com

JPMorgan Comments on SAML 2.0

The SAML 2.0 spec includes support for distributed logout.  However, the
SAML 2.0 spec does not include support for distributed inactivity
timeout.  JPMorgan considers inactivity timeout to be a non-negotiable
issue explicitly required by the corporate security policy.  SAML 2.0's
lack of support for distributed inactivity timeout may preclude adoption
in many JPMorgan use cases.   Please see the examples below:

Use Case A:
1.  Client accesses site 1 and logs in
2.  Client accesses site 2, but does not need to present authentication
credentials
3.  Client continues to access site 2 for a long period of time
4.  Client attempts to access site 1

Use Case B:
1.  Client accesses site 1 and logs in
2.  Client accesses site 2, but does not need to present authentication
credentials
3.  Client leaves his or her computer unattended for a long period of
time
4.  Client attempts to access site 1

In Use Case B Step 4, the JPMorgan policy explicitly requires that the
user present authentication credentials before accessing site 1.  In Use
Case A Step 4, the JPMorgan policy would consider an authentication
event to be optional.  However, in order to support the business need
for Single Sign-on, ergonomic issues would drive the business toward
avoiding an authentication event.  In the particular case of a Portal as
Site 1 and a business application as Site 2, the business may prohibit
an authentication event in Use Case A Step 4.
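The following Python is an added illustration, not part of this thread or of the SAML specification. It models Use Cases A and B with a constructed 15-minute inactivity limit and compares a site-local timeout (each site only sees its own activity) with a distributed one (the most recent activity at any site counts); the site names, the limit and the timings are assumptions.

```python
from dataclasses import dataclass, field

# Constructed policy value for illustration; not a number from the spec or the comment.
INACTIVITY_LIMIT = 15 * 60  # seconds


@dataclass
class Session:
    """Last activity timestamp (seconds) seen at each site, keyed by site name."""
    last_activity: dict = field(default_factory=dict)

    def touch(self, site: str, now: int) -> None:
        self.last_activity[site] = now

    def needs_reauth(self, site: str, now: int, distributed: bool) -> bool:
        """True if the policy demands fresh credentials at `site` at time `now`.

        distributed=False: the site only knows its own activity, which is what
        the comment says SAML 2.0 offers. distributed=True: the latest activity
        reported by any site counts, which is the behaviour the comment asks for.
        """
        if distributed:
            latest = max(self.last_activity.values())
        else:
            latest = self.last_activity.get(site, float("-inf"))
        return now - latest > INACTIVITY_LIMIT


def run_use_case(keep_using_site2: bool) -> dict:
    """Steps 1-4 of Use Case A (True) or Use Case B (False) from the comment."""
    s = Session()
    s.touch("site1", 0)            # 1. client logs in at site 1
    s.touch("site2", 60)           # 2. client reaches site 2 via SSO, no credentials
    if keep_using_site2:           # 3A. client keeps working at site 2 every minute
        for t in range(120, 3600, 60):
            s.touch("site2", t)
    # 3B. otherwise the client walks away and nothing is touched
    return {                       # 4. client returns to site 1 after an hour
        "local_only": s.needs_reauth("site1", 3600, distributed=False),
        "distributed": s.needs_reauth("site1", 3600, distributed=True),
    }


if __name__ == "__main__":
    print("Use Case A:", run_use_case(True))   # local forces reauth, distributed does not
    print("Use Case B:", run_use_case(False))  # both force reauth, as the policy requires
```

With only site-local knowledge, site 1 forces a login in both cases; the distributed view lets Use Case A proceed while still forcing reauthentication in Use Case B, which is the distinction the comment draws.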



