Subject: RE: [security-services-comment] Public Comment
Hi Glenn,

This topic was proposed as a SAML 2.0 deliverable but ultimately deferred to a post-SAML 2.0 timeline. I think the main issue was timing and deadlines. You can find relevant discussion at:

http://lists.oasis-open.org/archives/security-services/200402/msg00010.html
http://lists.oasis-open.org/archives/security-services/200402/msg00091.html

I would encourage you to propose this as a work-item once SAML 2.0 is complete. From the links above, you can see that a number of people were interested in including this type of functionality within SAML.

- prateek

-----Original Message-----
From: email@example.com [mailto:firstname.lastname@example.org]
Sent: Tuesday, November 02, 2004 11:56 AM
To: email@example.com
Subject: [security-services-comment] Public Comment

Comment from: firstname.lastname@example.org

JPMorgan Comments on SAML 2.0

The SAML 2.0 spec includes support for distributed logout. However, the SAML 2.0 spec does not include support for distributed inactivity timeout. JPMorgan considers inactivity timeout to be a non-negotiable issue explicitly required by the corporate security policy. SAML 2.0's lack of support for distributed inactivity timeout may preclude adoption in many JPMorgan use cases. Please see the examples below:

Use Case A:
1. Client accesses site 1 and logs in
2. Client accesses site 2, but does not need to present authentication credentials
3. Client continues to access site 2 for a long period of time
4. Client attempts to access site 1

Use Case B:
1. Client accesses site 1 and logs in
2. Client accesses site 2, but does not need to present authentication credentials
3. Client leaves his or her computer unattended for a long period of time
4. Client attempts to access site 1

In Use Case B Step 4, the JPMorgan policy explicitly requires that the user present authentication credentials before accessing site 1. In Use Case A Step 4, the JPMorgan policy would consider an authentication event to be optional.
However, in order to support the business need for Single Sign-on, ergonomic issues would drive the business toward avoiding an authentication event. In the particular case of a Portal as Site 1 and a business application as Site 2, the business may prohibit an authentication event in Use Case A Step 4.
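As an added illustration (not part of this thread or of any SAML implementation), a small Python model of the two use cases above: it evaluates step 4 under a per-site inactivity timer, which is all a site can enforce from its own observations, and under a federation-wide timer that would require sites to share last-activity times. The 15-minute timeout, the access timestamps and the function names are constructed for this example.

```python
from dataclasses import dataclass

# Constructed policy value: 15 minutes of inactivity forces re-authentication.
TIMEOUT = 15 * 60


@dataclass(frozen=True)
class Access:
    site: str
    t: int  # seconds since the login at site 1 (step 1)


def reauth_required_local(log, site, now, timeout=TIMEOUT):
    """Per-site timer: only activity observed at this site refreshes it."""
    last = max((a.t for a in log if a.site == site), default=None)
    return last is None or now - last > timeout


def reauth_required_distributed(log, now, timeout=TIMEOUT):
    """Federation-wide timer: activity at any participating site refreshes
    the shared session, which needs sites to propagate last-activity times."""
    last = max(a.t for a in log)
    return now - last > timeout


# Constructed activity logs (times in seconds after the step-1 login).
# Use Case A: the client keeps using site 2 every 5 minutes for about an hour.
USE_CASE_A = [Access("site1", 0)] + [Access("site2", 60 + 300 * i) for i in range(13)]
# Use Case B: one visit to site 2, then the computer is left unattended.
USE_CASE_B = [Access("site1", 0), Access("site2", 60)]
STEP4_TIME = 3700  # the client returns to site 1 just over an hour later


def evaluate(log, now=STEP4_TIME):
    """Does site 1 demand credentials at step 4 under each timer model?"""
    return {
        "local": reauth_required_local(log, "site1", now),
        "distributed": reauth_required_distributed(log, now),
    }


if __name__ == "__main__":
    # A per-site timer prompts in both cases; a distributed timer prompts only in B,
    # matching the policy (B: required) and the business preference (A: avoid it).
    print("Use Case A:", evaluate(USE_CASE_A))
    print("Use Case B:", evaluate(USE_CASE_B))
```

The local timer cannot distinguish the two cases because site 1 never sees the site 2 activity, which is exactly the gap the comment describes.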