security-services message
Subject: Outstanding assertions and NameID changes
- From: "Cahill, Conor P" <conor.p.cahill@intel.com>
- To: "OASIS Security Services TC" <security-services@lists.oasis-open.org>
- Date: Fri, 21 Apr 2006 07:06:40 -0700

When an SP changes an SPProvidedNameID with the IdP, an interesting piece of information that could be quite useful for the IdP to return to the SP would be an indication of whether or not there are any outstanding assertions and, if so, what the anticipated expiration time of the longest-lasting assertion is.

This information would be useful to the SP so that the SP would know the likely time needed to "remember" its old SPProvidedNameID.

I would see the IdP being able to say:

- I can't tell you whether or not there are any outstanding tokens (this would be the behaviour that matches the current protocol messages)
- I can tell you there are outstanding assertions, but for various reasons I can't give you an estimated expiration time.
- I can tell you that there are outstanding assertions and the latest anticipated expiration time is xyz.

Note that I don't think this issue applies to the IdP-provided NameIDs, as the IdP should know when any of its issued assertions using that NameID would expire and, in general, those assertions aren't typically generated for consumption at the IdP.

Conor
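
The SP-side bookkeeping the message above motivates, as an added example that is not part of the original post or of any SAML specification: the SP keeps resolving the old SPProvidedNameID only until the time derived from the IdP's answer. The `Outstanding` names, the `NONE` case (implied by "whether or not"), the `FALLBACK` policy and the `SKEW` allowance are all assumptions.

```python
from datetime import datetime, timedelta
from enum import Enum
from typing import Optional

class Outstanding(Enum):           # hypothetical names for the IdP's answers
    UNKNOWN = "unknown"            # IdP can't say (current protocol behaviour)
    NONE = "none"                  # assumed: no outstanding assertions
    NO_ESTIMATE = "no-estimate"    # outstanding, but no expiration estimate
    UNTIL = "until"                # outstanding, latest expiration is known

FALLBACK = timedelta(hours=8)      # assumed local policy when no time is given
SKEW = timedelta(minutes=5)        # assumed clock-skew allowance

def retain_until(answer: Outstanding, now: datetime,
                 latest_expiry: Optional[datetime] = None) -> datetime:
    """Time until which the old SPProvidedNameID must still resolve."""
    if answer is Outstanding.NONE:
        return now                               # nothing in flight: forget at once
    if answer is Outstanding.UNTIL:
        if latest_expiry is None:
            raise ValueError("UNTIL requires latest_expiry")
        return max(now, latest_expiry + SKEW)
    return now + FALLBACK                        # UNKNOWN or NO_ESTIMATE

class AliasTable:
    """Maps SPProvidedNameID values to local accounts, remembering old IDs."""
    def __init__(self):
        self.current = {}          # name_id -> account
        self.old = {}              # old name_id -> (account, retain deadline)

    def change(self, old_id, new_id, answer, now, latest_expiry=None):
        account = self.current.pop(old_id)
        self.current[new_id] = account
        deadline = retain_until(answer, now, latest_expiry)
        if deadline > now:
            self.old[old_id] = (account, deadline)

    def resolve(self, name_id, now):
        if name_id in self.current:
            return self.current[name_id]
        entry = self.old.get(name_id)
        if entry and now <= entry[1]:
            return entry[0]                      # assertion issued before the change
        self.old.pop(name_id, None)              # expired or unknown: forget it
        return None
```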