OASIS Mailing List Archives
security-services message

Subject: Protocol extension for role change


I am working on a proposal to add a capability to change the role in a SAML WebSSO session. E.g. a teacher working for two schools, or a government officer having one set of privileges in her regular back office job, and a second, wider set of privileges when intermittently acting as deputy for her manager. Whenever a role change is required, the user should be able to select the new role without logging off, and the role change needs to be propagated to all active SP sessions to avoid confusing the user.

I came up with the plan to use the Extensions element in the LogoutRequest to signal the desired action, which would support the following flow:
1. SP initiates logout, including an "Extensions/ContextChange" element in the LogoutRequest;
2. IDP propagates the logout to other SPs with active sessions;
3. User selects new role, which is kept in the user's IDP session;
4. IDP issues a new Assertion to the SP with attributes set for the selected role;
5. Access to any other SP will not require user interaction. SPs will send an AuthnRequest and receive the new set of attributes.

An alternative would be for the SP to issue an AuthnRequest instead of the LogoutRequest, but I see no clean way to propagate the role change to other SPs.


Does anybody know of a similar use case, and which design was selected? Any other comments?

Thanks,
Rainer
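The five-step flow in the message above, as an added example that is not part of the original post or of any OASIS specification. The samlp:LogoutRequest element, its samlp:Extensions child (which the SAML 2.0 protocol schema allows to carry elements from other namespaces), saml:Issuer, saml:NameID and samlp:SessionIndex are real SAML 2.0 constructs; the ContextChange element is the name proposed in the message, and its namespace URI, the role names, the privilege table and the in-memory session tables are assumptions made here for illustration. XML signatures and the HTTP bindings are omitted; in a real deployment the LogoutRequest must be signed by the SP and verified by the IdP before any of the logic below runs.

```python
"""Toy model of a SAML LogoutRequest carrying a role-change signal in
samlp:Extensions, and the IdP-side handling of it (added example; the
ContextChange element and its namespace are assumptions, not standard SAML)."""
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"      # real SAML 2.0 protocol namespace
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"      # real SAML 2.0 assertion namespace
EXT = "urn:example:saml:ext:context-change"         # assumed namespace for the proposal

ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)
ET.register_namespace("cc", EXT)

# Constructed sample data: what each role entitles the user to.
ROLE_PRIVILEGES = {
    "clerk": {"read-cases"},
    "deputy-manager": {"read-cases", "approve-cases", "sign-budget"},
}


def build_logout_request(issuer, name_id, session_index, request_id, role_change=False):
    """SP side (step 1): a LogoutRequest, optionally carrying the role-change signal."""
    req = ET.Element(f"{{{SAMLP}}}LogoutRequest",
                     {"ID": request_id, "Version": "2.0",
                      "IssueInstant": "2010-01-01T00:00:00Z"})
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = issuer
    if role_change:
        # samlp:Extensions follows Issuer (and Signature) and precedes NameID in the
        # schema; its content comes from a non-SAML namespace.
        ext = ET.SubElement(req, f"{{{SAMLP}}}Extensions")
        ET.SubElement(ext, f"{{{EXT}}}ContextChange")
    ET.SubElement(req, f"{{{SAML}}}NameID").text = name_id
    ET.SubElement(req, f"{{{SAMLP}}}SessionIndex").text = session_index
    return ET.tostring(req, encoding="unicode")


class IdP:
    """Minimal IdP session state: per user, the current role and the SPs with live sessions."""

    def __init__(self, entitlements):
        self.entitlements = entitlements   # name_id -> set of roles the user may assume
        self.sessions = {}                 # name_id -> {"role", "index", "sps"}

    def login(self, name_id, role, session_index):
        if role not in self.entitlements[name_id]:
            raise PermissionError(f"{name_id} may not assume {role}")
        self.sessions[name_id] = {"role": role, "index": session_index, "sps": set()}

    def attributes_for(self, name_id, sp):
        """Steps 4/5: attributes an SP receives in the assertion for the session's current role."""
        s = self.sessions[name_id]
        s["sps"].add(sp)
        return {"role": s["role"], "privileges": sorted(ROLE_PRIVILEGES[s["role"]])}

    def handle_logout_request(self, xml):
        """Steps 1/2: classify the request, then name the other SPs that must be logged out."""
        req = ET.fromstring(xml)
        issuer = req.findtext(f"{{{SAML}}}Issuer")
        name_id = req.findtext(f"{{{SAML}}}NameID")
        index = req.findtext(f"{{{SAMLP}}}SessionIndex")
        ext = req.find(f"{{{SAMLP}}}Extensions")
        role_change = ext is not None and ext.find(f"{{{EXT}}}ContextChange") is not None
        # Only act on a request that matches a live session of the requesting SP.
        s = self.sessions.get(name_id)
        if s is None or s["index"] != index or issuer not in s["sps"]:
            raise ValueError("LogoutRequest does not match a live session")
        others = s["sps"] - {issuer}
        s["sps"].clear()          # all SP sessions end; SPs come back with an AuthnRequest
        if not role_change:
            del self.sessions[name_id]   # plain logout: the IdP session ends too
        return {"role_change": role_change, "propagate_to": sorted(others)}

    def select_role(self, name_id, role):
        """Step 3: the user picks the new role at the IdP; the SP only signalled intent."""
        if role not in self.entitlements[name_id]:
            raise PermissionError(f"{name_id} may not assume {role}")
        self.sessions[name_id]["role"] = role
```

The design point worth keeping from this sketch: the ContextChange element is only a flag. The SP cannot name the target role, the choice is made by the user at the IdP and checked against what the IdP knows the user is entitled to, and the request is rejected unless it matches an existing session of the SP that sent it. A plain LogoutRequest (no extension) still tears down the IdP session as usual.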





