OASIS Mailing List Archives

security-services message



Subject: Re: [security-services] Protocol extension for role change


On 11/8/16, 2:35 PM, "Rainer Hoerbe" <rainer@hoerbe.at> wrote:

> The officer is primarily working on cases, not applications. The officer will use multiple applications with SSO.
> When switching to a new case from a different agency all settings must change. (Except interruptions by
> customer calls).

I see, that wasn't clear.

> BTW, this use case is actually implemented this way in our legacy SSO system.

If it uses a shared cookie, I can see how. If not, I don't. SLO isn't practical now, if it ever was, so given your requirements, I don't know how to meet them practically.

It's not really so much whether this is specifiable, obviously it is, it's just not implementable.

I would probably argue for some other approach involving some kind of polling for the role. Perhaps the software could detect a lag in activity and when the user comes back "re-certify" the status using an API. Seems like a good OAuth use case.

-- Scott



