shibboleth-dev - Re: HS/ISO interface
Subject: Shibboleth Developers
List archive
- From: "Michael A. Grady" <>
- To: ,
- Subject: Re: HS/ISO interface
- Date: Tue, 20 Nov 2001 10:05:33 -0600 (CST)
Actually, we've always had two time values -- idle time, and session time.
Most apps use idle time to determine when to require re-authentication,
not the elapsed session time. I'm not actaully sure what our Apache
module for Bluestem stuffs them into (as far as variable names), as I've
always used our subroutine API to get the information.
> From: "Scott Cantor"
> <>
> To:
> <>
> Subject: HS/ISO interface
> Date: Tue, 20 Nov 2001 10:28:50 -0500
> X-MSMail-Priority: Normal
> Importance: Normal
> X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
> X-OriginalArrivalTime: 20 Nov 2001 15:28:50.0186 (UTC)
FILETIME=[0DD286A0:01C171D8]
> X-Listprocessor-Version: 8.2.09/990901/11:28 -- ListProc(tm) by CREN
>
>
> I don't think this issue is complex enough to need any kind of
> "proposal", but I had one question. REMOTE_USER is obviously the place
> to specify the username be placed by the ISO layer for the HS to pick
> up, but is there any commonality in passing session lifetime?
>
> I use AUTH_LIFETIME (chosen to match AUTH_TYPE and some other AUTH_*
> headers that are somewhat standard), but I just picked it. What does
> pubcookie use? This should probably just be a "high vote wins" thing, I
> guess.
>
> I presume specifying it be in seconds wouldn't be too controversial,
> though.
>
> We don't need to specify what, if anything, the HS should do with the
> lifetime information. I don't know myself what would make sense. Does
> Kerberos issue service tickets that extend beyond the life of the TGT
> that asks for them?
>
> -- Scott
>
>
--
Michael A. Grady
Senior Research Programmer http://ljordal.cso.uiuc.edu
Computing & Communications Services Office (217) 244-1253 phone
University of Illinois at Urbana-Champaign (217) 265-5635 fax
Rm. 103, MC 680, 2212 Fox Drive, Suite C Champaign, IL 61820
------------------------------------------------------mace-shib-design-+
For list utilities, archives, subscribe, unsubscribe, etc. please visit the
ListProc web interface at
http://archives.internet2.edu/
------------------------------------------------------mace-shib-design--
- HS/ISO interface, Scott Cantor, 11/20/2001
- <Possible follow-up(s)>
- Re: HS/ISO interface, Michael A. Grady, 11/20/2001
- RE: HS/ISO interface, Scott Cantor, 11/20/2001
- RE: HS/ISO interface, Michael A. Grady, 11/20/2001
Archive powered by MHonArc 2.6.16.