shibboleth-dev - NameIdentifier TTL
Subject: Shibboleth Developers
- From: Tom Scavo <>
- To: Shibboleth Development <>
- Subject: NameIdentifier TTL
- Date: Fri, 9 Dec 2005 21:53:46 -0500
- Domainkey-signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:to:subject:mime-version:content-type:content-transfer-encoding:content-disposition; b=KIHOOQsyCgdINVLQNsFeVRPTQcbnU/AFeDHY4ts1KT7y6DpzDvpexUj6ZfyxzPX3Fwz7m96x1EHJGWqscIuimk32ZwdkdplGI6Ff7QlRZzR4vRWx2k75ml4SlT8NxjzVXxzWD3EkgdC+9p190s0nQI7z/VC3I2wTSUrVDRC52ws=
Briefly, an IdP-first non-browser profile with attribute pull:

1. A (non-browser) client retrieves an authentication assertion from an IdP.
2. The client uses the assertion to authenticate to a CA (in a different domain) who issues a short-lived X.509 credential.
3. The client presents the X.509 EEC to a Grid SP (in yet another domain) who turns around and issues an attribute query to the AA.

Problem: The time-to-live of the NameIdentifier in the assertion should match that of the X.509 cert. How is this best accomplished?
Thanks,
Tom
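The lifetime mismatch Tom describes can be checked mechanically at the CA before it issues the short-lived certificate. The following is an added example, not code from the original message or from the Shibboleth project. It assumes that the NameIdentifier's lifetime is bounded by the enclosing SAML 1.1 assertion's Conditions element (NotBefore / NotOnOrAfter); the assertion XML, entity names and timestamps below are constructed sample values.

```python
import datetime as dt
import xml.etree.ElementTree as ET

SAML1_NS = "urn:oasis:names:tc:SAML:1.0:assertion"

# Constructed sample SAML 1.1 authentication assertion (not from the original post).
# The Conditions window is 12 hours; the NameIdentifier value is a made-up handle.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
    AssertionID="_example-assertion-id" Issuer="https://idp.example.org/shibboleth"
    IssueInstant="2005-12-09T21:00:00Z" MajorVersion="1" MinorVersion="1">
  <saml:Conditions NotBefore="2005-12-09T21:00:00Z" NotOnOrAfter="2005-12-10T09:00:00Z"/>
  <saml:AuthenticationStatement AuthenticationInstant="2005-12-09T21:00:00Z"
      AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password">
    <saml:Subject>
      <saml:NameIdentifier Format="urn:mace:shibboleth:1.0:nameIdentifier"
          NameQualifier="https://idp.example.org/shibboleth">_example-handle</saml:NameIdentifier>
    </saml:Subject>
  </saml:AuthenticationStatement>
</saml:Assertion>"""


def parse_utc(stamp):
    """Parse the 'YYYY-MM-DDTHH:MM:SSZ' form used in the sample into an aware datetime."""
    return dt.datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=dt.timezone.utc)


def assertion_window(xml_text):
    """Return (name_identifier, not_before, not_on_or_after) from a SAML 1.1 assertion.

    Assumption: the NameIdentifier is usable exactly while the assertion's
    Conditions hold, so the Conditions window is the handle's time-to-live.
    """
    root = ET.fromstring(xml_text)
    cond = root.find(f"{{{SAML1_NS}}}Conditions")
    nid = root.find(f".//{{{SAML1_NS}}}NameIdentifier")
    if cond is None or nid is None:
        raise ValueError("assertion lacks Conditions or NameIdentifier")
    return nid.text, parse_utc(cond.get("NotBefore")), parse_utc(cond.get("NotOnOrAfter"))


def ttl_problems(assertion_xml, cert_not_before, cert_not_after):
    """List the ways a proposed certificate validity fails to match the handle TTL.

    An empty list means the cert is valid only while the handle is: every
    attribute query the Grid SP makes during the cert's lifetime will find
    a live NameIdentifier at the AA.
    """
    _, nb, noa = assertion_window(assertion_xml)
    problems = []
    if cert_not_before < nb:
        problems.append("cert valid before the assertion's NotBefore")
    if cert_not_after > noa:
        problems.append("cert outlives the assertion's NotOnOrAfter; "
                        "later attribute queries will reference a dead handle")
    return problems


def clamp_cert_expiry(assertion_xml, requested_not_after):
    """Expiry a CA could actually issue: the requested value, capped at the handle's end."""
    _, _, noa = assertion_window(assertion_xml)
    return min(requested_not_after, noa)


if __name__ == "__main__":
    # The CA is asked for a 24-hour EEC, but the handle lives only 12 hours.
    issue = parse_utc("2005-12-09T21:05:00Z")
    wanted = issue + dt.timedelta(hours=24)
    print(ttl_problems(SAMPLE_ASSERTION, issue, wanted))
    print(clamp_cert_expiry(SAMPLE_ASSERTION, wanted).isoformat())
```

The check is deliberately one-directional: a certificate that expires before the handle does is harmless, so only a cert that outlives the handle (or predates it) is reported.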
- NameIdentifier TTL, Tom Scavo, 12/09/2005
- RE: NameIdentifier TTL, Scott Cantor, 12/10/2005
- Re: NameIdentifier TTL, Tom Scavo, 12/11/2005
- RE: NameIdentifier TTL, Scott Cantor, 12/11/2005
- RE: NameIdentifier TTL, Scott Cantor, 12/11/2005
- Re: NameIdentifier TTL, Tom Scavo, 12/11/2005
- RE: NameIdentifier TTL, Scott Cantor, 12/11/2005
- Re: NameIdentifier TTL, Tom Scavo, 12/12/2005
- RE: NameIdentifier TTL, Scott Cantor, 12/12/2005
- Re: NameIdentifier TTL, Tom Scavo, 12/12/2005
- RE: NameIdentifier TTL, Scott Cantor, 12/12/2005
- Re: NameIdentifier TTL, Tom Scavo, 12/12/2005
- RE: NameIdentifier TTL, Scott Cantor, 12/11/2005
- RE: NameIdentifier TTL, Scott Cantor, 12/11/2005
- Re: NameIdentifier TTL, Tom Scavo, 12/11/2005
- RE: NameIdentifier TTL, Scott Cantor, 12/10/2005