shibboleth-dev - RE: NameIdentifier TTL
Subject: Shibboleth Developers
- From: "Scott Cantor"
- Subject: RE: NameIdentifier TTL
- Date: Sat, 10 Dec 2005 21:37:40 -0500
- Organization: The Ohio State University

> Problem: The time-to-live of the NameIdentifier in the assertion
> should match that of the X.509 cert. How is this best accomplished?

I think you're mixing two independent issues, "duration of credential" and
"presence".

The former is the TTL of the cert, of course.

The latter is saying "I don't want the Grid SP to be able to query for
attributes unless there's some evidence of a recent authentication act to
the SAML authority".

If you overload the TTL of the cert with the TTL of the identifier in order
to combine the two concepts, then I suppose the simplest way to implement
that is to set the assertion's expiration to be the same and then copy that
over to the certificate.
-- Scott
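
Added example, not part of the original message and not Shibboleth or GridShib code: one way to copy an assertion's expiration over to a certificate, as the message above suggests, allowing for the fact that SAML's NotOnOrAfter is exclusive while X.509's notAfter is inclusive with one-second resolution. It assumes a SAML 1.1 assertion carrying a Conditions element; the function names and the sample assertion are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML1_NS = "urn:oasis:names:tc:SAML:1.0:assertion"

# Constructed sample: minimal unsigned SAML 1.1 assertion with made-up values.
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
    MajorVersion="1" MinorVersion="1" AssertionID="_constructed-example"
    Issuer="https://idp.example.org/shibboleth"
    IssueInstant="2005-12-10T21:37:40Z">
  <saml:Conditions NotBefore="2005-12-10T21:37:40Z"
                   NotOnOrAfter="2005-12-11T09:37:40Z"/>
</saml:Assertion>
"""

def parse_saml_instant(value):
    """Parse a SAML xs:dateTime expressed in UTC ('Z', optional fraction)."""
    if not value or not value.endswith("Z"):
        raise ValueError("expected a UTC instant, got %r" % (value,))
    fmt = "%Y-%m-%dT%H:%M:%S.%f" if "." in value else "%Y-%m-%dT%H:%M:%S"
    return datetime.strptime(value[:-1], fmt).replace(tzinfo=timezone.utc)

def assertion_window(xml_text):
    """Return (NotBefore, NotOnOrAfter) from the assertion's Conditions."""
    root = ET.fromstring(xml_text)
    cond = root.find("{%s}Conditions" % SAML1_NS)
    if cond is None or cond.get("NotOnOrAfter") is None:
        raise ValueError("assertion has no expiration to copy")
    start = cond.get("NotBefore") or root.get("IssueInstant")
    return parse_saml_instant(start), parse_saml_instant(cond.get("NotOnOrAfter"))

def cert_validity(xml_text):
    """Map the assertion window to certificate (notBefore, notAfter)."""
    start, expiry = assertion_window(xml_text)
    # Round notBefore up to a whole second so the cert never predates the assertion.
    not_before = (start + timedelta(microseconds=999999)).replace(microsecond=0)
    # notAfter = last whole second strictly before the exclusive NotOnOrAfter.
    not_after = (expiry - timedelta(microseconds=1)).replace(microsecond=0)
    if not_after < not_before:
        raise ValueError("assertion lifetime is shorter than one second")
    return not_before, not_after

def x509_time(dt):
    """RFC 5280 encoding: UTCTime through 2049, GeneralizedTime from 2050."""
    return dt.strftime("%y%m%d%H%M%SZ" if dt.year < 2050 else "%Y%m%d%H%M%SZ")

if __name__ == "__main__":
    nb, na = cert_validity(SAMPLE_ASSERTION)
    print("notBefore", x509_time(nb), "notAfter", x509_time(na))
```
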