
shibboleth-dev - RE: NameIdentifier TTL

Subject: Shibboleth Developers


RE: NameIdentifier TTL


  • From: "Scott Cantor"
  • Subject: RE: NameIdentifier TTL
  • Date: Sun, 11 Dec 2005 15:05:58 -0500
  • Organization: The Ohio State University

> Are you suggesting to use the Conditions element for this purpose?

No, what I'm saying is that the notion of NameID TTL doesn't exist in SAML.
It also makes little sense except in one specific case, transient IDs. And
in that particular case, I don't see why it matters that it be separate,
because those are typically good for one "session" anyway.

> I thought about that, but this is not done today and would introduce new
> semantics into the assertion. Today, as far as I can tell, the life
> of the assertion (given by the Conditions) and the life of the
> NameIdentifier are totally separate. Specifically, the life of an
> authentication assertion is fixed while the life of an attribute
> assertion is dictated by the longest-lived attribute.

You're talking about Shibboleth. You started off by saying "non-browser", so
your use case is not Shibboleth or web SSO by definition. In Shibboleth,
they are separate, but the TTL of the NameID is not communicated, because it
can't be.

> On second thought, using Conditions to convey the NameIdentifier TTL
> contradicts the short lifetime (5 min) principle associated with
> bearer assertions. Is there any alternative?

It's once again a waste of time to try and do anything "right" in SAML 1.1.
So on that level, it's somewhat hopeless.

But separate from that, I don't see why the bearer credential needs to be
short lived, since this isn't a standard profile. For that matter, why is it
even a bearer credential? If you're going to turn around and issue
certificates, why not just have some mechanism to embed the public key in
the assertion up front, and then you combine that with TLS or something when
you deliver the assertion as input to the CA.

But no matter what you do, SAML supplies no syntax for talking about the TTL
of a NameID.

-- Scott
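
The two distinctions in Scott's reply, that an assertion's lifetime lives only in Conditions (NameIdentifier has no attribute for a TTL) and that a subject can be confirmed as holder-of-key rather than bearer, as an added worked example. This is not code from the thread or from Shibboleth; it builds a constructed, unsigned SAML 1.1 authentication assertion and reads it back the way a relying party would. The issuer, AssertionID, handle value and key name are hypothetical; a real assertion would also carry a ds:Signature and a real key in ds:KeyInfo.

```python
# Added example, not from the thread or from Shibboleth. Element and attribute
# names follow the SAML 1.0/1.1 assertion schema; identifiers are hypothetical.
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML = "urn:oasis:names:tc:SAML:1.0:assertion"
DS = "http://www.w3.org/2000/09/xmldsig#"
CM_BEARER = "urn:oasis:names:tc:SAML:1.0:cm:bearer"
CM_HOLDER_OF_KEY = "urn:oasis:names:tc:SAML:1.0:cm:holder-of-key"
ET.register_namespace("saml", SAML)
ET.register_namespace("ds", DS)


def _iso(t):
    return t.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def _parse_iso(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def build_assertion(issued, lifetime, method, key_name=None):
    """Issuer side: build an unsigned SAML 1.1 authentication assertion.
    The only lifetime the syntax offers is Conditions/@NotBefore and
    @NotOnOrAfter; the NameIdentifier element has no TTL attribute at all.
    With holder-of-key confirmation the subject's key goes in ds:KeyInfo."""
    a = ET.Element(f"{{{SAML}}}Assertion", {
        "MajorVersion": "1", "MinorVersion": "1",
        "AssertionID": "_example-assertion-id",          # hypothetical
        "Issuer": "https://idp.example.org/shibboleth",  # hypothetical
        "IssueInstant": _iso(issued)})
    ET.SubElement(a, f"{{{SAML}}}Conditions", {
        "NotBefore": _iso(issued), "NotOnOrAfter": _iso(issued + lifetime)})
    stmt = ET.SubElement(a, f"{{{SAML}}}AuthenticationStatement", {
        "AuthenticationMethod": "urn:oasis:names:tc:SAML:1.0:am:password",
        "AuthenticationInstant": _iso(issued)})
    subj = ET.SubElement(stmt, f"{{{SAML}}}Subject")
    nid = ET.SubElement(subj, f"{{{SAML}}}NameIdentifier", {
        "NameQualifier": "idp.example.org",
        "Format": "urn:mace:shibboleth:1.0:nameIdentifier"})
    nid.text = "_transient-handle-123"  # hypothetical transient handle
    conf = ET.SubElement(subj, f"{{{SAML}}}SubjectConfirmation")
    ET.SubElement(conf, f"{{{SAML}}}ConfirmationMethod").text = method
    if method == CM_HOLDER_OF_KEY:
        # A real assertion would carry ds:KeyValue or ds:X509Data here.
        ki = ET.SubElement(conf, f"{{{DS}}}KeyInfo")
        ET.SubElement(ki, f"{{{DS}}}KeyName").text = key_name
    return ET.tostring(a, encoding="unicode")


def conditions_window(xml):
    """Relying-party side: the validity window of the assertion as a whole."""
    c = ET.fromstring(xml).find(f"{{{SAML}}}Conditions")
    return _parse_iso(c.get("NotBefore")), _parse_iso(c.get("NotOnOrAfter"))


def valid_at(xml, now):
    """NotBefore is inclusive, NotOnOrAfter exclusive (SAML core semantics)."""
    nb, noa = conditions_window(xml)
    return nb <= now < noa


def name_identifier(xml):
    """Return the NameIdentifier value and every attribute it carries.
    What is absent is the point: nothing here expresses a lifetime."""
    nid = ET.fromstring(xml).find(f".//{{{SAML}}}NameIdentifier")
    return nid.text, dict(nid.attrib)


def confirmation(xml):
    """Return (confirmation method, whether a key is bound to the subject)."""
    conf = ET.fromstring(xml).find(f".//{{{SAML}}}SubjectConfirmation")
    method = conf.findtext(f"{{{SAML}}}ConfirmationMethod")
    return method, conf.find(f"{{{DS}}}KeyInfo") is not None


def demo():
    t0 = datetime(2005, 12, 11, 20, 5, 58, tzinfo=timezone.utc)  # constructed
    bearer = build_assertion(t0, timedelta(minutes=5), CM_BEARER)
    hok = build_assertion(t0, timedelta(hours=1), CM_HOLDER_OF_KEY, "client-key-1")
    return {
        "bearer_valid_at_4min": valid_at(bearer, t0 + timedelta(minutes=4)),
        "bearer_valid_at_5min": valid_at(bearer, t0 + timedelta(minutes=5)),
        "nameid_attrs": sorted(name_identifier(bearer)[1]),
        "bearer_confirmation": confirmation(bearer),
        "hok_confirmation": confirmation(hok),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The bearer assertion is usable only inside its five-minute Conditions window, and the parsed NameIdentifier exposes nothing beyond NameQualifier and Format; any per-NameID lifetime would have to be agreed out of band. With holder-of-key confirmation the relying party (here, the CA in Scott's scenario) can require the presenter to prove possession of the key in ds:KeyInfo, for example by matching it against the client certificate on the TLS connection, which is why the assertion itself no longer needs to be short-lived.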
