shibboleth-dev - RE: NameIdentifier TTL

  • From: "Scott Cantor" <>
  • To: <>
  • Subject: RE: NameIdentifier TTL
  • Date: Sun, 11 Dec 2005 15:10:10 -0500
  • Organization: The Ohio State University

> But no matter what you do, SAML supplies no syntax for talking about the
> TTL of a NameID.

Actually, I have to soften that...in 2.0, you can encrypt a signed assertion
into an EncryptedID, and the semantics of that are such that if the signed
assertion is limited in some way (like expiration), then the relying party
can use that to reject the attempt to use the NameID inside it. Liberty WSF
2.0 uses this feature in their identity tokens that are used like tickets to
reference principals.

But the semantic is more "limits on the use of the identifier" and not
really "expiration of the identifier".

-- Scott
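The relying-party side of what Scott describes, as an added illustration that is not part of his message or of the Shibboleth code base: when an EncryptedID decrypts to a whole signed assertion rather than a bare NameID, the relying party honours that assertion's Conditions (NotBefore, NotOnOrAfter, AudienceRestriction) before it treats the enclosed NameID as usable. The sample assertion, entityIDs and timestamps are constructed; the example assumes decryption and XML signature verification have already been done by a real XML security library and implements only the "limits on use" evaluation.

```python
"""Relying-party check of a NameID carried inside a SAML 2.0 EncryptedID.

Constructed example (not from the shibboleth-dev thread or Shibboleth code).
Assumes the EncryptedID has already been decrypted and the enclosed
assertion's signature verified upstream; only the Conditions evaluation
that limits use of the NameID is implemented here.
"""
from datetime import datetime, timedelta
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML}

# Constructed sample: what an EncryptedID might contain after decryption.
# ds:Signature is omitted because signature verification is assumed done.
DECRYPTED_ASSERTION = f"""
<saml:Assertion xmlns:saml="{SAML}" ID="_a1" Version="2.0"
                IssueInstant="2005-12-11T20:00:00Z">
  <saml:Issuer>https://idp.example.org/idp</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
                 NameQualifier="https://idp.example.org/idp">
      8a7c2f9e-constructed-persistent-id
    </saml:NameID>
  </saml:Subject>
  <saml:Conditions NotBefore="2005-12-11T20:00:00Z"
                   NotOnOrAfter="2005-12-11T20:10:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://sp.example.org/shibboleth</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>
"""


class NameIDRejected(Exception):
    """Raised when the wrapping assertion's Conditions forbid using the NameID."""


def _parse_instant(value):
    # SAML dateTime values are UTC and end in 'Z'; fromisoformat wants +00:00.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def name_id_from_encrypted_id(assertion_xml, our_entity_id, now,
                              skew=timedelta(minutes=3)):
    """Return (NameID value, Format) if the wrapping assertion permits its use.

    assertion_xml:  the already-decrypted, signature-verified assertion.
    our_entity_id:  the relying party's entityID, matched against Audience.
    now:            evaluation time as an aware datetime (injected for testing).
    skew:           tolerated clock difference between IdP and relying party.
    """
    root = ET.fromstring(assertion_xml)
    if root.tag != f"{{{SAML}}}Assertion":
        raise NameIDRejected("EncryptedID did not decrypt to a saml:Assertion")

    cond = root.find("saml:Conditions", NS)
    if cond is not None:
        nb = cond.get("NotBefore")
        if nb and now + skew < _parse_instant(nb):
            raise NameIDRejected("assertion not yet valid")
        noa = cond.get("NotOnOrAfter")
        if noa and now - skew >= _parse_instant(noa):
            raise NameIDRejected("assertion expired; NameID may not be used")
        # Simplification: reject if any AudienceRestriction is present and
        # none of its Audience values names this relying party.
        audiences = [a.text.strip() for a in
                     cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
        if audiences and our_entity_id not in audiences:
            raise NameIDRejected("assertion not addressed to this relying party")

    nid = root.find("saml:Subject/saml:NameID", NS)
    if nid is None or not (nid.text or "").strip():
        raise NameIDRejected("no NameID inside the assertion")
    return nid.text.strip(), nid.get("Format")


def usable_name_id(assertion_xml, our_entity_id, now_iso):
    """Convenience wrapper: the NameID value, or None when its use is rejected."""
    try:
        return name_id_from_encrypted_id(assertion_xml, our_entity_id,
                                         _parse_instant(now_iso))[0]
    except NameIDRejected:
        return None


if __name__ == "__main__":
    sp = "https://sp.example.org/shibboleth"
    for when in ("2005-12-11T20:05:00Z", "2005-12-11T20:30:00Z"):
        print(when, "->", usable_name_id(DECRYPTED_ASSERTION, sp, when))
```

Run within the assertion's validity window the NameID is returned; twenty minutes later the same ciphertext is refused even though the identifier itself has not changed, which is exactly the distinction between limits on use of the identifier and expiration of the identifier.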
