Shibboleth Developers

[Tom Scavo <>]

On 12/15/05, Scott Cantor 
<>
 wrote:
>
> > General (SAML2) questions:
> > - Do either SubjectConfirmationData/@NotOnOrAfter or
> > Conditions/@NotOnOrAfter implicitly refer to the lifetime of
> > Subject/NameID?  (Yes, I'm still having trouble with the semantics of
> > transient identifiers.)
>
> No, not in the least. They refer to the window in which the confirmation can
> happen in a profile, nothing more.

The first one does that, yes, but what about the second
(Conditions/@NotOnOrAfter)?  How can the assertion be "valid" if the
NameID is invalid?

> Transients have no requirement on lifetime whatsoever. They can be useless
> the instant the assertion leaves the issuer or last for years (dumb, but
> legal). The whole point is to not promise anything at all.

Yeah, this is off topic (I really should send this to saml-dev) but I
think transient identifiers are woefully underspecified.  The
Shibboleth language was inherited by SAML 2.0, but I'm left with an
empty feeling about them.  We've been trying hard to leverage
transients in GridShib but it has been very, very difficult.  We can't
make any assumptions about them, which renders them pretty useless for
our purposes.

I think profiles should have something to say about identifiers,
especially transients, but none of the SAML2 profiles even mentions
this.  I think that's a problem.

Tom