Shibboleth Developers

[Peter Schober <>]

* André Cruz 
<>
 [2009-02-26 14:50]:
> On Feb 26, 2009, at 13:43 , Chad La Joie wrote:
>> André Cruz wrote:
>>> No. Most people think this means that the probability of the user  
>>> being
>>> who he says he is is bigger.
>>
>> Really?  That's not what I've heard any app developer say.
>
> That's exactly what Peter Schober said:
>
> Peter Schober wrote:
> "Some of our SPs were expecting to increase the likelihood that the
> correct person is accessing their resource by using forceAuthn."
>
> At least that's the way I read it.

Mostly, yes. I actually started out with a negative sentence, but
restructured to make it simpler/easier (bad idea ;)
Let me put it this way:

Some of our SPs were expecting to decrease the likelihood of some
unidentified person walking up to a PC (e.g. one of those locked-down
kiosk PCs in parts of our own university, where you can't close the
browser or delete cookies) and be able to reuse someone else's
"leftover" SSO session. Very probably this will happen by mistake and
does not require bad intent on part of the next person using that
kiosk.

Obviously those kiosks need to get fixed (to allow ending your
session, clearing up all data), but in principle the same applies to
other PCs, kiosks, etc. which we have even less influence.

A button on the IdP login.jsp to disable the previous session handler
for this one session might also help here, is that a feature request
you would consider?

cheers,
-peter

-- 

 - vienna university computer center
Universitaetsstrasse 7, A-1010 Wien, Austria/Europe
Tel. +43-1-4277-14155, Fax. +43-1-4277-9140