[OpenID] About Facebook, MySpace and OpenID

Deron Meranda deron.meranda at gmail.com
Sun Apr 5 16:27:10 UTC 2009


On Sun, Apr 5, 2009 at 10:59 AM, Peter Williams <pwilliams at rapattoni.com> wrote:
> Out of interest, what happens the second time (on the same OP session)?
>
> In the SAML websso protocol,...requires a recent act of user (re)authentication
> (using an RSA securid time-synced tokencode, typically) and reconfirmation
> that the member has an attribute indicating s/he is (still) in good standing
> with the IDP’s membership policies. ...
>
> Our OP/RP openid implementation happens to be a multi-stage gateway –  SAML
> and openid auth protocol engines operating in a pretty common co-resident
> fashion ... If the SAML RP makes a followup request 5m later, with
> ispassive=true (no UI allowed), the same set of attributes will be required.
> There is no context for the second protocol run, given the first – that
> enable it to ask for more or less attributes the second time.

I don't know a lot about SAML, but it sounds like none of this is really
dependent upon Google's AX behavior.  Perhaps there could be some
relevance with PAPE, but even then I'm not sure.

What kind of AX attributes were you envisioning that you'd want to
check every 5 minutes?  And I'm not sure what kind of "context",
or lack of one, that you are discussing.
-- 
Deron Meranda
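Added example, not part of the original thread and not code from either poster. It shows the OpenID-side analogue of the SAML behaviour Peter describes: an RP builds a checkid request carrying a PAPE max_auth_age (the "recent act of user (re)authentication" requirement) plus an AX fetch_request for the attributes it needs, and, on the return trip, enforces freshness itself from the signed openid.pape.auth_time rather than trusting the OP to have honoured max_auth_age. The parameter names are those of OpenID 2.0, PAPE 1.0 and AX 1.0; the function names, the attribute aliases and the sample response are constructed for illustration. Signature verification of the assertion (association or check_authentication) is assumed to happen elsewhere; this code only checks that the PAPE fields are inside the signed field list, so an unsigned auth_time cannot be injected.

```python
import datetime

OPENID2_NS = "http://specs.openid.net/auth/2.0"
PAPE_NS = "http://specs.openid.net/extensions/pape/1.0"
AX_NS = "http://openid.net/srv/ax/1.0"


def build_checkid_request(op_endpoint, claimed_id, return_to,
                          max_auth_age, ax_attrs, immediate=False):
    """Build the parameters of an OpenID 2.0 checkid request.

    immediate=True selects checkid_immediate (no UI allowed), which is the
    OpenID counterpart of a SAML request with IsPassive=true.
    ax_attrs maps an alias (our choice) to an AX type URI.
    """
    params = {
        "openid.ns": OPENID2_NS,
        "openid.mode": "checkid_immediate" if immediate else "checkid_setup",
        "openid.claimed_id": claimed_id,
        "openid.identity": claimed_id,
        "openid.return_to": return_to,
        # PAPE: ask the OP to re-authenticate if the last auth is older than this
        "openid.ns.pape": PAPE_NS,
        "openid.pape.max_auth_age": str(int(max_auth_age)),
        # AX: fetch the attributes we must re-confirm on every run
        "openid.ns.ax": AX_NS,
        "openid.ax.mode": "fetch_request",
        "openid.ax.required": ",".join(ax_attrs),
    }
    for alias, type_uri in ax_attrs.items():
        params[f"openid.ax.type.{alias}"] = type_uri
    return params


def parse_auth_time(value):
    """PAPE 1.0 auth_time is an ISO 8601 UTC timestamp: YYYY-MM-DDThh:mm:ssZ."""
    return datetime.datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(
        tzinfo=datetime.timezone.utc)


def check_pape_freshness(response, max_auth_age, now):
    """Decide whether a positive assertion satisfies our own max_auth_age.

    Returns (ok, reason). The RP must enforce this itself: max_auth_age in
    the request is only a hint to the OP, and an OP may ignore it.
    """
    signed = set(response.get("openid.signed", "").split(","))
    # Extension fields are only trustworthy if covered by the signature.
    for field in ("ns.pape", "pape.auth_time"):
        if field not in signed:
            return False, f"{field} not in openid.signed"
    if response.get("openid.ns.pape") != PAPE_NS:
        return False, "no PAPE response"
    try:
        auth_time = parse_auth_time(response["openid.pape.auth_time"])
    except (KeyError, ValueError):
        return False, "missing or malformed auth_time"
    age = (now - auth_time).total_seconds()
    if age < 0:
        return False, "auth_time is in the future"
    if age > max_auth_age:
        return False, f"auth_time too old ({int(age)}s > {max_auth_age}s)"
    return True, "fresh"


# Constructed sample: a positive assertion whose PAPE fields are signed.
SAMPLE_NOW = datetime.datetime(2009, 4, 5, 16, 27, 10, tzinfo=datetime.timezone.utc)
SAMPLE_RESPONSE = {
    "openid.ns": OPENID2_NS,
    "openid.mode": "id_res",
    "openid.ns.pape": PAPE_NS,
    "openid.pape.auth_time": "2009-04-05T16:20:00Z",   # 430 s before SAMPLE_NOW
    "openid.pape.auth_policies": "http://schemas.openid.net/pape/policies/2007/06/none",
    "openid.signed": "op_endpoint,claimed_id,identity,return_to,response_nonce,"
                     "assoc_handle,ns.pape,pape.auth_time,pape.auth_policies",
}

if __name__ == "__main__":
    req = build_checkid_request(
        "https://op.example/endpoint", "https://alice.example/",
        "https://rp.example/return", 300,
        {"email": "http://axschema.org/contact/email"}, immediate=True)
    print(req["openid.mode"], req["openid.pape.max_auth_age"])
    print(check_pape_freshness(SAMPLE_RESPONSE, 300, SAMPLE_NOW))
    print(check_pape_freshness(SAMPLE_RESPONSE, 600, SAMPLE_NOW))
```

With a 5-minute policy the sample assertion is rejected (430 s old), with a 10-minute policy it passes; the same code runs unchanged for the follow-up checkid_immediate request, which is the point Peter raises about the second protocol run.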


