[OpenID] OpenID Auth integrity vs data origin authentication

Peter Williams pwilliams at rapattoni.com
Mon Aug 27 15:20:21 UTC 2007


We tend to look at WebSSO as a structured HTTP flow over a connection:
make assertion in some blob format, reference it via artifact#, receiver
goes and gets it. In OpenID Auth, earlier I noted how multiple pending
assertions can be stored in the initiator's session, easily:-

"1. The structure of the code suggests that a consumer could have
multiple outstanding tokens per ASP.NET sessionId, any one of which a
server could target when also presenting a FormsAuthentication cookie,
say."

If we look at work from SAML2 committee records, we see related
signaling discussion. It addresses querying for unexpired assertions,
per the excerpt below. OpenID Auth could be doing the same, presumably,
leveraging the above framework. It would be doing it for the same use
cases, presumably, as contemplated by the SAML2+ folk.

Presumably - an infrastructure for handling multiple outstanding
SAML/OpenID assertions is more relevant to a webservices SSO world,
rather than the traditional world of stateful, cookie-driven webSSO
facilitating easy access to HTML/XML/RDF documents.

-----------------

1 Deferred Issues for SAML V2.0

1.1 Outstanding Assertions and NameID Changes

First reported by: Conor Cahill on 21 April 2006

Message:
http://lists.oasis-open.org/archives/security-services/200604/msg00021.html

When a SP changes a SPProvidedNameID with the IdP, an interesting piece
of information that could be quite useful for the IdP to return to the SP
would be an indication of whether or not there are any outstanding
assertions and if so, what the anticipated expiration time of the longest
lasting assertion.
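As an added illustration (not code from the post, nor from any OpenID or SAML library), here is a relying-party-side session store that keeps several outstanding assertion handles per session, accepts each handle only once while it is unexpired, and answers the SAML excerpt's question of whether unexpired assertions remain and when the longest-lived one expires. Handle names, lifetimes and timestamps are constructed for the example.

```python
from dataclasses import dataclass, field


@dataclass
class PendingAssertion:
    handle: str            # assertion/artifact handle (constructed value)
    expires_at: float      # absolute expiry, seconds since epoch
    consumed: bool = False # set once accepted, so a replayed handle is refused


@dataclass
class ConsumerSession:
    """One consumer (relying-party) session holding several pending assertions."""
    pending: dict = field(default_factory=dict)

    def issue(self, handle: str, lifetime: float, now: float) -> None:
        # Record a newly issued assertion handle with its expiry time.
        self.pending[handle] = PendingAssertion(handle, now + lifetime)

    def prune(self, now: float) -> None:
        # Drop handles that have expired or have already been consumed.
        self.pending = {
            h: a for h, a in self.pending.items()
            if a.expires_at > now and not a.consumed
        }

    def outstanding(self, now: float):
        """Return (has_unexpired, latest_expiry): the indication the SAML
        excerpt suggests an IdP could report back to the SP."""
        self.prune(now)
        if not self.pending:
            return (False, None)
        return (True, max(a.expires_at for a in self.pending.values()))

    def accept(self, handle: str, now: float) -> bool:
        """Accept a returning assertion only if it is pending, unexpired and
        not yet consumed; any one of the pending handles may be targeted."""
        a = self.pending.get(handle)
        if a is None or a.consumed or a.expires_at <= now:
            return False
        a.consumed = True
        return True
```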
