[OpenID] RP library authors

Peter Williams pwilliams at rapattoni.com
Fri Sep 11 18:47:00 UTC 2009
Several references are made to "session reset" - which is not a term I've heard anything about in 3 years of openid-general discussions... It's apparently the SAML2 forceauthn=true handling requirement, with identical semantics. Nothing required the IdP or user to participate, though.

Some more thoughts on this aspect of the profile. Assuming the OP has a user-browser/tab -> IdP session (or multiple such sessions if the browser instances do not share session state), we cannot have the ridiculous situation that one RP (of the several to which assertions have been released) can be forcing reauthentication of the user (or dropping the IdP session such that communications with the other RPs are affected).

We don't want a situation where some class of RPs all decide to auto-reauth every 50 mins from receipt of the PayPal assertion, which makes for continuous prompting of the user at the IdP to reauth as all the 50 min expiry periods happen to go off.

What we need is for the RP to detect that a suitable positive assertion did not come back - despite the request - and cut its own RP session (only). The destruction has no impact on any other RP session or IdP->RP relationship, though.
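The RP-side behaviour described in the message above, as an added example that is not part of the original post or of any OpenID library: the RP asks for freshness with PAPE max_auth_age, checks the returned auth_time against what it asked for, and on an unsuitable or negative response drops only its own local session (no call to the OP, no effect on other RPs). Re-authentication is decided lazily when the user next touches a protected resource, not from a timer. The class and function names and the sample responses are hypothetical and constructed; the `openid.*` and `openid.pape.*` field names are the real OpenID 2.0 / PAPE 1.0 parameter names. Signature, nonce and return_to verification are assumed to have happened before these functions see the response.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional


# Hypothetical RP-side session record (not from any OpenID library).
@dataclass
class RPSession:
    claimed_id: Optional[str] = None
    auth_time: Optional[datetime] = None
    active: bool = False


def parse_pape_time(value: str) -> datetime:
    """PAPE 1.0 auth_time is UTC in the form YYYY-MM-DDThh:mm:ssZ."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def drop_local_session(session: RPSession) -> None:
    """Cut only this RP's session.

    Deliberately no message to the OP and no shared state touched: the
    user's OP session and every other RP's session are left as they are.
    """
    session.claimed_id = None
    session.auth_time = None
    session.active = False


def handle_op_response(session: RPSession, response: Dict[str, str],
                       max_auth_age: int, now: datetime) -> bool:
    """Return True if a suitable positive assertion came back.

    Otherwise drop the local RP session and return False.  `max_auth_age`
    is the value (seconds) the RP sent as openid.pape.max_auth_age.
    """
    if response.get("openid.mode") != "id_res":
        # cancel / setup_needed: no positive assertion at all
        drop_local_session(session)
        return False
    auth_time_raw = response.get("openid.pape.auth_time")
    if auth_time_raw is None:
        # We asked for freshness; an OP that ignored PAPE returns no
        # auth_time, so this assertion is not "suitable" for our request.
        drop_local_session(session)
        return False
    auth_time = parse_pape_time(auth_time_raw)
    if now - auth_time > timedelta(seconds=max_auth_age):
        # Positive assertion, but older than what we asked for.
        drop_local_session(session)
        return False
    session.claimed_id = response["openid.claimed_id"]
    session.auth_time = auth_time
    session.active = True
    return True


def needs_reauth(session: RPSession, max_auth_age: int, now: datetime) -> bool:
    """Decide when the user next hits a protected resource, not on a timer
    that fires for every RP whether or not the user is present."""
    if not session.active or session.auth_time is None:
        return True
    return now - session.auth_time > timedelta(seconds=max_auth_age)


# Constructed sample responses (not captured traffic), already parsed into
# the key/value form the RP sees after handling the indirect response.
NOW = datetime(2009, 9, 11, 18, 47, 0, tzinfo=timezone.utc)
LATER = NOW + timedelta(minutes=60)
FRESH_RESPONSE = {
    "openid.ns": "http://specs.openid.net/auth/2.0",
    "openid.mode": "id_res",
    "openid.claimed_id": "https://example.com/alice",
    "openid.ns.pape": "http://specs.openid.net/extensions/pape/1.0",
    "openid.pape.auth_time": "2009-09-11T18:40:00Z",
}
STALE_RESPONSE = dict(FRESH_RESPONSE, **{"openid.pape.auth_time": "2009-09-11T16:00:00Z"})
CANCEL_RESPONSE = {"openid.ns": "http://specs.openid.net/auth/2.0", "openid.mode": "cancel"}

if __name__ == "__main__":
    s = RPSession()
    print(handle_op_response(s, FRESH_RESPONSE, 3000, NOW), s.active)
    print(needs_reauth(s, 3000, LATER))
    print(handle_op_response(s, STALE_RESPONSE, 3000, NOW), s.active)
```

With max_auth_age of 3000 seconds (50 minutes) the fresh response is accepted, the same session is flagged for re-auth an hour later only when `needs_reauth` is consulted, and a stale or cancelled response clears the one `RPSession` object and nothing else.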