<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html;charset=ISO-8859-1" http-equiv="Content-Type">
</head>
<body bgcolor="#ffffff" text="#000000">
Eric Sachs wrote:
<blockquote
cite="mid:c4161f510907071047n62297e5axf287d835258c366d@mail.gmail.com"
type="cite">
<div><br>
</div>
<div>The short version of my suggestion is that IDPs should be
"lazy." For any value of max_auth_age (including 0), the "lazy" can
ALWAYS perform a re-authentication before sending the user to the RP.
The IDP could also send along the "last authentication time" as well,
but it isn't particularly interesting in this case.</div>
<div><br>
</div>
</blockquote>
This is a good compromise that satisfies the use case that RPs seem to
be asking for - which is to be able to force the OP to re-authenticate
the user (verify the user's password) before returning a positive
assertion, while making it possible to optimize the user experience
later, if this becomes an issue.<br>
<br>
As a best practice, we should recommend that we use max_auth_age=0 as
the flag for this behavior to eliminate any ambiguity for implementers.
<br>
<br>
Speaking on behalf of the Yahoo OP, we will implement the "lazy"
behavior, with the recommendation that RPs that want to force a
password reprompt send max_auth_age=0 in the authentication request to
indicate this. Our experience within Yahoo is that applications that
actually care about the user's last authentication time almost always
elect to force a password re-verification, rather than try to determine
if the last authentication time is acceptable. Although this can
sometimes result in a sub-optimal user experience, in which the user is
forced to enter their password multiple times within a short interval,
in practice, applications that actually care about this prefer to take
the conservative (and easier) approach of just unconditionally forcing
the password to be re-verified.<br>
<br>
<blockquote
cite="mid:c4161f510907071047n62297e5axf287d835258c366d@mail.gmail.com"
type="cite">
<div><span class="Apple-style-span" style="border-collapse: collapse;">In
the future we will hopefully find some aggressive early-adopters who
have a strong need for the more advanced max_auth_age flow, and they
can help define the best practices. But in the meantime, I'd suggest
that IDPs start with the "lazy" version and see how far it gets us.</span></div>
<div><span class="Apple-style-span" style="border-collapse: collapse;"><br>
</span></div>
</blockquote>
Works for me!<br>
Allen<br>
<br>
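Added example, not part of the thread: a small Python model of the two policies discussed above, the "lazy" OP that re-verifies the password whenever max_auth_age is present (including 0), the age-comparing OP as the alternative, and the RP-side check of the returned authentication time. The parameter names openid.pape.max_auth_age and openid.pape.auth_time are assumed from the PAPE extension; the timestamps and request dictionaries are constructed for the example.<br>

```python
from datetime import datetime, timedelta, timezone

# Assumed PAPE parameter names; the request/response are modelled as plain dicts.
MAX_AUTH_AGE = "openid.pape.max_auth_age"
AUTH_TIME = "openid.pape.auth_time"
RFC3339 = "%Y-%m-%dT%H:%M:%SZ"


def op_must_reauthenticate(request: dict, last_auth: datetime,
                           now: datetime, lazy: bool = True) -> bool:
    """OP decision: re-verify the user's password before sending a positive assertion?

    lazy=True is the behaviour recommended in the thread: any max_auth_age,
    including 0, always forces a re-authentication. lazy=False is the
    "advanced" flow that compares the requested age with the last login.
    """
    raw = request.get(MAX_AUTH_AGE)
    if raw is None:
        return False            # RP did not ask; the existing session suffices
    max_age = int(raw)
    if max_age < 0:
        raise ValueError("max_auth_age must be a non-negative number of seconds")
    if lazy:
        return True             # "lazy" OP: always re-prompt when asked at all
    return (now - last_auth) > timedelta(seconds=max_age)


def op_build_response(request: dict, last_auth: datetime, now: datetime,
                      lazy: bool = True) -> dict:
    """Return the auth_time the OP would report after applying its policy."""
    auth_time = now if op_must_reauthenticate(request, last_auth, now, lazy) else last_auth
    return {AUTH_TIME: auth_time.strftime(RFC3339)}


def rp_accepts_auth_time(requested_max_age, response: dict, now: datetime,
                         skew: timedelta = timedelta(seconds=60)) -> bool:
    """RP-side check: the OP controls the assertion, so the RP verifies the
    reported auth_time against what it asked for instead of trusting it blindly.

    requested_max_age=0 means "must have just authenticated", so only clock
    skew is tolerated. A future-dated auth_time is rejected outright.
    """
    auth_time = datetime.strptime(response[AUTH_TIME], RFC3339).replace(tzinfo=timezone.utc)
    if auth_time > now + skew:
        return False
    if requested_max_age is None:
        return True
    return (now - auth_time) <= timedelta(seconds=requested_max_age) + skew


# Constructed scenario: the user logged in ten minutes before the RP's request.
NOW = datetime(2009, 7, 7, 18, 0, 0, tzinfo=timezone.utc)
LAST_AUTH = NOW - timedelta(minutes=10)


def run_scenarios() -> dict:
    """Walk the policies through the cases discussed in the thread."""
    results = {}
    results["lazy_age0"] = op_must_reauthenticate({MAX_AUTH_AGE: "0"}, LAST_AUTH, NOW)
    results["lazy_age3600"] = op_must_reauthenticate({MAX_AUTH_AGE: "3600"}, LAST_AUTH, NOW)
    results["strict_age3600"] = op_must_reauthenticate({MAX_AUTH_AGE: "3600"}, LAST_AUTH, NOW, lazy=False)
    results["strict_age300"] = op_must_reauthenticate({MAX_AUTH_AGE: "300"}, LAST_AUTH, NOW, lazy=False)
    results["no_param"] = op_must_reauthenticate({}, LAST_AUTH, NOW)
    # RP asked for max_auth_age=0: a lazy OP's fresh auth_time passes, a stale one fails.
    fresh = op_build_response({MAX_AUTH_AGE: "0"}, LAST_AUTH, NOW, lazy=True)
    stale = {AUTH_TIME: LAST_AUTH.strftime(RFC3339)}
    results["rp_accepts_fresh"] = rp_accepts_auth_time(0, fresh, NOW)
    results["rp_rejects_stale"] = rp_accepts_auth_time(0, stale, NOW)
    return results


if __name__ == "__main__":
    for name, value in run_scenarios().items():
        print(f"{name}: {value}")
```

The RP check is the part an implementer most easily forgets: sending max_auth_age=0 only expresses a wish, and the RP still has to look at the auth_time that comes back before treating the assertion as a fresh password verification.<br>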
</body>
</html>