If a user SSOs into an SP, and then some amount of time goes by, during which the user's original session at the IDP has a 50% chance of expiring, is it not the case that, from the SP's PoV, the user can be considered to be in a superposition of signed-in and signed-out states at the IDP?
And, only once the SP asked the IDP for a new authentication assertion (with saml:ForceAuthn='false' or equivalent), would the user's authentication wave collapse into one of the two states - this result manifested in the IDP response?
1 comment:
Just excellent !
Post a Comment