Friday, June 29, 2007

Schrodinger's SSO

If a user SSOs into an SP, and then some amount of time goes by, during which the user's original session at the IDP has a 50% chance of expiring, is it not the case that, from the SP's point of view, the user can be considered to be in a superposition of signed-in and signed-out states at the IDP?

And only once the SP asks the IDP for a new authentication assertion (with saml:ForceAuthn='false' or equivalent) would the user's authentication wave function collapse into one of the two states, the result being manifested in the IDP response?
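The exchange above, as an added example that is not part of the original post: a constructed model of an IDP that keeps a browser session with an idle timeout, and an SP that learns whether that session survived only when it sends a new AuthnRequest. The SP reads the answer off the assertion's AuthnInstant (unchanged means the IDP reused its session; a new value means the user was re-authenticated), and a passive request (IsPassive='true') against a dead session comes back as the NoPassive status instead of a login prompt. Timeouts, cookie value, credentials and the class and method names are assumptions for illustration; the status URIs are the ones defined by SAML 2.0.

```python
"""Constructed model of SP/IDP session state under a SAML AuthnRequest.
Nothing here is a real product's API; timeouts and names are assumptions."""
from dataclasses import dataclass
from typing import Optional, Tuple

# Status URIs as defined by SAML 2.0 Core
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
RESPONDER = "urn:oasis:names:tc:SAML:2.0:status:Responder"
NO_PASSIVE = "urn:oasis:names:tc:SAML:2.0:status:NoPassive"
AUTHN_FAILED = "urn:oasis:names:tc:SAML:2.0:status:AuthnFailed"


@dataclass
class IdpSession:
    user: str
    authn_instant: int   # when the user last actually entered credentials
    last_activity: int   # the idle timer is measured from here


@dataclass
class Assertion:
    subject: str
    authn_instant: int            # becomes <saml:AuthnStatement AuthnInstant=...>
    session_not_on_or_after: int  # IDP's own upper bound for the session


@dataclass
class SamlResponse:
    status: str
    sub_status: Optional[str] = None
    assertion: Optional[Assertion] = None


class IdentityProvider:
    def __init__(self, idle_timeout: int):
        self.idle_timeout = idle_timeout
        self.sessions: dict = {}  # browser cookie value -> IdpSession

    def _live_session(self, cookie: str, now: int) -> Optional[IdpSession]:
        """Return the session behind `cookie` if it has not idled out, else drop it."""
        s = self.sessions.get(cookie)
        if s is None or now - s.last_activity > self.idle_timeout:
            self.sessions.pop(cookie, None)
            return None
        return s

    def interactive_login(self, cookie: str, user: str, password: str, now: int) -> bool:
        # Constructed credential check; a real IDP verifies against a directory.
        if password != "correct-horse":
            return False
        self.sessions[cookie] = IdpSession(user, authn_instant=now, last_activity=now)
        return True

    def handle_authn_request(self, cookie: str, now: int, force_authn: bool = False,
                             is_passive: bool = False,
                             credentials: Optional[Tuple[str, str]] = None) -> SamlResponse:
        session = self._live_session(cookie, now)
        if session is not None and not force_authn:
            # Reuse the existing session: AuthnInstant stays the original login time.
            session.last_activity = now
            return SamlResponse(SUCCESS, assertion=Assertion(
                session.user, session.authn_instant, now + self.idle_timeout))
        if is_passive:
            # The SP asked us not to interact with the user, so we cannot log them in.
            return SamlResponse(RESPONDER, NO_PASSIVE)
        if credentials is None or not self.interactive_login(cookie, *credentials, now):
            return SamlResponse(RESPONDER, AUTHN_FAILED)
        s = self.sessions[cookie]
        return SamlResponse(SUCCESS, assertion=Assertion(
            s.user, s.authn_instant, now + self.idle_timeout))


class ServiceProvider:
    """Keeps its own (shorter) session and cannot see the IDP's session store."""

    def __init__(self, idp: IdentityProvider, local_timeout: int):
        self.idp = idp
        self.local_timeout = local_timeout
        self.session = None  # (subject, authn_instant, local_expiry) or None

    def sign_in(self, cookie: str, now: int, credentials=None,
                force_authn: bool = False, is_passive: bool = False) -> str:
        resp = self.idp.handle_authn_request(cookie, now, force_authn, is_passive, credentials)
        if resp.status != SUCCESS:
            self.session = None
            return resp.sub_status
        a = resp.assertion
        # Same AuthnInstant as before means the IDP session was still alive and was reused.
        reused = self.session is not None and a.authn_instant == self.session[1]
        self.session = (a.subject, a.authn_instant, now + self.local_timeout)
        return "idp-session-reused" if reused else "fresh-authentication"


def run_demo() -> list:
    """Walk through the post's scenario; returns what the SP observed, in order."""
    idp = IdentityProvider(idle_timeout=600)
    sp = ServiceProvider(idp, local_timeout=200)
    cookie = "idp-cookie-1"  # constructed value standing in for the browser's IDP cookie
    creds = ("alice", "correct-horse")
    seen = []
    seen.append(sp.sign_in(cookie, now=0, credentials=creds))                  # first SSO
    seen.append(sp.sign_in(cookie, now=300, is_passive=True))                  # IDP session alive
    seen.append(sp.sign_in(cookie, now=1000, is_passive=True))                 # idled out: NoPassive
    seen.append(sp.sign_in(cookie, now=1000, credentials=creds))               # user logs in again
    seen.append(sp.sign_in(cookie, now=1100, credentials=creds, force_authn=True))  # step-up
    return seen


if __name__ == "__main__":
    for step, outcome in enumerate(run_demo(), 1):
        print(step, outcome)
```

The SP's local timeout is deliberately shorter than the IDP's, which is why the second request finds the IDP session alive while the third does not; the last request shows that ForceAuthn='true' is the way to demand a fresh login regardless of what state the IDP session is in.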

