SL1 - how to let IdP dictate RP session lifetime in OpenID Connect #60
Comments
I think we need to see if there will be additional policy directives we want to convey from Enterprise IdP to RP or if it's limited to max session lifetime. If there is a need for a more general way to convey a policy directive/obligation, then solving in the AB working group would make sense to me as an extension. An IdP evaluating a conditional access policy for example may want to constrain the downstream session in a specific way such as:
If we just want to keep this requirement focused to max session lifetime and can define the boundary of "session", then I could see us just defining the claim as part of IPSIE profile and conformance. Curious what the group thinks
Would IPSIE specify a maximum session lifetime?
I would steer away from policy decisions like this within IPSIE, and stick to enabling enforcement of the IdP and RP policies between each other.
This makes sense to me. There's a rich set of directives that might be expressed. I look forward to discussing this further to see whether it has a home in AB.
SAML defines the SessionNotOnOrAfter claim to give the IdP a way to tell the RP how long to set the session as a timestamp. There is no equivalent claim currently defined in OpenID Connect. We should decide whether to define this as an OpenID Connect extension in the AB working group, or just define a new ID token claim in IPSIE.
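As an added example (not code from this issue, nor from the IPSIE or OpenID projects), the Python below shows how an RP could honor an IdP-supplied session-expiry claim of the kind discussed here while still applying its own maximum, so that neither side's policy is silently overridden. Because OpenID Connect currently defines no such claim, the claim name `session_not_on_or_after`, the HS256 test key, and the issuer/audience values are assumptions constructed for illustration only; real ID tokens are normally signed with the IdP's asymmetric key and verified against its JWKS.

```python
import base64
import hashlib
import hmac
import json
import time

# ASSUMPTION: hypothetical ID token claim carrying the IdP's session limit as a
# Unix timestamp (the OIDC analogue of SAML's SessionNotOnOrAfter). OpenID
# Connect defines no such claim; the name is a placeholder for illustration.
SESSION_EXPIRY_CLAIM = "session_not_on_or_after"


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_id_token(claims: dict, key: bytes) -> str:
    """Build a constructed HS256 JWT so the example runs offline."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signature = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(signature)}"


def verify_id_token(token: str, key: bytes, issuer: str, audience: str, now: int) -> dict:
    """Verify signature and the core iss/aud/exp checks before trusting any claim."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg; never accept 'none' or an unpinned algorithm")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("iss") != issuer:
        raise ValueError("unexpected issuer")
    if claims.get("aud") != audience:
        raise ValueError("token not issued for this RP")
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        raise ValueError("token expired or missing exp")
    return claims


def rp_session_expiry(claims: dict, now: int, rp_max_lifetime: int) -> int:
    """Combine the IdP's directive with the RP's own policy: the session ends at
    the earlier of the two, and an already-past IdP limit means no session."""
    rp_limit = now + rp_max_lifetime
    idp_limit = claims.get(SESSION_EXPIRY_CLAIM)
    if idp_limit is None:
        # No IdP directive: fall back to the RP's local maximum.
        return rp_limit
    if not isinstance(idp_limit, int) or isinstance(idp_limit, bool):
        raise ValueError("session limit claim must be an integer timestamp")
    if idp_limit <= now:
        raise ValueError("IdP session limit already passed; refuse to establish session")
    return min(idp_limit, rp_limit)


def demo() -> dict:
    """Run the full flow on constructed data and return the computed expiries."""
    key = b"constructed-test-key-not-for-production"  # ASSUMPTION: shared test secret
    now = 1_700_000_000
    base = {"iss": "https://idp.example", "aud": "rp-client", "sub": "alice", "iat": now, "exp": now + 300}
    rp_max = 8 * 3600
    results = {}
    # IdP limit (1h) is shorter than the RP's 8h maximum: the IdP wins.
    tok = make_id_token({**base, SESSION_EXPIRY_CLAIM: now + 3600}, key)
    results["idp_shorter"] = rp_session_expiry(verify_id_token(tok, key, base["iss"], base["aud"], now), now, rp_max)
    # IdP limit (24h) exceeds the RP maximum: the RP's own policy still caps it.
    tok = make_id_token({**base, SESSION_EXPIRY_CLAIM: now + 86400}, key)
    results["rp_shorter"] = rp_session_expiry(verify_id_token(tok, key, base["iss"], base["aud"], now), now, rp_max)
    # No directive at all: RP default applies.
    tok = make_id_token(base, key)
    results["no_claim"] = rp_session_expiry(verify_id_token(tok, key, base["iss"], base["aud"], now), now, rp_max)
    return results


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The point of `rp_session_expiry` is the one raised in the thread: the claim lets the IdP shorten a session, but it does not let it lengthen one beyond what the RP is willing to allow, and a malformed or already-expired value is treated as a refusal rather than ignored.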