Dynamic Sessions OASIS Security Services Face to Face #3 June 25, 2001
Motivation The purpose of Dynamic Sessions is to allow the federation of SAML-aware applications into a cooperative ecosystem that presents users and administrators with a single, global login session across all of the participating applications in the ecosystem.
Static Sessions [diagram; only the recoverable content is kept] Participants: User, Authentication Authority, Application #1, Application #2. Steps: 1 Authenticate; 2 Access; 3 Timeout; 4 Re-Access. Each application computes its own "Timeout in" value from its own last-access time (TA1, TA2) plus its own timeout interval, so the re-access of Application #1 (TA1') refreshes only Application #1's timeout while Application #2 still counts from TA2.
Dynamic Sessions [diagram; only the recoverable content is kept] Same participants and steps. An access to either application refreshes both timeouts: after step 2 both applications count from TA2, and after the re-access of Application #1 both count from TA1' (each plus its own timeout interval).
Terms
Local Session – A set of state information shared between a client application and the Resource Manager. This information is used for tracking the user's activity within the overall system. Example implementation: javax.servlet.http.HttpSession.
Global Session – The union of the set of Local Sessions maintained by various Resource Managers that apply to the same Principal and Authentication Assertion.
Resource Manager – An Entity within a distributed system that is responsible for managing resources. A Resource Manager can encapsulate or be closely coupled with a PEP (Policy Enforcement Point).
Session Authority – The System Entity responsible for maintaining Global Session state and issuing Session Assertions.
Terms (continued)
Session Assertion – A SAML Assertion that contains information about the state of a Global Session and (possibly) references to the Authentication Assertion that was used to initiate the session.
Session Participant – A Resource Manager that normally tracks and maintains Local Sessions and has also chosen to participate in the Global Sessions system.
Participation in Dynamic Sessions is...
Voluntary – Applications can be SAML compliant without participating in Dynamic Sessions.
Granular – Applications can choose to participate in the Dynamic Session system to a degree appropriate to their goals.
Timeout
Timeout Decision – The decision by a Session Authority that a particular Global Session has been inactive for a length of time that exceeds its configured timeout value.
Timeout Execution – The notification by the Session Authority to the Participants of a Global Session that the Global Session has timed out. In practice this would behave very much like the "Admin Logout" scenario.
Timeout Decision (cont’d) There are two interesting possibilities for the relationship between Global Session Timeouts and Local Session Timeouts: either the Local Session Timeout exceeds the Global Session Timeout, or the Global Session Timeout exceeds the Local Session Timeout.
Local Timeout Exceeds Global Timeout
1. Global Session expires.
2. Session Authority terminates the Local Sessions.
Global Timeout Exceeds Local Timeout
1. Local Session expires.
2. Local session manager may either
   A. Ignore the status of the Global Session, or
   B. Query the Session Authority for the status of the Global Session and (if the Global Session is alive) either
      i. Extend the Local Session by some grace period, or
      ii. Mirror the status of the Global Session (i.e. keep the Local Session alive for as long as the Global Session is alive).
Session Participation Election
Resource Managers may elect to participate in Dynamic Sessions by either:
- Out-of-band configuration, or
- Dynamic discovery of the Session Authority by inspection of the Authentication Assertion, followed by registration of the Local Session with the Session Authority.
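The following simulation is an added illustration of the behaviour on the Static/Dynamic Sessions diagrams and on the two "Exceeds" slides; it is not code from the OASIS presentation or from any SAML implementation. The class and method names (SessionAuthority, ResourceManager, on_local_expiry, timeout_interaction) and the time values are hypothetical, times are abstract seconds, and the Resource Manager is handed its Session Authority directly, which corresponds to the out-of-band configuration election above (the Authentication Assertion discovery path is not modelled).

```python
# Added example, not from the OASIS slides; all class and method names are hypothetical.
from dataclasses import dataclass
from typing import Optional


@dataclass
class LocalSession:                      # per-user state held by one application
    last_access: float
    timeout: float                       # inactivity interval in effect for this session
    alive: bool = True
    grace_until: Optional[float] = None  # set by option B.i (grace period)


class SessionAuthority:                  # holds Global Session state
    def __init__(self, global_timeout):
        self.global_timeout = global_timeout
        self.last_access, self.alive, self.participants = {}, {}, {}
    def start(self, sid, now):           # Global Session begins with the Authentication Assertion
        self.last_access[sid], self.alive[sid], self.participants[sid] = now, True, []
    def touch(self, sid, now):           # any participant's access refreshes the Global Session
        if self.alive[sid]:
            self.last_access[sid] = max(self.last_access[sid], now)
    def expires_at(self, sid):
        return self.last_access[sid] + self.global_timeout
    def is_alive(self, sid, now):
        return self.alive[sid] and now < self.expires_at(sid)
    def check_timeout(self, sid, now):
        """Timeout Decision; when it fires, Timeout Execution notifies every participant."""
        if self.is_alive(sid, now) or not self.alive[sid]:
            return False
        self.alive[sid] = False
        for rm in self.participants[sid]:
            rm.terminate(sid)
        return True


class ResourceManager:                   # given an authority it is a Session Participant
    def __init__(self, local_timeout, authority=None, policy="ignore", grace=0.0):
        self.local_timeout, self.authority = local_timeout, authority  # None: static app
        self.policy, self.grace = policy, grace        # "ignore" | "grace" | "mirror"
        self.sessions = {}
    def access(self, sid, now):          # the Global Session (sid) must already be started
        if sid not in self.sessions:
            self.sessions[sid] = LocalSession(now, self.local_timeout)
            if self.authority:                         # election: register the Local Session
                self.authority.participants[sid].append(self)
        s = self.sessions[sid]
        s.last_access, s.timeout, s.grace_until = now, self.local_timeout, None
        if self.authority:
            self.authority.touch(sid, now)
    def expires_at(self, sid):
        s = self.sessions[sid]
        if s.grace_until is not None:
            return s.grace_until
        # Dynamic Sessions count from the Global Session's last activity TA' (TA' + interval)
        base = self.authority.last_access[sid] if self.authority else s.last_access
        return base + s.timeout
    def is_alive(self, sid, now):
        return self.sessions[sid].alive and now < self.expires_at(sid)
    def on_local_expiry(self, sid, now):
        """Global Timeout Exceeds Local Timeout: apply option A, B.i or B.ii."""
        s = self.sessions[sid]
        if self.policy == "ignore" or not self.authority.is_alive(sid, now):
            s.alive = False                            # A: ignore the Global Session
            return "terminated"
        if self.policy == "grace":                     # B.i: extend by a grace period
            s.grace_until = now + self.grace
            return "extended"
        s.timeout = self.authority.global_timeout      # B.ii: mirror the Global Session
        return "mirrored"
    def terminate(self, sid):                          # Timeout Execution / "Admin Logout"
        self.sessions[sid].alive = False


def slide_scenario(dynamic):
    """Steps 1-4 of the two diagrams: 'Timeout in' of App #1 and App #2 after step 4."""
    authority = SessionAuthority(global_timeout=60)
    a = authority if dynamic else None
    app1, app2 = ResourceManager(10, a), ResourceManager(20, a)
    authority.start("g1", now=0)   # 1 Authenticate
    app1.access("g1", now=0)
    app2.access("g1", now=5)       # 2 Access     (TA2 = 5)
    app1.access("g1", now=8)       # 4 Re-Access  (TA1' = 8)
    return app1.expires_at("g1"), app2.expires_at("g1")


def timeout_interaction(global_timeout, local_timeout, policy="ignore", grace=0.0):
    """Run until the shorter timeout elapses; return the Local Session's fate and new expiry."""
    authority = SessionAuthority(global_timeout)
    app = ResourceManager(local_timeout, authority, policy, grace)
    authority.start("g1", now=0)
    app.access("g1", now=0)
    now = min(global_timeout, local_timeout)
    fired = authority.check_timeout("g1", now)     # True: the Global Session expired first
    outcome = "terminated by authority" if fired else app.on_local_expiry("g1", now)
    return outcome, (app.expires_at("g1") if app.is_alive("g1", now) else None)
```

slide_scenario(False) gives (18, 25): only Application #1's timeout moved on re-access. slide_scenario(True) gives (18, 28): Application #2 now counts from TA1' as well. timeout_interaction(30, 120) shows the authority terminating a still-valid Local Session, while timeout_interaction(100, 10, policy, grace) shows the three choices open to the local session manager when its own timeout fires first.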