1 / 18

Dynamic Sessions

Dynamic Sessions. OASIS Security Services Face to Face #3 June 25, 2001. Motivation.

dunne
Télécharger la présentation

Dynamic Sessions

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Dynamic Sessions OASIS Security Services Face to Face #3 June 25, 2001

  2. Motivation The purpose of Dynamic Sessions is to allow the federation of SAML-aware applications into a cooperative ecosystem that presents users and administrators with a single, global login session across all of the participating applications in the ecosystem.

  3. 1 Authenticate User 3 Access 2 Access 4 Re-Access Static Sessions Authentication Authority Application #2 Timeout in: TA2 + 2 Application #1 Timeout in: TA1` + 1 Timeout in: TA1 + 1

  4. 1 Authenticate User 3 Access 2 Access 4 Re-Access Dynamic Sessions Authentication Authority Application #2 Timeout in: TA2 + 2 Timeout in: TA1` + 2 Application #1 Timeout in: TA1` + 1 Timeout in: TA1 + 1 Timeout in: TA2 + 1

  5. Terms Local Session – A set of state information shared between a client application and the Resource Manager. This information is used for tracking the users activity within the overall system. Example implementation: javax.servlet.http.HttpSession. Global Session – The union of the set of local sessions maintained by various Resource Managers that apply to the same Principal and Authentication Assertion. Resource Manager – An Entity within a distributed system that is responsible for managing resources. A Resource Manager can encapsulate or be closely coupled with a PEP. Session Authority – The System Entity responsible for maintaining Global Session state and issuing Session Assertions.

  6. Terms (continued) Session Assertion – A SAML Assertion that contains information about the state of a Global Session and (possibly) references to the Authentication Assertion that was used to initiate the session. Session Participant – A Resource Manager that normally tracks and maintains Local Sessions which has also chosen to participate in the Global Sessions system.

  7. Participation in Dynamic Sessions is . . . • Voluntary – Applications can be SAML compliant without participating in Dynamic Sessions. • Granular – Applications can choose to participate in the Dynamic Session system to a degree appropriate to their goals.

  8. Supported Operations • Session Request • User Session Termination • Admin Session Termination • Timeout

  9. 1 Authenticate 6 User 7 2 4 3 Access 5 Re-direct Session Request Authentication Authority Session Authority Session Management Client Application #2 Session Management Client Application #1

  10. 1 Logout User 3 2 User Logout Authentication Authority Session Authority Session Management Client Application #2 Session Management Client Application #1

  11. 1 3 Logout User 2 Administrator Admin Logout Authentication Authority Session Authority Session Management Client Application #2 Session Management Client Application #1

  12. Timeout • Timeout Decision – The decision by a Session Authority that a particular Global Session has been inactive for a length of time that exceeds its configured timeout value. • Timeout Execution – The notification by the Session Authority to the Participants of a Global Session that the Global Session has timed out. In practice this would behave very much like the “Admin Logout” scenario.

  13. User Timeout Decision Algorithm #1 Authentication Authority Session Authority Session Management Client Application #2 Session Management Client Application #1

  14. User Timeout Decision Algorithm #2 Authentication Authority Session Authority Session Management Client Application #2 Session Management Client Application #1

  15. Timeout Decision (cont’d) There are two interesting possibilities for the relationship between Global Session Timeouts and Local Session Timeouts: either the Local Session Timeout exceeds the Global Session Timeout, or the Global Session Timeout exceeds the Local Session Timeout.

  16. Local Timeout Exceeds Global Timeout • Global Session expires. • Session Authority terminates Local Sessions.

  17. Global Timeout Exceeds Local Timeout • Local Session expires. • Local session manager may either • Ignore the status of the Global Session, or • Query the Session Authority for status of the Global Session and (if the Global Session is alive) either • Extend Local Session by some grace period, or • Mirror status of Global Session (i. e. keep Local Session alive for as long as the Global Session is alive).

  18. Session Participation Election Resource Managers may elect to participate in Dynamic Sessions by either: • Out of band configuration. • Dynamic discovery of the Session Authority by inspection of the Authentication Assertion followed by registration of the Local Session with the Session Authority.

More Related