I suspect that the majority of the Federation cases will fall along
these lines, and that this rule will be too restrictive.
A SAML assertion will be short lived. A virtual machine agreement will
be longer (for the most part) and most IdPs will not be sending out
revocation events. I'd argue that most people are OK with this in
general, but will want to have some sort of "I pay for the account, I
can cut off the account" agreement from a specific user or set of users.
On 11/08/2013 07:18 AM, David Chadwick wrote:
Hi Guys
We discussed what to do in federation when the assertions have a
particular time duration, but the user wishes to delegate permissions
or start a job for longer than this duration. What should we do?
Firstly, we should not do this in general, as it is an escalation of
privileges.
However, if the IDP says, when the federation is set up (as part of
the federation agreement), that it will send user revocation
notifications to those SPs to whom it has issued user assertions
within a specified time frame (this time would be federation specific,
but could be set to say 7 days for assertions of duration 24 hours)
then the SPs now have a maximum time that they can escalate a user's
assertion up to, if the user starts a job or delegates privileges etc.
from an assertion of shorter duration.
regards
David
_______________________________________________
OpenStack-dev mailing list
[email protected]
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
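A small model of the rule David sketches above, added here as an example that is not code from the thread or from OpenStack (the class and field names, and the assumption that the IdP's revocation promise is measured from the assertion's issue time, are mine): the SP may extend a delegation only up to the revocation notice window promised in the federation agreement, falls back to the assertion lifetime when the IdP sends no revocation events, and cuts off every live delegation when a revocation notice arrives.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

@dataclass
class FederationAgreement:
    """Terms fixed when the federation is set up (hypothetical model)."""
    # Window within which the IdP promises to send user-revocation notices
    # for assertions it issued; None means the IdP never sends them.
    revocation_notice_window: Optional[timedelta]

@dataclass
class Assertion:
    user_id: str
    issued_at: datetime
    expires_at: datetime

@dataclass
class Delegation:
    user_id: str
    expires_at: datetime
    revoked: bool = False

class ServiceProvider:
    def __init__(self, agreement: FederationAgreement) -> None:
        self.agreement = agreement
        self.delegations: List[Delegation] = []

    def escalation_ceiling(self, assertion: Assertion) -> datetime:
        """Latest expiry the SP may grant beyond the assertion's own lifetime."""
        window = self.agreement.revocation_notice_window
        if window is None:
            # No revocation events: the assertion lifetime is the hard limit.
            return assertion.expires_at
        return max(assertion.expires_at, assertion.issued_at + window)

    def delegate(self, assertion: Assertion, requested_expiry: datetime,
                 now: datetime) -> Delegation:
        """Grant a delegation from a currently valid assertion, capped at the ceiling."""
        if not assertion.issued_at <= now < assertion.expires_at:
            raise ValueError("assertion is not currently valid")
        granted = min(requested_expiry, self.escalation_ceiling(assertion))
        d = Delegation(assertion.user_id, granted)
        self.delegations.append(d)
        return d

    def on_user_revoked(self, user_id: str) -> int:
        """Handle an IdP revocation notice: cut off every live delegation for the user."""
        hit = [d for d in self.delegations if d.user_id == user_id and not d.revoked]
        for d in hit:
            d.revoked = True
        return len(hit)
```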