Alistair Young wrote:
>> The standard I2 Shib software creates (by default) logs of which
>> principal (read "username") logged in at what time, and what session ID
>> was issued.
> the IdP issues an Assertion with an AssertionID and IssueInstant. I
> can't see anything in the shibboleth profile that can be called a
> session id that an SP has access to.
SAML 1 doesn't have any notion of a "session" so there is nothing that
is meant to be a session identifier. It's really meant to be a single
request/response pair so you have the IDs and then on the responses you
have the inResponseTo attribute.
SAML 2 has some extra fields that can carry more information but even in
Shibboleth it won't be the key to the IdP session but instead something
specific to the SP that can then be translated, by the IdP, to the
user's IdP session.
--
Chad La Joie 2052-C Harris Bldg
OIS-Middleware 202.687.0124
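
An added example, not part of the original message: pulling the identifiers discussed above (ResponseID, InResponseTo, AssertionID, IssueInstant) out of a SAML 1.1 response so an SP can log them for correlation with IdP-side records. The sample response, its ID values and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:1.0:protocol"
SAML = "urn:oasis:names:tc:SAML:1.0:assertion"

# Constructed SAML 1.1 response (unsigned, trimmed) for illustration only.
SAMPLE_RESPONSE = """\
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
    MajorVersion="1" MinorVersion="1"
    ResponseID="_resp-constructed-0001"
    InResponseTo="_req-constructed-0001"
    IssueInstant="2008-01-15T10:00:00Z">
  <samlp:Status><samlp:StatusCode Value="samlp:Success"/></samlp:Status>
  <saml:Assertion MajorVersion="1" MinorVersion="1"
      AssertionID="_assert-constructed-0001" IssueInstant="2008-01-15T10:00:00Z"
      Issuer="https://idp.example.org/shibboleth">
    <saml:AuthenticationStatement
        AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:unspecified"
        AuthenticationInstant="2008-01-15T09:59:58Z"/>
  </saml:Assertion>
</samlp:Response>
"""

def correlation_ids(response_xml):
    """Return the identifiers an SP can log to match IdP-side records."""
    # The sample is trusted; parse untrusted XML with a hardened parser
    # (for example defusedxml) and verify signatures before trusting values.
    root = ET.fromstring(response_xml)
    if root.tag != f"{{{SAMLP}}}Response":
        raise ValueError("not a SAML 1.x protocol Response")
    return {
        "response_id": root.get("ResponseID"),
        # Absent on unsolicited responses, so this may be None.
        "in_response_to": root.get("InResponseTo"),
        "assertions": [
            {"assertion_id": a.get("AssertionID"), "issuer": a.get("Issuer"),
             "issue_instant": a.get("IssueInstant")}
            for a in root.iter(f"{{{SAML}}}Assertion")
        ],
    }

def has_session_field(response_xml):
    """True if any attribute name mentions a session (none in SAML 1.x)."""
    root = ET.fromstring(response_xml)
    return any("session" in name.lower()
               for el in root.iter() for name in el.attrib)
```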