Dynamic Sessions

OASIS Security Services Face to Face #3

June 25, 2001

Motivation

The purpose of Dynamic Sessions is to allow the federation of SAML-aware applications into a cooperative ecosystem that presents users and administrators with a single, global login session across all of the participating applications in the ecosystem.


Static Sessions

[Diagram: the User (1) authenticates to the Authentication Authority, (2) and (3) accesses Application #1 and Application #2, and (4) re-accesses one of them. Each application keeps its own timeout: Application #1 is labelled "Timeout in: TA1 + 1" and, after the re-access, "Timeout in: TA1′ + 1"; Application #2 is labelled "Timeout in: TA2 + 2".]

Dynamic Sessions

[Diagram: the same four steps as the static case, (1) Authenticate, (2) Access, (3) Access, (4) Re-Access, but each application's timeout labels now also carry terms from the other application's accesses. Application #2 is labelled "Timeout in: TA2 + 2" and "Timeout in: TA1′ + 2"; Application #1 is labelled "Timeout in: TA1′ + 1", "Timeout in: TA1 + 1" and "Timeout in: TA2 + 1".]


Terms

Local Session – A set of state information shared between a client application and the Resource Manager. This information is used for tracking the user's activity within the overall system. Example implementation: javax.servlet.http.HttpSession.

Global Session – The union of the set of local sessions maintained by various Resource Managers that apply to the same Principal and Authentication Assertion.

Resource Manager – An Entity within a distributed system that is responsible for managing resources. A Resource Manager can encapsulate or be closely coupled with a PEP.

Session Authority – The System Entity responsible for maintaining Global Session state and issuing Session Assertions.


Terms (continued)

Session Assertion – A SAML Assertion that contains information about the state of a Global Session and (possibly) references to the Authentication Assertion that was used to initiate the session.

Session Participant – A Resource Manager that normally tracks and maintains Local Sessions which has also chosen to participate in the Global Sessions system.


Participation in Dynamic Sessions is . . .

  • Voluntary – Applications can be SAML compliant without participating in Dynamic Sessions.

  • Granular – Applications can choose to participate in the Dynamic Session system to a degree appropriate to their goals.


Supported Operations

  • Session Request

  • User Session Termination

  • Admin Session Termination

  • Timeout


Session Request

[Diagram: User, Authentication Authority, Session Authority, and Application #1 and Application #2, each with a Session Management Client. Labelled steps: (1) Authenticate, (3) Access, (5) Re-direct; arrows 2, 4, 6 and 7 carry no label in the transcript.]

User Logout

[Diagram: User, Authentication Authority, Session Authority, and Application #1 and Application #2, each with a Session Management Client. Labelled step: (1) Logout; arrows 2 and 3 carry no label in the transcript.]

Admin Logout

[Diagram: Administrator, User, Authentication Authority, Session Authority, and Application #1 and Application #2, each with a Session Management Client. Three numbered arrows (1 to 3), one of them labelled Logout; the remaining labels are not recoverable from the transcript.]

Timeout

  • Timeout Decision – The decision by a Session Authority that a particular Global Session has been inactive for a length of time that exceeds its configured timeout value.

  • Timeout Execution – The notification by the Session Authority to the Participants of a Global Session that the Global Session has timed out. In practice this would behave very much like the “Admin Logout” scenario.


Timeout Decision Algorithm #1

[Diagram only: User, Authentication Authority, Session Authority, and Application #1 and Application #2 with their Session Management Clients; the message flow is not recoverable from the transcript.]

Timeout Decision Algorithm #2

[Diagram only: User, Authentication Authority, Session Authority, and Application #1 and Application #2 with their Session Management Clients; the message flow is not recoverable from the transcript.]

Timeout Decision (cont’d)

There are two interesting possibilities for the relationship between Global Session Timeouts and Local Session Timeouts: either the Local Session Timeout exceeds the Global Session Timeout, or the Global Session Timeout exceeds the Local Session Timeout.


Local Timeout Exceeds Global Timeout

  • Global Session expires.

  • Session Authority terminates Local Sessions.


Global Timeout Exceeds Local Timeout

  • Local Session expires.

  • Local session manager may either

    • Ignore the status of the Global Session, or

    • Query the Session Authority for status of the Global Session and (if the Global Session is alive) either

      • Extend Local Session by some grace period, or

      • Mirror status of Global Session (i.e. keep Local Session alive for as long as the Global Session is alive).
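The Timeout Decision and Timeout Execution from the Timeout slide, together with the three choices a local session manager has when its own timer fires first, as one added example that is not the deck's code. The in-memory Session Authority, the notification list standing in for real messages, and the reading of "mirror" as "adopt the Global Session's current expiry time" are my assumptions.

```python
"""Added example, not the deck's code: a toy Session Authority that makes
the Timeout Decision and executes it by notifying participants (the deck
says this behaves much like Admin Logout), plus the local session manager's
three options from the "Global Timeout Exceeds Local Timeout" slide.

Assumptions (mine): integer-second clock, in-memory state, notifications
collected in a list instead of being sent, and MIRROR implemented as
"adopt the Global Session's current expiry time".
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional, Tuple


@dataclass
class GlobalSession:
    session_id: str
    principal: str
    timeout: int                 # configured inactivity timeout, seconds
    last_activity: int
    participants: List[str] = field(default_factory=list)
    alive: bool = True

    def expiry(self) -> int:
        return self.last_activity + self.timeout


class SessionAuthority:
    def __init__(self) -> None:
        self.sessions: Dict[str, GlobalSession] = {}
        # (participant, session_id, reason) for every termination notice
        self.notifications: List[Tuple[str, str, str]] = []

    def create(self, session_id: str, principal: str, timeout: int, now: int) -> None:
        self.sessions[session_id] = GlobalSession(session_id, principal, timeout, now)

    def register(self, session_id: str, participant: str) -> None:
        """A Resource Manager joins the Global Session (Session Request)."""
        s = self.sessions[session_id]
        if participant not in s.participants:
            s.participants.append(participant)

    def touch(self, session_id: str, now: int) -> None:
        """Activity at any participant refreshes the Global Session."""
        s = self.sessions[session_id]
        if s.alive:
            s.last_activity = max(s.last_activity, now)

    def is_alive(self, session_id: str) -> bool:
        return self.sessions[session_id].alive

    def timeout_decision(self, session_id: str, now: int) -> bool:
        """Timeout Decision: inactive for longer than the configured timeout."""
        s = self.sessions[session_id]
        return s.alive and (now - s.last_activity) > s.timeout

    def terminate(self, session_id: str, reason: str) -> List[str]:
        """User Logout, Admin Logout and Timeout Execution all end here:
        mark the Global Session dead and notify every participant."""
        s = self.sessions[session_id]
        if not s.alive:
            return []
        s.alive = False
        for p in s.participants:
            self.notifications.append((p, session_id, reason))
        return list(s.participants)

    def sweep(self, now: int) -> List[str]:
        """Timeout Execution for every session whose decision is positive."""
        expired = [sid for sid in self.sessions if self.timeout_decision(sid, now)]
        for sid in expired:
            self.terminate(sid, "timeout")
        return expired


class LocalPolicy(Enum):
    IGNORE = "ignore"    # let the Local Session die regardless of global state
    GRACE = "grace"      # extend by a fixed grace period if global is alive
    MIRROR = "mirror"    # stay alive exactly as long as the Global Session


def on_local_expiry(authority: SessionAuthority, session_id: str,
                    policy: LocalPolicy, now: int, grace: int = 60) -> Optional[int]:
    """Called when a Local Session's own timer fires. Returns the new local
    expiry time, or None when the Local Session should end."""
    if policy is LocalPolicy.IGNORE or not authority.is_alive(session_id):
        return None
    if policy is LocalPolicy.GRACE:
        return now + grace
    return authority.sessions[session_id].expiry()   # MIRROR
```

Note that `terminate` is the single path for all three termination operations listed under Supported Operations; only the `reason` differs, which is what the deck means when it says Timeout Execution looks like Admin Logout in practice. A participant that never registered receives no notice, which is the risk of a Resource Manager that elects not to participate: its Local Session outlives the Global Session unless it queries the authority itself.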


Session Participation Election

Resource Managers may elect to participate in Dynamic Sessions by either:

  • Out of band configuration.

  • Dynamic discovery of the Session Authority by inspection of the Authentication Assertion followed by registration of the Local Session with the Session Authority.
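Both election paths in one added example (not code from the deck): out-of-band configuration takes precedence, otherwise the Resource Manager inspects the Authentication Assertion for a pointer to the Session Authority and prepares the registration of its Local Session. The assertion is constructed, the `SessionAuthority` element and its `urn:example` namespace are hypothetical (SAML 1.0 defines no such element), and registration is modelled as building the message rather than sending it.

```python
"""Added example, not from the deck: how a Resource Manager might elect to
participate in Dynamic Sessions, either by out-of-band configuration or by
discovering the Session Authority from the Authentication Assertion and
then registering its Local Session.

Assumptions (mine): the assertion below is constructed; the
<SessionAuthority> element and its urn:example namespace are hypothetical,
since SAML 1.0 defines no such element; registration is modelled as building
the message rather than sending it.
"""
import xml.etree.ElementTree as ET
from typing import Dict, Optional, Tuple

SAML1_NS = "urn:oasis:names:tc:SAML:1.0:assertion"
DYN_NS = "urn:example:dynamic-sessions"          # hypothetical namespace

# Constructed Authentication Assertion carrying a (hypothetical) pointer to
# the Session Authority and the Global Session it created at login.
ASSERTION_XML = f"""
<saml:Assertion xmlns:saml="{SAML1_NS}" xmlns:dyn="{DYN_NS}"
                AssertionID="constructed-001" Issuer="https://aa.example">
  <saml:AuthenticationStatement
      AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password"
      AuthenticationInstant="2001-06-25T09:00:00Z">
    <saml:Subject><saml:NameIdentifier>alice</saml:NameIdentifier></saml:Subject>
  </saml:AuthenticationStatement>
  <dyn:SessionAuthority Location="https://sa.example/sessions" SessionID="gs-42"/>
</saml:Assertion>
"""


def discover_session_authority(assertion_xml: str) -> Optional[str]:
    """Inspect the assertion for the hypothetical SessionAuthority element
    and return its Location, or None if absent. A real Resource Manager
    verifies the assertion's signature before trusting anything in it and
    parses untrusted XML with defusedxml rather than the stdlib parser."""
    root = ET.fromstring(assertion_xml)
    el = root.find(f".//{{{DYN_NS}}}SessionAuthority")
    return el.get("Location") if el is not None else None


def global_session_id(assertion_xml: str) -> Optional[str]:
    root = ET.fromstring(assertion_xml)
    el = root.find(f".//{{{DYN_NS}}}SessionAuthority")
    return el.get("SessionID") if el is not None else None


def principal_of(assertion_xml: str) -> Optional[str]:
    root = ET.fromstring(assertion_xml)
    name = root.find(f".//{{{SAML1_NS}}}NameIdentifier")
    return name.text if name is not None else None


def elect_participation(assertion_xml: str,
                        configured_url: Optional[str] = None) -> Tuple[Optional[str], Optional[str]]:
    """Out-of-band configuration wins when present; otherwise try discovery.
    Returns (mode, authority URL); mode None means the Resource Manager stays
    a plain SAML consumer and does not participate (participation is voluntary)."""
    if configured_url:
        return "out-of-band", configured_url
    url = discover_session_authority(assertion_xml)
    if url:
        return "discovered", url
    return None, None


def registration_message(authority_url: str, gsid: Optional[str],
                         local_session_id: str, principal: str) -> Dict[str, Optional[str]]:
    """The registration of a Local Session with the Session Authority, as a
    message body of hypothetical shape; gsid may be None when the authority
    was configured out of band and the assertion carried no session id."""
    return {"to": authority_url, "global_session": gsid,
            "local_session": local_session_id, "principal": principal}
```

The `None` mode is the "voluntary" case from the participation slide: an application that finds neither configuration nor a discoverable authority simply keeps its Local Session and stays SAML-compliant without joining the Global Session.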


  • Login