[openstack-dev] revocation and duration times

Adam Young ayoung at redhat.com
Tue Nov 12 02:19:11 UTC 2013


I suspect that the majority of the Federation cases will fall along 
these lines, and that this rule will be too restrictive.

A SAML assertion will be short-lived.  A Virtual machine agreement will 
be longer (for the most part) and most IdPs will not be sending out 
revocation events.  I'd argue that most people are ok with this in 
general, but will want to have some sort of "I pay for the account, I 
can cut off the account" agreement from a specific user or set of users.


On 11/08/2013 07:18 AM, David Chadwick wrote:
> Hi Guys
>
> We discussed what to do in federation when the assertions have a 
> particular time duration, but the user wishes to delegate permissions 
> or start a job for longer than this duration. What should we do?
>
> Firstly we should not do this in general as it is an escalation of 
> privileges.
>
> However, if the IDP says, when the federation is set up (as part of 
> the federation agreement), that it will send user revocation 
> notifications to those SPs to whom it has issued user assertions 
> within a specified time frame (this time would be federation specific, 
> but could be set to say 7 days for assertions of duration 24 hours) 
> then the SPs now have a maximum time that they can escalate a user's 
> assertion up to, if the user starts a job or delegates privileges etc. 
> from an assertion of shorter duration.
>
> regards
>
> David
>
>
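The rule David describes, modelled as a service-provider-side check (added illustration, not code from this thread or from Keystone): the SP may let a delegation or job outlive the SAML assertion only when the federation agreement says the IdP will send revocation notifications, and then only up to that notification window measured from the assertion's issue time; a revocation event from the IdP cuts off any such extended grant. The class and field names (`FederationAgreement`, `Assertion`, `DelegationStore`, `revocation_window`) and the sample timings are assumptions for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class FederationAgreement:
    """What the IdP promised when the federation was set up (assumed shape)."""
    idp: str
    sends_revocations: bool
    # How long after issuing an assertion the IdP promises to forward
    # revocation events for that user to the SP.
    revocation_window: timedelta


@dataclass(frozen=True)
class Assertion:
    """The parts of a SAML assertion the policy needs (assumed shape)."""
    idp: str
    subject: str
    issued_at: datetime
    expires_at: datetime


def max_delegation_expiry(assertion: Assertion, agreement: FederationAgreement) -> datetime:
    """Latest time a delegation or job started from this assertion may run to.

    Without a revocation commitment the SP must not outlive the assertion,
    since it would never learn the user was cut off.  With one, the cap is the
    revocation window counted from issuance (never less than the assertion's
    own expiry).
    """
    if agreement.idp != assertion.idp:
        raise ValueError("assertion issued by an IdP outside this agreement")
    if not agreement.sends_revocations:
        return assertion.expires_at
    return max(assertion.expires_at, assertion.issued_at + agreement.revocation_window)


def can_delegate(assertion: Assertion, agreement: FederationAgreement,
                 requested_until: datetime) -> bool:
    """True when the requested end time stays within the permitted cap."""
    return requested_until <= max_delegation_expiry(assertion, agreement)


@dataclass
class DelegationStore:
    """Grants that outlive their assertion, keyed so a revocation can find them."""
    _grants: dict = field(default_factory=dict)

    def grant(self, grant_id: str, assertion: Assertion,
              agreement: FederationAgreement, until: datetime) -> bool:
        if not can_delegate(assertion, agreement, until):
            return False
        self._grants[grant_id] = (assertion.idp, assertion.subject, until)
        return True

    def revoke_user(self, idp: str, subject: str) -> list:
        """Handle a revocation event from the IdP; returns the grant ids cut off."""
        hit = [gid for gid, (i, s, _) in self._grants.items() if (i, s) == (idp, subject)]
        for gid in hit:
            del self._grants[gid]
        return hit

    def is_valid(self, grant_id: str, now: datetime) -> bool:
        entry = self._grants.get(grant_id)
        return entry is not None and now <= entry[2]


# Constructed sample: a 24-hour assertion under an agreement with a 7-day window.
T0 = datetime(2013, 11, 8, 7, 18, tzinfo=timezone.utc)
AGREEMENT = FederationAgreement("idp.example", True, timedelta(days=7))
NO_REVOCATION = FederationAgreement("idp.example", False, timedelta(0))
ASSERTION = Assertion("idp.example", "alice", T0, T0 + timedelta(hours=24))


if __name__ == "__main__":
    store = DelegationStore()
    print(store.grant("job-1", ASSERTION, AGREEMENT, T0 + timedelta(days=5)))   # True
    print(store.grant("job-2", ASSERTION, AGREEMENT, T0 + timedelta(days=10)))  # False
    print(store.revoke_user("idp.example", "alice"))                             # ['job-1']
```

The cap is a ceiling, not a grant of privilege: a request inside the window still needs whatever authorization the SP would normally apply, and the revocation handler is only as good as the IdP's delivery of those events within the promised window.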