Pedro Igor commented on Feature Request PLINK2-85

The IDP is now issuing Assertions with an AuthnStatement.SessionIndex.

For now, the SessionIndex value is the same as the Assertion ID. As defined by the specs (saml-core-2.0-os.pdf):

"In general, any string value MAY be used as a SessionIndex value. However, when privacy is a
consideration, care must be taken to ensure that the SessionIndex value does not invalidate other
privacy mechanisms. Accordingly, the value SHOULD NOT be usable to correlate activity by a principal
across different session participants. Two solutions that achieve this goal are provided below and are
RECOMMENDED:

• Use small positive integers (or reoccurring constants in a list) for the SessionIndex. The SAML
authority SHOULD choose the range of values such that the cardinality of any one integer will be
sufficiently high to prevent a particular principal's actions from being correlated across multiple session
participants. The SAML authority SHOULD choose values for SessionIndex randomly from within
this range (except when required to ensure unique values for subsequent statements given to the
same session participant but as part of a distinct session).

• Use the enclosing assertion's ID value in the SessionIndex"

Also, logout requests always include the SessionIndex element.
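As an added illustration (not part of the original comment and not the project's own code), the Python check below verifies that an assertion's AuthnStatement SessionIndex equals the enclosing Assertion ID and that a LogoutRequest names that session. The sample messages, their IDs and the function names are constructed for this example.

```python
import xml.etree.ElementTree as ET

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
}

# Constructed sample messages (made-up IDs; Issuer, AuthnContext, Signature omitted).
# Unsigned and trimmed: a real check runs only after signature validation.
ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="ID_example-0001" Version="2.0" IssueInstant="2012-01-01T00:00:00Z">
  <saml:AuthnStatement AuthnInstant="2012-01-01T00:00:00Z"
      SessionIndex="ID_example-0001"/>
</saml:Assertion>"""

LOGOUT_REQUEST = """<samlp:LogoutRequest
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="ID_example-0002" Version="2.0" IssueInstant="2012-01-01T00:05:00Z">
  <saml:NameID>user@example.org</saml:NameID>
  <samlp:SessionIndex>ID_example-0001</samlp:SessionIndex>
</samlp:LogoutRequest>"""


def assertion_session_indexes(assertion_xml):
    """Return (Assertion ID, [SessionIndex per AuthnStatement, None if absent])."""
    root = ET.fromstring(assertion_xml)
    stmts = root.findall("saml:AuthnStatement", NS)
    return root.get("ID"), [s.get("SessionIndex") for s in stmts]


def session_index_is_assertion_id(assertion_xml):
    """True if every AuthnStatement carries SessionIndex equal to the Assertion ID."""
    assertion_id, indexes = assertion_session_indexes(assertion_xml)
    return bool(indexes) and all(i == assertion_id for i in indexes)


def logout_session_indexes(logout_xml):
    """Return the SessionIndex values carried by a LogoutRequest."""
    root = ET.fromstring(logout_xml)
    return [(e.text or "").strip() for e in root.findall("samlp:SessionIndex", NS)]


def logout_targets_session(logout_xml, assertion_xml):
    """True if the LogoutRequest names only sessions the assertion established."""
    _, issued = assertion_session_indexes(assertion_xml)
    requested = logout_session_indexes(logout_xml)
    return bool(requested) and set(requested) <= {i for i in issued if i}
```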
