
Doubts on SAML and OAUTH


For some time now I've been dealing with SAML and OAuth. I have a few questions and would like to know if somebody can clarify my doubts:

  1. As per my understanding, the validity of a SAML response depends on the NotOnOrAfter attribute in the SAML response, as per the SAML2 specification.
  2. How does the SP keep track of the SAML request when it gets the response back from the IdP? I think this depends on the InResponseTo attribute set in the SAML response by the IdP, as per the SAML2 specification.

I also need to know how I can set the expiry time of an OAuth token. After googling I found that there is one attribute, "expires_in", in the OAuth response which tells how long the token will be valid for, but I am not sure how to use this with Scribe. I am using Scribe to connect to different providers.


Solution

    1. Yes, the NotOnOrAfter attribute is part of the Conditions that decides when and how the response is valid.
    2. If the SP needs to keep track of the response, the SP can do that through the InResponseTo parameter. Please note that many SAML2 implementations allow unsolicited (i.e. IdP-initiated) sessions, where the IdP sends a response without ever having received an AuthnRequest from the SP.
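To illustrate the two checks above on the SP side (the Conditions time window and InResponseTo correlation against outstanding AuthnRequest IDs, including the unsolicited case), here is an added Python example; it is not code from the question, the answer or Scribe. The SAML Response is a constructed, unsigned sample; signature, Issuer and Audience verification are assumed to happen elsewhere, and the 60-second clock skew is an assumed tolerance.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample only: minimal, unsigned Response with one Assertion.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_resp1" InResponseTo="_req123" IssueInstant="2024-01-01T12:00:00Z">
  <saml:Assertion ID="_a1" IssueInstant="2024-01-01T12:00:00Z">
    <saml:Conditions NotBefore="2024-01-01T11:59:00Z" NotOnOrAfter="2024-01-01T12:05:00Z"/>
  </saml:Assertion>
</samlp:Response>"""


def parse_instant(value):
    # SAML timestamps are UTC ISO 8601 with a trailing "Z".
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_response(xml_text, now, outstanding_request_ids,
                      allow_unsolicited=False, skew=timedelta(seconds=60)):
    """Return (ok, reason). outstanding_request_ids is a set of AuthnRequest IDs the SP
    issued and has not yet seen a response for; a matched ID is consumed (one-time use)."""
    root = ET.fromstring(xml_text)
    in_response_to = root.get("InResponseTo")
    if in_response_to is None:
        # IdP-initiated flow: no AuthnRequest to correlate with.
        if not allow_unsolicited:
            return False, "unsolicited (IdP-initiated) response not allowed"
    elif in_response_to not in outstanding_request_ids:
        return False, "InResponseTo does not match any outstanding AuthnRequest"
    conditions = root.find("saml:Assertion/saml:Conditions", NS)
    if conditions is None:
        return False, "assertion has no Conditions"
    not_before = conditions.get("NotBefore")
    not_on_or_after = conditions.get("NotOnOrAfter")
    if not_on_or_after is None:
        return False, "Conditions lacks NotOnOrAfter"
    if not_before and now + skew < parse_instant(not_before):
        return False, "assertion not yet valid"
    # NotOnOrAfter is exclusive: an assertion is already invalid at that exact instant.
    if now - skew >= parse_instant(not_on_or_after):
        return False, "assertion expired"
    if in_response_to is not None:
        outstanding_request_ids.discard(in_response_to)  # prevent replay of the same ID
    return True, "ok"
```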