Dynamic Sessions

OASIS Security Services Face to Face #3
June 25, 2001
Motivation
The purpose of Dynamic Sessions is to allow the
federation of SAML-aware applications into a
cooperative ecosystem that presents users and
administrators with a single, global login session
across all of the participating applications in the
ecosystem.
Static Sessions
[Figure: Authentication Authority, User, Application #1 and Application #2. Numbered steps 1 (Authenticate), 2 and 3 (Access) and 4 (Re-Access). Each application carries its own "Timeout in:" label; the labels are garbled in extraction and read approximately TA1 + T1 for Application #1 and TA2 + T2 for Application #2.]
Dynamic Sessions
[Figure: same actors and steps as the Static Sessions figure (1 Authenticate, 2 and 3 Access, 4 Re-Access). The two applications' "Timeout in:" labels are superimposed in the extraction and cannot be read reliably.]
Terms
Local Session – A set of state information shared between a client
application and the Resource Manager. This information is used for
tracking the user's activity within the overall system. Example
implementation: javax.servlet.http.HttpSession.
Global Session – The union of the set of local sessions maintained
by various Resource Managers that apply to the same Principal and
Authentication Assertion.
Resource Manager – An Entity within a distributed system that is
responsible for managing resources. A Resource Manager can
encapsulate or be closely coupled with a PEP.
Session Authority – The System Entity responsible for maintaining
Global Session state and issuing Session Assertions.
Terms (continued)
Session Assertion – A SAML Assertion that contains information
about the state of a Global Session and (possibly) references to the
Authentication Assertion that was used to initiate the session.
Session Participant – A Resource Manager that normally tracks and
maintains Local Sessions which has also chosen to participate in the
Global Sessions system.
Participation in Dynamic Sessions is . . .
- Voluntary – Applications can be SAML compliant without participating in Dynamic Sessions.
- Granular – Applications can choose to participate in the Dynamic Session system to a degree appropriate to their goals.

Supported Operations
- Session Request
- User Session Termination
- Admin Session Termination
- Timeout
Session Request
[Figure: User, Authentication Authority, Session Authority, Application #1 and Application #2, each application with its own Session Management Client. Steps 1 to 7; the readable step labels are Authenticate, Access and Re-direct.]
User Logout
[Figure: User, Authentication Authority, Session Authority, Application #1 and Application #2 with their Session Management Clients. Steps 1 to 3; the readable step label is Logout.]
Admin Logout
[Figure: Administrator, User, Authentication Authority, Session Authority, Application #1 and Application #2 with their Session Management Clients. Steps 1 to 3; the readable step label is Logout.]
Timeout
- Timeout Decision – The decision by a Session Authority that a particular Global Session has been inactive for a length of time that exceeds its configured timeout value.
- Timeout Execution – The notification by the Session Authority to the Participants of a Global Session that the Global Session has timed out. In practice this would behave very much like the “Admin Logout” scenario.

Timeout Decision Algorithm #1
[Figure: User, Authentication Authority, Session Authority, Application #1 and Application #2 with their Session Management Clients; the message flow was not recovered in extraction.]
Timeout Decision Algorithm #2
[Figure: User, Authentication Authority, Session Authority, Application #1 and Application #2 with their Session Management Clients; the message flow was not recovered in extraction.]
Timeout Decision (cont’d)
There are two interesting possibilities for the
relationship between Global Session Timeouts and
Local Session Timeouts: either the Local Session
Timeout exceeds the Global Session Timeout, or the
Global Session Timeout exceeds the Local Session
Timeout.
Local Timeout Exceeds Global Timeout
1. Global Session expires.
2. Session Authority terminates Local Sessions.
Global Timeout Exceeds Local Timeout
1. Local Session expires.
2. Local session manager may either
   A. Ignore the status of the Global Session, or
   B. Query the Session Authority for status of the Global Session and (if the Global Session is alive) either
      i. Extend Local Session by some grace period, or
      ii. Mirror status of Global Session (i.e. keep Local Session alive for as long as the Global Session is alive).
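The timeout arithmetic behind the Static and Dynamic Sessions figures and the Local/Global timeout cases above, as an added illustration that is not part of the slides or of any SAML specification. It assumes, following the figure labels "Timeout in: TA + T", that a session expires at the time of its last access plus its configured timeout, and that the Global Session's inactivity clock restarts on access at any participant; the policy names "ignore", "extend" and "mirror" are labels chosen here for cases A, B.i and B.ii.

```python
# Added illustration: timeout arithmetic for Static vs Dynamic Sessions and the
# Local/Global timeout relationship. Assumes expiry = last access + timeout, and that
# the Global Session's clock restarts on access at any participant.


def static_expiry(last_access, local_timeout):
    """Static Sessions: each application times out independently, from its own last access."""
    return {app: t + local_timeout[app] for app, t in last_access.items()}


def global_expiry(last_access, global_timeout):
    """Dynamic Sessions: the Global Session expires global_timeout after the most recent
    access at any participant, so activity at Application #2 keeps Application #1 alive."""
    return max(last_access.values()) + global_timeout


def timeout_decision(now, last_access, global_timeout):
    """Timeout Decision: the Session Authority judges the Global Session to have been
    inactive for longer than its configured timeout."""
    return now >= global_expiry(last_access, global_timeout)


def effective_local_expiry(app, last_access, local_timeout, global_timeout, policy, grace=0):
    """When the Local Session at `app` actually ends once both timeouts are considered.

    `policy` is what the local session manager does when its Local Session expires while
    the Global Session is still alive: "ignore" (A), "extend" by `grace` (B.i) or "mirror" (B.ii).
    """
    local = last_access[app] + local_timeout[app]
    glob = global_expiry(last_access, global_timeout)
    if local >= glob:
        # Local Timeout exceeds Global Timeout: the Global Session expires first and the
        # Session Authority terminates the Local Sessions (Timeout Execution).
        return glob
    # Global Timeout exceeds Local Timeout: the Local Session expires first. At time
    # `local` a query to the Session Authority would still report the Global Session alive.
    if policy == "ignore":
        return local                        # A: end the Local Session regardless
    if policy == "extend":
        return min(local + grace, glob)     # B.i: grace period, still capped by the Global Session
    if policy == "mirror":
        return glob                         # B.ii: live exactly as long as the Global Session
    raise ValueError(f"unknown policy {policy!r}")


if __name__ == "__main__":
    # Constructed sample: the user accessed Application #1 at t=0 and Application #2 at t=40 (seconds),
    # every timeout is 30 seconds.
    last_access = {"app1": 0, "app2": 40}
    local_timeout = {"app1": 30, "app2": 30}
    print("static:", static_expiry(last_access, local_timeout))      # app1 alone dies at 30
    print("global:", global_expiry(last_access, 30))                 # the Global Session lives to 70
    for policy in ("ignore", "extend", "mirror"):
        print(policy, effective_local_expiry("app1", last_access, local_timeout, 30, policy, grace=10))
```

With the constructed sample, static sessions drop Application #1 at t=30 even though the user is still active at Application #2, while the Global Session lasts until t=70; the three local policies end Application #1's Local Session at t=30, t=40 and t=70 respectively.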
Session Participation Election
Resource Managers may elect to participate in Dynamic Sessions by either:
- Out of band configuration.
- Dynamic discovery of the Session Authority by inspection of the Authentication Assertion followed by registration of the Local Session with the Session Authority.
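The Session Request, User Logout and Admin Logout flows, together with the dynamic-discovery participation election just described, as an added model that is not part of the slides or of any SAML specification. The `session_authority` attribute on the assertion, the `SessionAuthority` and `Application` classes and the scenario values are all assumptions made here: the slides say the Session Authority is discovered "by inspection of the Authentication Assertion" without naming a field.

```python
# Added model: Session Request, User/Admin Logout propagation and participation election.
from dataclasses import dataclass
import itertools


@dataclass
class AuthenticationAssertion:
    """Minimal stand-in for a SAML Authentication Assertion.
    `session_authority` is an assumed attribute naming the Session Authority to register with."""
    assertion_id: str
    principal: str
    session_authority: str


class SessionAuthority:
    """Maintains Global Session state and fans out terminations to every Session Participant."""

    def __init__(self, name):
        self.name = name
        self._ids = itertools.count(1)
        self.global_sessions = {}   # gid -> {"assertion_id", "principal", "participants": {app name: app}}

    def register(self, assertion, participant):
        """Session Request: join the Global Session for this Principal + Authentication Assertion,
        creating it on first registration. Returns the Global Session id."""
        for gid, gs in self.global_sessions.items():
            if gs["assertion_id"] == assertion.assertion_id:
                break
        else:
            gid = f"gs-{next(self._ids)}"
            self.global_sessions[gid] = {"assertion_id": assertion.assertion_id,
                                         "principal": assertion.principal, "participants": {}}
        self.global_sessions[gid]["participants"][participant.name] = participant
        return gid

    def terminate(self, gid, reason):
        """User Logout, Admin Logout and Timeout Execution all end here: drop the Global Session
        and notify every participant so it can end its Local Session. Returns the notified names."""
        gs = self.global_sessions.pop(gid, None)
        if gs is None:
            return []
        for app in gs["participants"].values():
            app.end_local_sessions(gid, reason)
        return sorted(gs["participants"])

    def is_alive(self, gid):
        return gid in self.global_sessions


class Application:
    """A Resource Manager with an embedded Session Management Client."""

    def __init__(self, name, known_authorities):
        self.name = name
        self.known_authorities = known_authorities   # authority name -> SessionAuthority
        self.local_sessions = {}                     # local id -> (gid, SessionAuthority)
        self.terminated = []                         # (local id, reason) audit trail

    def access(self, assertion):
        """User access with an Authentication Assertion: create the Local Session, discover the
        Session Authority from the assertion (dynamic participation election) and register."""
        authority = self.known_authorities[assertion.session_authority]
        gid = authority.register(assertion, self)
        local_id = f"{self.name}-local-{len(self.local_sessions) + len(self.terminated) + 1}"
        self.local_sessions[local_id] = (gid, authority)
        return local_id

    def user_logout(self, local_id):
        """User Logout initiated at this application: ask the Session Authority to end the Global Session."""
        gid, authority = self.local_sessions[local_id]
        return authority.terminate(gid, "user logout")

    def end_local_sessions(self, gid, reason):
        """Notification from the Session Authority: end every Local Session tied to that Global Session."""
        for local_id, (g, _) in list(self.local_sessions.items()):
            if g == gid:
                del self.local_sessions[local_id]
                self.terminated.append((local_id, reason))


def run_scenario():
    """Constructed scenario: one user, two applications; logout at Application #2 ends both Local Sessions."""
    authority = SessionAuthority("sa.example")          # constructed name
    directory = {"sa.example": authority}
    app1 = Application("app1", directory)
    app2 = Application("app2", directory)
    assertion = AuthenticationAssertion("assert-1", "alice", "sa.example")   # constructed sample

    l1 = app1.access(assertion)      # Session Request at Application #1 creates the Global Session
    l2 = app2.access(assertion)      # Application #2 joins the same Global Session
    gid = app1.local_sessions[l1][0]
    same_global = app2.local_sessions[l2][0] == gid

    notified = app2.user_logout(l2)  # User Logout at #2: the Session Authority notifies #1 and #2
    return {
        "same_global_session": same_global,
        "notified": notified,
        "app1_alive": list(app1.local_sessions),
        "app1_terminated": app1.terminated,
        "global_alive": authority.is_alive(gid),
    }


if __name__ == "__main__":
    print(run_scenario())
```

Admin Logout and Timeout Execution take the same path as User Logout from the Session Authority's side: an administrator (or the authority's own timeout decision) calls `SessionAuthority.terminate` directly with a different reason, and every participant's Local Session is ended by the same notification.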