In SAML2, session lengths are determined both in the IdP and in the SP. What the user experiences is the combination of the two, even though they are not particularly synchronized with each other.
IdP settings
The basic settings are made in the conf/idp.properties file.
# Inactivity timeout
idp.session.timeout = PT8H
# Default lifetime and timeout of various authentication methods
idp.authn.defaultLifetime = PT8H
idp.authn.defaultTimeout = PT60M
In the example, the IdP keeps the user's session for eight hours (idp.session.timeout = PT8H). The value must be at least as long as idp.authn.defaultLifetime.
In the example, the lifetime of the user's single login is set to eight hours (idp.authn.defaultLifetime = PT8H). This login remains valid for 8 hours from the first login, provided the user is active in the IdP at least once an hour (idp.authn.defaultTimeout = PT60M). If the user does not visit the IdP within those 60 minutes, the login expires and the user must authenticate again on the next visit. In other words, the user can log in to the IdP once for eight hours, as long as consecutive visits are at most an hour apart.
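The interplay of lifetime and inactivity timeout described above, as an added model (not Shibboleth code): it parses the duration format used in idp.properties and decides whether an authentication result is still reusable given a constructed list of times at which the user visited the IdP.

```python
import re
from datetime import datetime, timedelta, timezone

# Values copied from the idp.properties example above.
IDP_PROPERTIES = {
    "idp.session.timeout": "PT8H",
    "idp.authn.defaultLifetime": "PT8H",
    "idp.authn.defaultTimeout": "PT60M",
}

# ISO 8601 duration subset used in idp.properties: P[nD][T[nH][nM][nS]]
_DURATION = re.compile(r"^P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$")


def parse_duration(value):
    """Parse e.g. PT8H, PT60M or P1D into a timedelta."""
    m = _DURATION.match(value)
    if not m or value in ("P", "PT"):
        raise ValueError(f"unsupported duration: {value}")
    days, hours, minutes, seconds = (int(x or 0) for x in m.groups())
    return timedelta(days=days, hours=hours, minutes=minutes, seconds=seconds)


def check_config(props):
    """The text requires idp.session.timeout >= idp.authn.defaultLifetime."""
    return parse_duration(props["idp.session.timeout"]) >= parse_duration(
        props["idp.authn.defaultLifetime"])


def authn_result_valid(login_at, activity, now, props):
    """Model: is the login made at login_at still reusable when the user returns at now?

    It expires when defaultLifetime has passed since login, or when more than
    defaultTimeout passed between two consecutive visits (activity, then now).
    """
    lifetime = parse_duration(props["idp.authn.defaultLifetime"])
    timeout = parse_duration(props["idp.authn.defaultTimeout"])
    if now - login_at > lifetime:
        return False
    last = login_at
    for visit in sorted(activity) + [now]:
        if visit - last > timeout:
            return False
        last = visit
    return True


# Constructed sample: login at 09:00 UTC, then a visit every 50 minutes (8 visits).
T0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
ACTIVE_USER = [T0 + timedelta(minutes=50 * i) for i in range(1, 9)]
```

With these values an active user is still logged in at T0 + 7h but not at T0 + 8h30, while a user who idles for 90 minutes after login must authenticate again.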
In the example, the same times apply to all authentication methods. If different times are desired per authentication method, they can be configured in the conf/authn/general-authn.xml file. Example: https://wiki.shibboleth.net/confluence/display/IDP30/SessionConfiguration#SessionConfiguration-AdvancedSecurityPolicyExample
# Track information about SPs logged into
idp.session.trackSPSessions = true
# Length of time to track SP sessions
idp.session.defaultSPlifetime = PT8H
# Extra time to store sessions for logout
idp.session.slop = P1D
In order for the IdP to know which SPs the user is logged into, tracking of SP sessions must be turned on (idp.session.trackSPSessions = true). The IdP can then send a logout request to the SPs the user has used. In addition, the IdP must be told how long it keeps information about the user's login to each SP (idp.session.defaultSPlifetime = PT8H), so that it knows where to send logout requests and responses. Extra time can also be set for logout (idp.session.slop = P1D), which is added on top of defaultSPlifetime.
The IdP can set the duration of the session created by the SP with the SessionNotOnOrAfter attribute in the AuthnStatement element. This should define the time until which the SP can send logout requests. In practice, however, not all SPs respect this value. In that case the IdP cannot know the duration of the SP sessions and has to make the best estimate from them and from the needs of the IdP's users. The disadvantage of storing sessions is resource consumption, so it is not advisable to keep sessions for an indefinite time.