IDP SSO lifetime (30m or 8h)?

Don Faulkner donf at uark.edu
Wed May 30 16:25:47 BST 2012


I've heard several times that the default IdP session lifetime for SSO
is 8 hours. I take this to mean that I can authenticate to the IdP once,
say at 8am, and be able to SSO into other web pages all day long (fancy
things like forced re-auth, and not meeting authentication requirements
for the SP excepted).

I've also found documentation[1][2] that indicates that the default
session lifetime for AuthUserPass and individual SPs as relying parties
is 30 minutes. I remember reading somewhere else about confusion between
authentication method and session[3], and here it seems to indicate that
the default is 30 minutes, not 8 hours.

I need to change how long the IdP will keep an SSO session alive for, to
something between 4 and 8 hours. Have I found the right knobs, or is
there something else to adjust?
 

[1] https://wiki.shibboleth.net/confluence/display/SHIB2/IdPAuthUserPass
[2] https://wiki.shibboleth.net/confluence/display/SHIB2/IdPSAML2SSOProfileConfig
[3] https://wiki.shibboleth.net/confluence/display/SHIB2/IdPAuthnSession

-- 
me Don Faulkner, CISSP | IT Security <http://its.uark.edu/> at the
University of Arkansas <http://www.uark.edu/>
contact>> donf at uark.edu <mailto:donf at uark.edu> | +1 (479) 575-2905
connect>> uarkITS on Facebook <http://www.facebook.com/uarkITS> | @uaits
<http://twitter.com/uaits> | @dfaulkner <http://twitter.com/dfaulkner>