postdata and Session timeout

Cantor, Scott cantor.2 at
Tue Feb 19 17:38:15 EST 2013

On 2/19/13 5:23 PM, "Robshaw, David A. (GSFC-423.0)[ASRC RESEARCH &
TECHNOLOGY SOLUTIONS]" <david.a.robshaw at> wrote:

>I have two applications authenticated with Shibboleth.  Activity using
>either application will extend my 'single' session.  I log into App1.  I
>access App2 (no login required as session was created by App1).

I don't know what app1 or app2 mean here, you're going to have to be more
precise in your description. If these were separate SPs, there's always a
login required, it just might not prompt. Still a round trip and they know
nothing about each other. Same goes for two applications with discrete
applicationIds on an SP.

> I continue activity in App2 beyond the point where App1 would normally
>have timed out.  I then access App1 by submitting a form.  I do not
>receive a re-authentication login request (expected due to the session
>activity of App2).

I wouldn't expect that at all, thus I don't know what you're doing.

> But the submitted form of App1 is interrupted by the
>postData/postTemplate Shibboleth settings.
>Is this an expected result?  I thought the postTemplate would only be
>invoked for re-authentication.

It's invoked to preserve data across a trip to the IdP, that's it. That's
what a SAML SP would term reauthentication.

>I am also having timeout issues.  It seems my session timeout is set to
>30 minutes.  I can use <Sessions timeout=x>  to extend my session to
>longer than 30 minutes, but not shorter.  This seems backward.

Well, it's not true. The timeout will be whatever you set it to, possibly
lowered by a SessionNotOnOrAfter from the IdP in the assertion.

-- Scott
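
A simplified model of the last point in the reply, as an added example that is not part of the original message or the Shibboleth SP's own code: it reads SessionNotOnOrAfter from a constructed assertion and reports whether the configured timeout or the IdP's bound ends the session first. The function names, the sample assertion and the earlier-of-the-two rule are assumptions for illustration.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion (not from the thread), reduced to the parts used here.
# Real responses must be signature-checked and parsed with a hardened XML parser
# (for example defusedxml); plain ElementTree is used only on this inline sample.
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                ID="_constructed" Version="2.0" IssueInstant="2013-02-19T22:00:00Z">
  <saml:AuthnStatement AuthnInstant="2013-02-19T22:00:00Z"
                       SessionNotOnOrAfter="2013-02-19T22:30:00Z"/>
</saml:Assertion>
"""

def parse_instant(value):
    """Parse a SAML xs:dateTime in UTC ('Z' suffix, optional fractional seconds)."""
    fmt = "%Y-%m-%dT%H:%M:%S.%fZ" if "." in value else "%Y-%m-%dT%H:%M:%SZ"
    return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)

def session_not_on_or_after(assertion_xml):
    """Return the earliest SessionNotOnOrAfter in the assertion, or None if absent."""
    root = ET.fromstring(assertion_xml)
    bounds = [parse_instant(s.get("SessionNotOnOrAfter"))
              for s in root.iterfind(".//saml:AuthnStatement", SAML_NS)
              if s.get("SessionNotOnOrAfter")]
    return min(bounds) if bounds else None

def effective_expiry(last_activity, timeout_seconds, assertion_xml):
    """Assumed model: the earlier of (last activity + timeout) and the IdP's bound."""
    deadline = last_activity + timedelta(seconds=timeout_seconds)
    bound = session_not_on_or_after(assertion_xml)
    if bound is not None and bound < deadline:
        return bound, "SessionNotOnOrAfter"
    return deadline, "timeout"

if __name__ == "__main__":
    last = datetime(2013, 2, 19, 22, 10, tzinfo=timezone.utc)
    for seconds in (600, 3600):
        when, reason = effective_expiry(last, seconds, SAMPLE_ASSERTION)
        print(f"timeout={seconds}s -> session ends {when.isoformat()} ({reason})")
```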
