Transientid and session timeout

Julian Williams julian.williams at it.ox.ac.uk
Mon Feb 19 07:12:39 EST 2018


Hi Shibboleth users,

We have an interesting problem with our Shibboleth IdP v3.2 where
increasing the session timeout (idp.session.timeout) above 60min doesn't
seem to be having the expected effect. We'd like it to be 8 hours but
having set this in idp.properties we are still getting errors like that
below when a SLO request happens 60min after the logon:

2018-02-13 21:08:44,628 - INFO
[net.shibboleth.idp.saml.saml2.profile.impl.ProcessLogoutRequest:315] -
Profile Action ProcessLogoutRequest: No active session(s) found matching
LogoutRequest
2018-02-13 21:08:44,639 - WARN
[org.opensaml.profile.action.impl.LogEvent:76] - An error event occurred
while processing the request: SessionNotFound
2018-02-13 21:08:44,771 - INFO [Shibboleth-Audit.Logout:242] -
20180213T210844Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|_2e9b1c5f-2ef6-4a9f-99d7-f763b4f46b42|http://sts-stg.fed.ox.ac.uk/adfs/services/trust|http://shibboleth.net/ns/profiles/saml2/logout|https://idp.iamtest.ox.ac.uk/shibboleth|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|_fc8f10bf2310f02d114402ec65c2bd0b||||||

In our environment both idp.authn.defaultLifetime and
idp.authn.defaultTimeout are not changed from the default values, 60 &
30min respectively according to the docs[0]. So we'd still expect
re-authentication after 60min but this is hidden from the users in our
environment as we have Shibboleth sitting on top of another SSO layer
that uses Stanford WebAuth which has a much longer SSO session. So
currently the 60min session timeout is only causing a problem for SLO
requests.

So apart from idp.session.timeout, we are wondering what else is
governing the session timeout?

We are using client side sessions and the transientid is, I believe,
used to identify these sessions. So we are wondering whether there is a
60min inherent timeout in the transientids that we are using and whether
there is a way that we can influence that? For instance is the
transientid timeout governed by the idp.authn.defaultLifetime and do we
need to increase that to get an equivalent increase in the transientid
timeout?

Or is there something else at play here?

Any help much appreciated.

Cheers,

Julian



[0]
https://wiki.shibboleth.net/confluence/display/IDP30/SessionConfiguration


-- 
Julian Williams (Systems Developer, Identity and Access Management)
IT Services, University of Oxford

