Transientid and session timeout

Julian Williams julian.williams at
Mon Feb 19 08:01:04 EST 2018

On 19/02/18 12:24, Peter Schober wrote:
> * Julian Williams <julian.williams at> [2018-02-19 13:13]:
>> In our environment both idp.authn.defaultLifetime and
>> idp.authn.defaultTimeout are not changed from the default values, 60 &
>> 30min respectively according to the docs[0]. So we'd still expect
>> re-authentication after 60min but this hidden from the users in our
>> environment as we have Shibboleth sitting on top of another SSO layer
>> that uses Stanford WebAuth which has a much longer SSO session. So
>> currently the 60min session timeout is only causing a problem for SLO
>> requests.
> Did you change this setting in
> # Extra time to store sessions for logout
> #idp.session.slop = PT0S

Yes we do seem to have also changed that in the environment we are
testing this with:

idp.session.slop = PT60M

I had noticed that before but thought that this value acted in addition
to the idp.session.timeout which we have set to 8 hours:

idp.session.timeout = PT8H



Julian Williams (Systems Developer, Identity and Access Management)
IT Services, University of Oxford

More information about the users mailing list