Transientid and session timeout

Cantor, Scott cantor.2 at
Mon Feb 19 09:17:14 EST 2018

> So apart from idp.session.timeout, we are wondering what else is
> governing the session timeout?

There isn't any evidence the session has timed out; this is a logout issue, not a timeout issue.

> We are using client side sessions and the transientid is, I believe,
> used to identify these sessions.

The NameID, whatever it is, is what's used, and if it's not a Shibboleth SP, the usual reason is that it's not sending back the right NameID.

> So we are wondering whether there is a
> 60min inherent timeout in the transientids that we are using

Not relevant.

> there is a way that we can influence that? For instance is the
> transientid timeout governed by the idp.authn.defaultLifetime and do we
> need to increase that to get an equivalent increase in the transientid
> timeout?

It's not governed by that and it doesn't relate to this; authentication policy is not connected to the maintenance of data about SP sessions.
idp.session.defaultSPlifetime is really the core property governing this, bounded by the session timeout and slop values. The IdP doesn't know how long the SP will actually hold on to things, which makes it impossible in the general case to do anything but pick a number and use it.

-- Scott
