timeout settings

Lohr, Donald lohrda at jmu.edu
Wed Mar 25 17:09:58 EDT 2020

A follow-up question to this thread.

Say the IdP authn.defaultTimeout is set to 30 minutes and 
authn.defaultLifetime is set to 90 minutes.

If I first login to SP1 at 10:00:00am - the authn.defaultTimeout timer 
starts and will prompt me to login again at 10:30:00am.

What if I login to SP2 at 10:29:30, does the authn.defaultTimeout timer 
restart, giving me another 30 minute window, etc and etc until I reach 
the end of the authn.defaultLifetime 90 minute window.


On 6/20/19 1:55 PM, Cantor, Scott wrote:
> On 6/20/19, 1:46 PM, "users on behalf of IAM David Bantz" <users-bounces at shibboleth.net on behalf of dabantz at alaska.edu> wrote:
>> I didn't know this. Can you provide hints on where in Shibb documentation to find more about this ability - or potentially
>> blocking SSO itself by IP address for labs?
> The reuseCondition property of the AuthenticationFlowDescriptor objects in general-authn.xml governs reuse of a method regardless of timeouts or any other criteria. It was put there partly for other reasons but a side effect is that it makes all of it dynamically controllable.
> The ForceAuthn flag is also overrideable now by profile configuration / relying party, which means it's also pluggable with a strategy function that can make decisions based on more than just the service if it has to. I'll have to see if I updated the profile configuration summaries that mention a lot of the common options with that.
> On top of that the MFA scripting engine has full control anyway so it can forcibly do whatever it wants in the end.
> -- Scott

D o n a l d   L o h r
I n f o r m a t i o n   S y s t e m s
J a m e s   M a d i s o n   U n i v e r s i t y
5 4 0 . 5 6 8 . 3 7 3 0

More information about the users mailing list