
saml-dev message


Subject: RE: [saml-dev] Cross domain session timeouts


Answers inline:

Does SAML 2.0 provide any capabilities such as:

1. Prevent session idle timeout at IDP while user is browsing SP site? (keep-alive)

The best way to do this would be to do a re-authentication (e.g. do an additional AuthnRequest to the IdP to get an updated token). There are no other means provided.

2. Allow IDP to transmit its session requirements to the SP as part of SAML metadata?
(e.g., "send user back to me for reauthentication after 15 minutes of inactivity")

This is actually carried in the authentication assertion.  The SessionNotOnOrAfter attribute on the AuthnStatement is the place to put this.

3. Allow IDP or SP to register a different URI for session timeout than for a regular single logoff (SLO)?

I don’t understand what you want to do here. SLO uses the reason code to indicate the reason for the ending of a session (so you could have a different reason code to differentiate timeout vs. other reasons), but in either case, it means that the specified authn session should be ended (or not allowed to start if it is presented later).
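
How an SP might honor the SessionNotOnOrAfter value from answer 2, as an added example that is not part of the original message. It assumes the assertion's signature and conditions were already validated by the SP's SAML library; the function names and the sample assertion are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion fragment (not from the original message).
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
  <saml:AuthnStatement AuthnInstant="2024-01-01T12:00:00Z"
      SessionIndex="_idx1" SessionNotOnOrAfter="2024-01-01T12:15:00Z"/>
</saml:Assertion>"""

def parse_saml_time(value):
    """Parse a SAML xs:dateTime (UTC, 'Z' suffix, optional fraction)."""
    fmt = "%Y-%m-%dT%H:%M:%S.%fZ" if "." in value else "%Y-%m-%dT%H:%M:%SZ"
    return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)

def session_not_on_or_after(assertion_xml):
    """Earliest SessionNotOnOrAfter across AuthnStatements, or None."""
    # Assumption: the XML was signature-checked before reaching this code.
    root = ET.fromstring(assertion_xml)
    limits = [parse_saml_time(s.get("SessionNotOnOrAfter"))
              for s in root.iterfind(".//saml:AuthnStatement", NS)
              if s.get("SessionNotOnOrAfter")]
    return min(limits) if limits else None

def sp_session_expiry(assertion_xml, now, local_max):
    """SP session end: local policy, capped by the IdP's stated limit."""
    expiry = now + local_max
    idp_limit = session_not_on_or_after(assertion_xml)
    if idp_limit is not None:
        expiry = min(expiry, idp_limit)
    return expiry

def needs_reauthentication(expiry, now):
    """NotOnOrAfter semantics: the session is over at the instant itself.

    When this returns True the SP sends a new AuthnRequest to the IdP.
    """
    return now >= expiry
```
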

