Subject: RE: [saml-dev] Cross domain session timeouts
Does SAML 2.0 provide any capabilities such as:
1. Prevent session idle timeout at IDP while user is browsing SP site? (keep-alive)
The best way to do this would be to do a re-authentication (e.g. do an additional authnrequest to the IdP to get an updated token). There are no other means provided.
2. Allow IDP to transmit its session requirements to the SP as part of SAML metadata?
This is actually carried in the authentication assertion. The SessionNotOnOrAfter attribute on the AuthnStatement is the place to put this.
3. Allow IDP or SP to register a different URI for session timeout than for a regular single logoff (SLO)?
I don’t understand what you want to do here. SLO uses the reason code to indicate the reason for the ending of a session (so you could have a different reason code to differentiate timeout vs other reasons), but in either case it means that the specified authn session should be ended (or not allowed to start if it is presented later).
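The two mechanisms named in the reply (SessionNotOnOrAfter on the AuthnStatement as the IdP's session bound, and the Reason attribute on a LogoutRequest to distinguish a timeout from an ordinary logout) can be exercised end to end with a few lines of code. The following is an added example, not code from the thread or from any SAML library: the assertion is a constructed, unsigned sample, the SP idle timeout is an assumed deployment setting, and the timeout reason URI is a deployment-chosen placeholder (the core spec only defines the `user` and `admin` reasons and leaves other URIs to the deployment). In production the assertion must be signature-verified and parsed with a hardened parser such as defusedxml before any of these values are trusted.

```python
from datetime import datetime, timedelta, timezone
import uuid
import xml.etree.ElementTree as ET

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
}
ET.register_namespace("saml", NS["saml"])
ET.register_namespace("samlp", NS["samlp"])

# Reason URIs: the first two are defined by SAML 2.0 Core; the third is a
# deployment-specific placeholder (assumption) used to signal an idle timeout.
REASON_USER = "urn:oasis:names:tc:SAML:2.0:logout:user"
REASON_ADMIN = "urn:oasis:names:tc:SAML:2.0:logout:admin"
REASON_TIMEOUT = "urn:example:logout:session-timeout"  # placeholder, not standard

# Constructed sample assertion (no real IdP, signature omitted for brevity).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_abc123" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
  <saml:Issuer>https://idp.example.org/idp</saml:Issuer>
  <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
  <saml:AuthnStatement AuthnInstant="2024-01-01T12:00:00Z"
      SessionIndex="_sess42"
      SessionNotOnOrAfter="2024-01-01T12:30:00Z">
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
    </saml:AuthnContext>
  </saml:AuthnStatement>
</saml:Assertion>"""


def parse_saml_time(value):
    """Parse an xs:dateTime in UTC ('Z' suffix), ignoring fractional seconds."""
    base = value.rstrip("Z").split(".")[0]
    return datetime.strptime(base, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def idp_session_bounds(assertion_xml):
    """Extract the IdP session index and its SessionNotOnOrAfter bound (may be None)."""
    root = ET.fromstring(assertion_xml)
    stmt = root.find("saml:AuthnStatement", NS)
    if stmt is None:
        raise ValueError("assertion carries no AuthnStatement")
    bound = stmt.get("SessionNotOnOrAfter")
    return {
        "session_index": stmt.get("SessionIndex"),
        "not_on_or_after": parse_saml_time(bound) if bound else None,
    }


def sp_session_expiry(now, local_idle_timeout, idp_not_on_or_after):
    """The SP session must not outlive the IdP's bound, whichever comes first."""
    local = now + local_idle_timeout
    if idp_not_on_or_after is None:
        return local
    return min(local, idp_not_on_or_after)


def needs_reauth(now, idp_not_on_or_after):
    """True once the IdP bound has passed: the only 'keep-alive' is a fresh AuthnRequest."""
    return idp_not_on_or_after is not None and now >= idp_not_on_or_after


def build_logout_request(sp_entity_id, name_id, session_index, reason, now):
    """Build a samlp:LogoutRequest whose Reason distinguishes timeout from user logout."""
    req = ET.Element("{%s}LogoutRequest" % NS["samlp"], {
        "ID": "_" + uuid.uuid4().hex,
        "Version": "2.0",
        "IssueInstant": now.strftime("%Y-%m-%dT%H:%M:%SZ"),
        "Reason": reason,
    })
    ET.SubElement(req, "{%s}Issuer" % NS["saml"]).text = sp_entity_id
    ET.SubElement(req, "{%s}NameID" % NS["saml"]).text = name_id
    ET.SubElement(req, "{%s}SessionIndex" % NS["samlp"]).text = session_index
    return ET.tostring(req, encoding="unicode")


def logout_reason(logout_request_xml):
    """Read the Reason back out of a LogoutRequest so the receiver can log timeout vs user."""
    return ET.fromstring(logout_request_xml).get("Reason")


if __name__ == "__main__":
    bounds = idp_session_bounds(SAMPLE_ASSERTION)
    now = datetime(2024, 1, 1, 12, 20, tzinfo=timezone.utc)
    print("SP session expires at", sp_session_expiry(now, timedelta(minutes=15), bounds["not_on_or_after"]))
    print(build_logout_request("https://sp.example.com", "alice", bounds["session_index"], REASON_TIMEOUT, now))
```

The SP keeps its own idle timer but caps it with the IdP's bound, so a long SP browsing session cannot silently extend past what the IdP asserted; when the bound passes, the SP's only option is another AuthnRequest, exactly as the reply states. On the receiving side, `logout_reason` lets an IdP or SP record why the session ended while still terminating it in every case.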