OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

saml-dev message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: Identity Provider Session Timeout


I’m implementing SSO and SLO with SAML.  What I don’t know is:


At some point the user may wish to quit the browser and, even though the cookie is deleted, the session will remain active.. I thought of implementing a session timeout (after like 30min of idle or simply maximum session time of 120 minutes on the IdP)..


The problem is.. imagine IdP , SP A and SP B… the user logs in to IdP and then accesses SP A.. after 3 hours he goes to SP B and requests SSO.. but since 3 hours is over the timeout, the session had already been terminated at the IdP so he cannot SSO.. my question is: is this normal? What behavior should be used in these situations?


Thank you

Filipa Moura


[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]