Grouper Users - Open Discussion List

[Bryan Wooten <>]

I agree with Chris 100%.

 

I think this is an institutional / policy issue.

 

So many meetings/questions re: timeout. CAS vs. Shib. vs. individual applications (Cloud / Peoplesoft / custom in house). Oh, and let’s add “remember me” and MFA. Sorry, let’s add password change policies to the mix.

 

Between CAS and Shib we have over 1000 servers and probably 1500+ applications, there is no way I can herd all those cats.

 

I get confused between my social/entertainment sites, my bank and work… We are all just users that want consistency. Or at least sanity.

 

-Bryan

 

From: <> on behalf of Chris Hyzer <>
Reply-To: Chris Hyzer <>
Date: Friday, June 7, 2019 at 3:47 PM
To: "" <>
Subject: [Ext] [grouper-users] Grouper UI default timeout in ITAP container

 

WARNING: Stop. Think. Read. This is an external email.

There are three timeouts at play in the Grouper UI with the ITAP container:

 

1. The tomcat java session inactivity timeout (current default config is 30 min)
2. The Shib SP timeout inactivity timeout (current default config is 8 hours)
   1. The Shib SP session session lifetime (current default config is 8 hours)
3. The SSO IdP timeout (configured at each institution, my gut feeling is this is >= 1 hour generally)

 

Ive had complaints about 30 min sessions being too short.

 

In my mind, the current configuration does not make sense.  If the tomcat session dies in 30 minutes, the shib SP session will start another one (since active for 8 hours).  But whatever the person was working on will be interrupted and a potential CSRF error will occur.  I think the tomcat session should equal the shib SP session.  If the shib/tomcat is 30 minutes, and the typical SSO/Idp session is >= 60 minutes, then again the user is disrupted of their session, they do not need to login, but might experience an error.

 

We discussed this on slack, and I recommend we change the *default* shibSP / tomcat timeout to 60 minutes.  The 8 hour SP session lifetime should not change. In addition we will document how to overlay adjustments to the config. 

 

Also, btw, Matt Black suggested in jira that we change the UI to show a message about session timeout (so you aren’t surprised the next time you click) which I agree with and we can see if we can get something simple to work before too long.

 

Let us know any thoughts about this change.  😊

 

Thanks!