shibboleth-dev - Re: [Shib-Dev] Steps towards SLO

Subject: Shibboleth Developers

  • From: Kristof BAJNOK <>
  • To:
  • Subject: Re: [Shib-Dev] Steps towards SLO
  • Date: Wed, 15 Jul 2009 21:07:00 +0200
  • Organization: NIIF Institute

On Wednesday 15 July 2009 Scott Cantor wrote:
> >>> association forever. If the SP session could be limited to be shorter
> >>> than the IdP session, that would be sufficient, but AFAIK there is no
> >>> limit in the SP session lifetime provided that there is regular user
> >>> activity.
>
> That's what SessionNotOnOrAfter is for. It is not true that user activity
> indefinitely extends the session. That's a "lifetime" issue. Activity
> affects timeout behavior only. SessionNotOnOrAfter caps the session
> lifetime.

Yup, I'd better check the docs closer next time... :/

BTW, is there a way for the IdP to insert SessionNotOnOrAfter into the
AuthnStatement to control SP session lifetime?

So a federation that wants to 'support' SLO needs to at least mandate the
minimum length of inactivity timeout in the IdPs to be longer than the
maximum allowed SP session lifetime. Good to write up on the post-it of
requirements. Why am I thinking it's not the last one?

Thanks for the clarification. I really appreciate your help with
our 'guerilla' development. I know that supporting users is not as bad as
dealing with friendly developers. ;)
Kristof
--
Kristof BAJNOK
Systems Engineer / Middleware
NIIF / Hungarnet
Hungary
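
The lifetime/timeout distinction discussed in this message, as an added example that is not part of the original post and not Shibboleth code: a simplified SP session model in which activity resets only the idle timer while SessionNotOnOrAfter lowers the hard expiry. The class and function names, the sample AuthnStatement, and all durations are constructed assumptions.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

AUTHN_TAG = "{urn:oasis:names:tc:SAML:2.0:assertion}AuthnStatement"

# Constructed sample statement, not taken from a real IdP.
SAMPLE = """<saml:AuthnStatement
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  AuthnInstant="2009-07-15T19:00:00Z" SessionIndex="_constructed"
  SessionNotOnOrAfter="2009-07-15T21:00:00Z"/>"""

def idp_cap(xml_text):
    """Return SessionNotOnOrAfter as an aware datetime, or None if absent."""
    for stmt in ET.fromstring(xml_text).iter(AUTHN_TAG):
        value = stmt.get("SessionNotOnOrAfter")
        if value:
            parsed = datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")
            return parsed.replace(tzinfo=timezone.utc)
    return None

class SpSession:
    """Simplified model (an assumption, not Shibboleth SP code)."""
    def __init__(self, created, lifetime, timeout, cap=None):
        # Hard limit: the SP's own lifetime, lowered by the IdP's cap if sent.
        self.hard_expiry = created + lifetime
        if cap is not None:
            self.hard_expiry = min(self.hard_expiry, cap)
        self.timeout = timeout
        self.last_access = created

    def touch(self, now):
        """Record a request; activity resets the idle timer only."""
        if now >= self.hard_expiry or now - self.last_access >= self.timeout:
            return False
        self.last_access = now
        return True

def first_rejection(session, start, step, horizon):
    """Send a request every `step`; return when the SP first refuses one."""
    now = start
    while now <= start + horizon:
        if not session.touch(now):
            return now
        now += step
    return None

def slo_policy_ok(idp_inactivity_timeout, sp_max_lifetime):
    """Requirement from the message: IdP idle timeout > SP max lifetime."""
    return idp_inactivity_timeout > sp_max_lifetime
```
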