Shibboleth Developers

["Scott Cantor" <>]

Kristof BAJNOK wrote on 2009-07-15:
> BTW, is there a way for the IdP to insert SessionNotOnOrAfter into the
> AuthnStatement to control SP session lifetime?

maximumSPSessionLifetime

If you want to know what the IdP can do, I advise looking at the schemas and 
the annotations on the settings there.

> So a federation that wants to 'support' SLO needs at least mandate the
> minimum length of inactivity timeout in the IdPs to be longer than the
> maximum allowed SP session lifetime. Good to write up on the post-it of
> requirements. Why am I thinking it's not the last one?

I wouldn't really term it IdP inactivity timeout, since one doesn't really 
see inactivity timeouts on that end. It's just a session lifetime.

> Thanks for the clarification. I really appreciate your help with
> our 'guerilla' development. I know that supporting users is not as bad as
> dealing with friendly developers. ;)

That may depend on the person, I'd rather answer development questions all 
day.

-- Scott