SAML2 IDP session timeout and SLO


In most cases IDP implementations don't invoke single logout when the IDP's session expires. One of the reasons is that many SP implementations don't support single logout over the back channel (a SOAP call), and that's the only binding available in this situation.

It is likely that your SP session expires because it follows the sessionNotOnOrAfter parameter, which is included in the authentication statement of the Assertion inside the SAML Response message sent from the IDP during single sign-on.

So to answer your question: your SP sessions are likely expiring due to the settings of your IDP (which define the value sent in sessionNotOnOrAfter), but the IDP probably doesn't issue a single logout and doesn't communicate with your SP in any way (so it is also unaware of whether the SP session is still in use or not).

You might want to look into your SP configuration and see whether you can alter its behavior regarding the sessionNotOnOrAfter property, or change the value provided by the IDP.

This is an educated guess; your environment might be behaving differently than I'm presuming. As Stefan already commented, this behavior is not standardized.
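To make the answer's mechanism concrete, here is an added example (not code from the original post or from any IDP/SP product) that parses the SessionNotOnOrAfter attribute out of the AuthnStatement of a SAML 2.0 Response and shows how an SP that honors it ends up with a session deadline that ignores user activity. The Response XML is constructed by hand (unsigned, fictitious issuer and identifiers) purely for illustration; the `honor_session_not_on_or_after` switch stands in for whatever the SP's real configuration knob is called.

```python
"""Derive an SP session deadline from a SAML 2.0 Response's SessionNotOnOrAfter.

Added example, not code from the original post or any real IdP/SP. The Response below
is constructed for illustration only (no signature, fictitious issuer and IDs).
"""
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple
import xml.etree.ElementTree as ET

# Standard SAML 2.0 namespaces.
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed sample: the AuthnStatement carries SessionNotOnOrAfter 30 minutes after
# AuthnInstant, which is what an IdP with a 30 min session timeout would typically send.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_resp1" Version="2.0" IssueInstant="2022-06-17T10:00:00Z">
  <saml:Issuer>https://idp.example.org/saml</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2022-06-17T10:00:00Z">
    <saml:Issuer>https://idp.example.org/saml</saml:Issuer>
    <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
    <saml:AuthnStatement AuthnInstant="2022-06-17T10:00:00Z"
        SessionIndex="_s1"
        SessionNotOnOrAfter="2022-06-17T10:30:00Z">
      <saml:AuthnContext>
        <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
      </saml:AuthnContext>
    </saml:AuthnStatement>
  </saml:Assertion>
</samlp:Response>"""


def parse_saml_time(value: str) -> datetime:
    """SAML xs:dateTime values are UTC with a trailing 'Z'; return an aware datetime."""
    if not value.endswith("Z"):
        raise ValueError("SAML times must be UTC with a trailing Z: %r" % value)
    return datetime.fromisoformat(value[:-1]).replace(tzinfo=timezone.utc)


def session_not_on_or_after(response_xml: str) -> Tuple[Optional[str], Optional[datetime]]:
    """Return (SessionIndex, SessionNotOnOrAfter) from the first AuthnStatement.

    SessionNotOnOrAfter is optional in SAML 2.0, so the second element may be None.
    """
    root = ET.fromstring(response_xml)
    stmt = root.find("saml:Assertion/saml:AuthnStatement", NS)
    if stmt is None:
        raise ValueError("Response carries no AuthnStatement")
    raw = stmt.get("SessionNotOnOrAfter")
    return stmt.get("SessionIndex"), (parse_saml_time(raw) if raw else None)


def sp_session_deadline(
    idp_limit: Optional[datetime],
    last_activity: datetime,
    inactivity_minutes: int,
    honor_session_not_on_or_after: bool = True,
) -> Tuple[datetime, str]:
    """Compute when the SP session ends and why.

    The local rule is an inactivity window that moves with every request. The IdP's
    SessionNotOnOrAfter is an absolute wall-clock limit fixed at SSO time: if the SP
    honors it, an actively used session still dies at that instant, because the IdP
    never learns about SP-side activity. `honor_session_not_on_or_after` is a
    hypothetical switch standing in for the SP's real configuration option.
    """
    local = last_activity + timedelta(minutes=inactivity_minutes)
    if honor_session_not_on_or_after and idp_limit is not None and idp_limit < local:
        return idp_limit, "SessionNotOnOrAfter"
    return local, "inactivity"


def session_is_active(now: datetime, deadline: datetime) -> bool:
    """'NotOnOrAfter' semantics: the session is invalid at exactly the deadline."""
    return now < deadline


if __name__ == "__main__":
    index, limit = session_not_on_or_after(SAMPLE_RESPONSE)
    # User is busy at 10:25 with a 30 min SP inactivity window, yet the IdP limit wins.
    deadline, why = sp_session_deadline(limit, parse_saml_time("2022-06-17T10:25:00Z"), 30)
    print(index, limit.isoformat(), deadline.isoformat(), why)
```

Run against the constructed Response, the SP's effective deadline is the IdP's 10:30 limit rather than the 10:55 inactivity deadline, which is exactly the "session dies while the user is working" symptom from the question; flipping the switch (or having the IDP send a later value) makes the inactivity rule the only one that applies.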

Author: mithrandir

Updated on June 17, 2022

Comments

  • mithrandir, about 2 years ago:

    We have a SAML2 IDP configured with a session inactivity time-out of 30 min. After the single sign-on the user is successfully logged on to the SP. Now the SP is also configured for SAML Single Logout (SLO). It appears that even as users are working in the SP app, the session time-out happens. I was wondering if this is happening due to the session inactivity set up at the IDP. I would like to understand how the IDP knows that the user sessions are active at the SP so that it doesn't issue an SLO. Any ideas?

  • mithrandir, almost 10 years ago:

    That makes sense. I'll check that. Regarding your first statement, do you mean to say that the SLO is always executed via the back channel? In the current case I am using front-end SSO using the SAML web profile. My SP has an SLO end-point to which an HTTP POST / redirect can be done.
  • Vladimír Schäfer, almost 10 years ago:

    No, what I mean is that when the IDP's session expires, the only binding which can be used to deliver SLO to SPs is through the back channel. The expiration happens in a situation when the user typically isn't interacting with the IDP, and the IDP therefore cannot use a front-end binding, as that would require availability of the user agent (= web browser). Of course, when the user explicitly invokes single logout (= not during expiration, but by e.g. clicking a logout button), IDPs and SPs can use front-channel bindings to execute it.
  • mithrandir, almost 10 years ago:

    Makes sense!! Thanks for the clarification.