...

Authentication

The IdP uses software components called LoginHandlers to authenticate users. Each LoginHandler is responsible for performing one or more types of authentication process. For example, there might be authentication processes that validate a username/password against an LDAP directory, validate an X.509 certificate, or check a one-time password. Each LoginHandler has an associated authentication method duration. The duration identifies the amount of time, after initial authentication, that this method may be used to automatically sign a user in to (i.e., SSO to) the service. Once that amount of time passes, the user must authenticate again in order to use that particular authentication method.

...

The user session tracks information about the user (e.g., what authentication methods are currently active, to which services the user has authenticated, etc.). This information is used by the IdP to determine whether SSO should take place, which services should receive logout requests (once the IdP supports SLO), and so forth, and may be used within the attribute resolver and the attribute filtering process. A session also has an inactivity timeout that is reset any time the user is authenticated to a service provider.

...

The relationship between authentication method duration and session lifetime can be confusing. The session controls the overall lifetime of the user's interaction with the IdP. That is, if the session is terminated (e.g., because it timed out) the authentication method duration is irrelevant. All methods are terminated with the session.

Here's an example. The IdP has configured a session lifetime of 8 hours (up from the default of 30 minutes). It has two LoginHandlers configured. One performs username/password (UP) authentication and has a duration of 1 hour. The other performs X.509 authentication and has a duration of 15 minutes. The user logs in to SP1 and authenticates to the IdP via the UP LoginHandler. The user then logs in to SP2 and authenticates to the SP via the X.509 LoginHandler. The user goes for a tea and comes back in 20 minutes.

Next the user tries to log in to SP4, which happens to require X.509 authentication. The user is asked to re-authenticate because the authentication method duration for that LoginHandler (only 15 mins) has passed. Then the user logs in to SP5, which requires UP authentication. In this case, the user is not prompted to re-authenticate because the authentication duration has not passed for this authentication method.

Now assume that the UP login method has a 10 hour authentication duration. The user goes to SP1, logs in with UP authentication, and then goes to bed and sleeps a full 9 hours. After the user wakes up, he goes to SP5, which requires UP authentication, and is asked to re-authenticate. In this case, re-authentication occurs not because the authentication method duration has passed but because the session was terminated due to inactivity, and therefore all authentication methods have been terminated.
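The two walkthroughs above, replayed in a small Python model added here (it is not Shibboleth code; the class and method names, and the choice to count any SP login, SSO included, as activity that resets the inactivity timer, are assumptions made for the illustration):

```python
from dataclasses import dataclass, field
from typing import Dict, Optional

MIN, HOUR = 1, 60  # times are in minutes for readability


@dataclass
class LoginHandler:
    name: str
    duration: int  # authentication method duration: how long SSO with this method is allowed


@dataclass
class Session:
    inactivity_timeout: int
    last_activity: Optional[int] = None
    active_methods: Dict[str, int] = field(default_factory=dict)  # method -> initial auth time

    def timed_out(self, now: int) -> bool:
        return self.last_activity is not None and now - self.last_activity > self.inactivity_timeout

    def access_sp(self, handler: LoginHandler, now: int) -> Optional[str]:
        """Return why the user must re-authenticate, or None if SSO is granted silently."""
        reason = None
        if self.timed_out(now):
            self.active_methods.clear()  # session termination ends every active method
            reason = "session timed out"
        authenticated_at = self.active_methods.get(handler.name)
        if authenticated_at is None:
            reason = reason or "no active authentication with this method"
        elif now - authenticated_at > handler.duration:
            reason = "method duration exceeded"
        if reason:
            self.active_methods[handler.name] = now  # fresh authentication starts the clock again
        self.last_activity = now  # authenticating to an SP resets the inactivity timeout
        return reason


def scenario_one() -> Dict[str, Optional[str]]:
    """8 h session, UP 1 h, X.509 15 min; tea break of 20 min between SP2 and SP4."""
    session = Session(inactivity_timeout=8 * HOUR)
    up, x509 = LoginHandler("UP", 1 * HOUR), LoginHandler("X.509", 15 * MIN)
    return {"SP1": session.access_sp(up, 0), "SP2": session.access_sp(x509, 0),
            "SP4": session.access_sp(x509, 20 * MIN), "SP5": session.access_sp(up, 20 * MIN)}


def scenario_two() -> Optional[str]:
    """UP duration raised to 10 h, but the user sleeps 9 h, past the 8 h inactivity timeout."""
    session = Session(inactivity_timeout=8 * HOUR)
    up = LoginHandler("UP", 10 * HOUR)
    session.access_sp(up, 0)
    return session.access_sp(up, 9 * HOUR)
```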