...

An IdP session is created by default (idp.session.enabled=true) upon a successful authentication event. The IdP session uses a sliding window expiration policy that is updated under one of two conditions:

  1. An existing authentication result stored in the session is used to satisfy security demands made by an SP.

  2. A new authentication result is created from a successful user authentication event in order to satisfy security demands made by an SP. The new result is also stored in the session.

Thus the IdP session tracks all authentication events that occur during the lifetime of the session, represented by objects of type AuthenticationResult. When the idp.session.trackSPSessions flag is enabled, the IdP session also tracks successful requests to access SPs, represented by objects of the base interface SPSession; this facility is required to support single logout.

...

IdP sessions are by default bound to an "address" in order to prevent trivial session takeover simply through session cookie exposure. This can be disabled via the idp.session.consistentAddress property or relaxed in various ways through the idp.session.consistentAddressCondition extension point. It is deeply ill-advised to simply disable this checking entirely, and it is deeply unsafe to operate networks that hide a plethora of clients behind a single address.

The session address binding layer supports simultaneous binding of sessions to both IPv4 and IPv6 addresses so clients may use both types and float between them.

...

In many cases an SSO deployment must satisfy policy requirements around how frequently users must reauthenticate. There are three properties that generally determine authentication frequency:

  1. idp.session.timeout (default PT60M)

  2. idp.authn.defaultLifetime (default PT60M)

  3. idp.authn.defaultTimeout (default PT30M)

Tip

Note that the latter two, being authentication-related, were moved to conf/authn/authn.properties in V4.1+, but may remain in idp.properties on upgraded systems. The exact location doesn't matter; all properties are loaded as a set.

Under the default configuration, user authentication occurs hourly except in cases where the IdP session (and thus any contained authentication result) is idle for more than 30 minutes. Note that some authentication methods may be non-interactive such that users don't actually have to explicitly provide credentials (IPAddress, X509Internal), but an authentication event is nonetheless occurring hourly under the default configuration.
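As an added illustration (not code from the Shibboleth project), the following Python model applies the three default timeouts above, the sliding session window, and the per-family address binding to a constructed sequence of SP requests. Checking only the newest stored AuthenticationResult and the outcome labels are simplifying assumptions of this model.

```python
# Added illustrative model of the session/authentication timeouts described above.
# It is not the IdP's own code; timestamps (seconds) and addresses are constructed.
from dataclasses import dataclass, field
from ipaddress import ip_address

SESSION_TIMEOUT = 60 * 60   # idp.session.timeout       (PT60M): sliding window
AUTHN_LIFETIME = 60 * 60    # idp.authn.defaultLifetime (PT60M): absolute age of a result
AUTHN_TIMEOUT = 30 * 60     # idp.authn.defaultTimeout  (PT30M): inactivity of a result

@dataclass
class AuthenticationResult:
    authn_instant: int      # when the user actually authenticated
    last_activity: int      # last time this result satisfied an SP

@dataclass
class IdPSession:
    last_activity: int
    results: list = field(default_factory=list)
    bound: dict = field(default_factory=dict)   # IP version -> bound address

def address_consistent(session, addr):
    """One bound address per IP family, so a client may use IPv4 and IPv6 together."""
    ip = ip_address(addr)
    return session.bound.setdefault(ip.version, ip) == ip

def access_sp(session, now, addr, consistent_address=True):
    """Handle an SP request at `now`; returns (session, outcome)."""
    if session and consistent_address and not address_consistent(session, addr):
        session = None                      # address mismatch: session not usable
    if session is None or now - session.last_activity > SESSION_TIMEOUT:
        session = IdPSession(now, [AuthenticationResult(now, now)])
        address_consistent(session, addr)   # bind the new session to this address
        return session, "new_session"
    session.last_activity = now             # any use slides the session window
    result = session.results[-1]            # model: only the newest result is checked
    if (now - result.authn_instant <= AUTHN_LIFETIME
            and now - result.last_activity <= AUTHN_TIMEOUT):
        result.last_activity = now          # condition 1: existing result reused
        return session, "reused"
    session.results.append(AuthenticationResult(now, now))  # condition 2: new result
    return session, "reauthenticated"

def simulate(requests):
    """requests: constructed (seconds, client address) pairs; returns one outcome each."""
    session, outcomes = None, []
    for now, addr in requests:
        session, outcome = access_sp(session, now, addr)
        outcomes.append(outcome)
    return outcomes
```

Feeding `simulate` a request 35 minutes after login returns "reauthenticated" even though the session is still alive, which is the "idle for more than 30 minutes" case in the paragraph above.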

...