Versions Compared

Old Version 2

changes.mady.by.user Marvin Addison

Saved on

compared with

New Version 3

changes.mady.by.user Marvin Addison

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Add advanced session config example

...

Under the default configuration, user authentication occurs hourly except in cases where the IdP session is idle for more than 30 minutes. Note that some authentication methods may be non-interactive such that users don't actually have to explicitly provide credentials (IPAddress, X509Internal), but an authentication event is nonetheless occurring hourly under the default configuration.

Simple Security Policy Example

An example may be helpful in further clarifying how session configuration defines security policy around user authentication. Suppose a deployer wants to implement the following security policy:

  • Users must authenticate at least once daily.
  • An IdP session may remain idle at most for 60 minutes.
Code Block
languagejavabash
titleSample Security Policyconf/idp.properties
# IDP session must be at _least_ as long as authn result lifetime
idp.session.timeout=PT24H
 
# Authentication results live for at most 24 hours
idp.authn.defaultLifetime=PT24H
 
# Authentication results may be idle for at most 60 minutes
idp.authn.defaultTimeout=PT60M

Advanced Security Policy Example

In some cases it may be permissible to allow some authentication methods to have longer lifetimes than others; for example, an authentication result produced by a hardware token may be valid for a day whereas that of a password credential is valid for an hour. These policies are accommodated by defining a conservative idp.authn.defaultLifetimeand more liberal periods for specific authentication methods. A hypothetical security policy follows with the configuration required to implement it.

  • Users must authenticate every hour using a password credential
  • Users must authenticate daily using a hardware token containing an X.509 certificate
  • An IdP session may be idle for at most 60 minutes under any circumstances
Code Block
languagebash
titleconf/idp.properties
 # IDP session must be at _least_ as long as authn result lifetime
idp.session.timeout=PT24H
 
# Conservative default authentication result lifetime is 60 minutes
idp.authn.defaultLifetime=PT60M
 
# Defines idle time on authentication results. Not overridden per authn method in this case.
idp.authn.defaultTimeout=PT60M
Code Block
languagexml
titleconf/authn/general-authn.xml
    <util:list id="shibboleth.AvailableAuthenticationFlows">
        <bean id="authn/Password" parent="shibboleth.AuthenticationFlow"
                p:passiveAuthenticationSupported="true"
                p:forcedAuthenticationSupported="true" />

        <bean id="authn/X509" parent="shibboleth.AuthenticationFlow"
                p:forcedAuthenticationSupported="true"
                p:nonBrowserSupported="false"
                p:lifetime="PT24H">
            <property name="supportedPrincipals">
                <util:list>
                    <bean parent="shibboleth.SAML2AuthnContextClassRef"
                        c:classRef="http://id.incommon.org/assurance/silver" />
                    <bean parent="shibboleth.SAML2AuthnContextClassRef"
                        c:classRef="http://id.incommon.org/assurance/bronze" />
                </util:list>
            </property>
        </bean>
    </util:list>