The Shibboleth IdP V3 software has reached its End of Life and is no longer supported. This documentation is available for historical purposes only. See the IDP4 wiki space for current documentation on the supported version.

Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

Version 1 Next »

Current File(s): conf/idp.properties, conf/authn/general-authn.xml

Format: Properties, Native Spring

Overview

An IdP session is created by default (idp.session.enabled=true) upon a successful authentication event. The IdP session uses a sliding window expiration policy that is updated under one of two conditions:

  1. An existing authentication result stored in the session is used to satisfy security demands made by an SP.
  2. A new authentication result is created from a successful user authentication event in order to satisfy security demands made by an SP. The new result is also stored in the session.

Thus the IdP session tracks all authentication events that occur during the lifetime of the session. When the idp.session.trackSPSessionsflag is enabled, the IdP session also tracks successful requests to access SPs; this facility is required to support single logout. The IdP session stores authentication results keyed on the ID of the authentication flow that drives the authentication process. The consequence of this design is that a subsequent invocation of the same authentication flow, for example in response to a forced authentication request, would overwrite a previous result of the same flow. Authentication results stored in the IdP session are themselves subject to expiration by a sliding window up to an absolute limit. If an SP makes a request to the IdP and there is no active authentication result that satisfies the security demands of the SP, the user is forced to reauthenticate.

Security Policy Implications of Session Timeouts

In many cases an SSO deployment must satisfy security policy requirements around how frequently users must reauthenticate. There are three properties that generally determine authentication frequency:

  1. idp.session.timeout (default PT60M)
  2. idp.authn.defaultLifetime (default PT60M)
  3. idp.authn.defaultTimeout (default PT30M)

Under the default configuration, user authentication occurs hourly. Note that some authentication methods may be non-interactive such that users don't actually have to explicitly provide credentials (IPAddress, X509Internal), but an authentication event is nonetheless occurring hourly under the default configuration.

  • No labels