wiki:SSOlifetime
Last modified 6 years ago Last modified on 06/20/14 10:20:27

IAM / Projects / Shibboleth / SSO duration

Session lifetime / authentication method duration

There are two places in the IdP that control the duration of the SSO session.

see https://wiki.shibboleth.net/confluence/display/SHIB2/IdPAuthnSession

Lifetime (duration) of the Authentication is determined in handler.xml:

<!--  Username/password login handler -->
<LoginHandler xsi:type="UsernamePassword"
    jaasConfigurationLocation="file:///opt/shibboleth-idp/conf/login.config">

   <AuthenticationMethod>
       urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
   </AuthenticationMethod>

</LoginHandler>

The default duration of the authentication is 30 minutes (https://wiki.shibboleth.net/confluence/display/SHIB2/IdPAuthUserPass)

To change that time, add the optional attribute authenticationDuration inside the handler definition:

<!--  Username/password login handler with 8 hour duration  —>
<LoginHandler xsi:type="UsernamePassword"
    jaasConfigurationLocation="file:///opt/shibboleth-idp/conf/login.config"
    authenticationDuration=“480” >
    
   <AuthenticationMethod>
       urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
   </AuthenticationMethod>

</LoginHandler>

N.B. Adding the Multi-Context Broker (MCB) replaces that handler with an MCB handler
that explicitly sets authenticationDuration as follows:

    <ph:LoginHandler xsi:type="mcb:MultiContextBroker" authenticationDuration="PT8H0M0.000S" previousSession="true"
        depends-on="mcb.Configuration">
        <ph:AuthenticationMethod>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</ph:AuthenticationMethod>
        <ph:AuthenticationMethod>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</ph:AuthenticationMethod>
        <ph:AuthenticationMethod>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</ph:AuthenticationMethod>
        <ph:AuthenticationMethod>https://iam.alaska.edu/trac/wiki/mfa</ph:AuthenticationMethod>
        <ph:AuthenticationMethod>urn:oasis:names:tc:SAML:2.0:ac:classes:PreviousSession</ph:AuthenticationMethod>
    </ph:LoginHandler>

The session lifetime is determined in the shibboleth.SessionManager bean

from the Shibboleth 2.0 wiki:

The session lifetime is configured in the IDP_HOME/conf/internal.xml file. Locate the shibboleth.SessionManager bean. Its second constructor argument is the inactivity timeout, in milliseconds, for the session. By default it is 30 minutes.

Admittedly, this is a totally confusing and poorly represented setting. It will be changed in a future release.

In the xml below, the session lifetime is set at 8 hours (480 min x 60 sec/min x 1000 msec/sec = 28800000 msec):

<bean id="shibboleth.SessionManager"
          class="edu.internet2.middleware.shibboleth.idp.session.impl.SessionManagerImpl"
          depends-on="shibboleth.LogbackLogging">
       <constructor-arg ref="shibboleth.StorageService" />
       <constructor-arg value="28800000" type="long" />
</bean>