| 1 | |
| 2 | === Session lifetime / authentication method lifetime === |
| 3 | |
| 4 | There are two places in the IdP that control the duration of the SSO session. |
| 5 | |
| 6 | See https://wiki.shibboleth.net/confluence/display/SHIB2/IdPAuthnSession |
| 7 | — |
| 8 | |
| 9 | ==== Lifetime (duration) of the Authentication is determined in handler.xml: ==== |
| 10 | |
| 11 | |
| 12 | {{{ |
| 13 | <!-- Username/password login handler --> |
| 14 | <LoginHandler xsi:type="UsernamePassword" |
| 15 | jaasConfigurationLocation="file:///opt/shibboleth-idp/conf/login.config"> |
| 16 | |
| 17 | <AuthenticationMethod> |
| 18 | urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport |
| 19 | </AuthenticationMethod> |
| 20 | |
| 21 | </LoginHandler> |
| 22 | |
| 23 | }}} |
| 24 | |
| 25 | |
| 26 | |
| 27 | ''The default duration of the authentication is 30 minutes'' |
| 28 | (https://wiki.shibboleth.net/confluence/display/SHIB2/IdPAuthUserPass) |
| 29 | |
| 30 | To change that time, add the optional attribute authenticationDuration |
| 31 | (a value in minutes) inside the handler definition: |
| 32 | |
| 33 | |
| 34 | {{{ |
| 35 | <!-- Username/password login handler with 8 hour duration --> |
| 36 | <LoginHandler xsi:type="UsernamePassword" |
| 37 | jaasConfigurationLocation="file:///opt/shibboleth-idp/conf/login.config" |
| 38 | authenticationDuration="480" > |
| 39 | |
| 40 | <AuthenticationMethod> |
| 41 | urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport |
| 42 | </AuthenticationMethod> |
| 43 | |
| 44 | </LoginHandler> |
| 45 | |
| 46 | }}} |
| 47 | |
| 48 | ==== The session lifetime is determined in the shibboleth.!SessionManager bean ==== |
| 49 | |
| 50 | From the Shibboleth 2.0 wiki: |
| 51 | |
| 52 | The session lifetime is configured in the IDP_HOME/conf/internal.xml file. Locate the shibboleth.!SessionManager bean. Its second constructor argument is the inactivity timeout, in milliseconds, for the session. By default it is 30 minutes. |
| 53 | |
| 54 | Admittedly, this is a totally confusing and poorly represented setting. It will be changed in a future release. |
| 55 | |
| 56 | In the XML below, the session lifetime is set to 8 hours |
| 57 | (480 min x 60 sec/min x 1000 msec/sec = 28800000 msec): |
| 58 | {{{ |
| 59 | <bean id="shibboleth.SessionManager" |
| 60 | class="edu.internet2.middleware.shibboleth.idp.session.impl.SessionManagerImpl" |
| 61 | depends-on="shibboleth.LogbackLogging"> |
| 62 | <constructor-arg ref="shibboleth.StorageService" /> |
| 63 | <constructor-arg value="28800000" type="long" /> |
| 64 | </bean> |
| 65 | }}} |
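
Because the two settings live in different files and use different units (minutes in handler.xml, milliseconds in internal.xml), it is easy to change one and forget the other. The following check is an added example, not part of the Shibboleth distribution or of this page's original configuration. It parses both files and reports any disagreement; the embedded XML is a constructed sample modelled on the snippets above, and the function names and the 480-minute policy ceiling are assumptions.

```python
import xml.etree.ElementTree as ET

DEFAULT_MINUTES = 30  # default for authenticationDuration, as stated above
XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"

# Constructed samples modelled on the snippets above (not real deployment files).
HANDLER_XML = """<ProfileHandlerGroup xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <LoginHandler xsi:type="UsernamePassword"
      jaasConfigurationLocation="file:///opt/shibboleth-idp/conf/login.config"
      authenticationDuration="480">
    <AuthenticationMethod>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</AuthenticationMethod>
  </LoginHandler>
</ProfileHandlerGroup>"""
INTERNAL_XML = """<beans>
  <bean id="shibboleth.SessionManager"
      class="edu.internet2.middleware.shibboleth.idp.session.impl.SessionManagerImpl">
    <constructor-arg ref="shibboleth.StorageService" />
    <constructor-arg value="28800000" type="long" />
  </bean>
</beans>"""

def local(tag):
    """Strip any XML namespace so the check works with or without prefixes."""
    return tag.rsplit("}", 1)[-1]

def auth_durations(handler_xml):
    """Map each LoginHandler xsi:type to its authenticationDuration in minutes."""
    return {el.get(XSI_TYPE, "?"): int(el.get("authenticationDuration", DEFAULT_MINUTES))
            for el in ET.fromstring(handler_xml).iter() if local(el.tag) == "LoginHandler"}

def session_timeout_minutes(internal_xml):
    """Second constructor-arg of shibboleth.SessionManager, converted from ms to minutes."""
    for bean in ET.fromstring(internal_xml).iter():
        if local(bean.tag) == "bean" and bean.get("id") == "shibboleth.SessionManager":
            args = [c for c in bean if local(c.tag) == "constructor-arg"]
            return int(args[1].get("value")) / 60000
    raise ValueError("shibboleth.SessionManager bean not found")

def audit(handler_xml, internal_xml, max_minutes=480):
    """Return findings: values over the assumed policy ceiling, or the two places disagreeing."""
    session = session_timeout_minutes(internal_xml)
    findings = []
    if session > max_minutes:
        findings.append(f"session timeout {session:g} min exceeds {max_minutes} min")
    for kind, minutes in auth_durations(handler_xml).items():
        if minutes > max_minutes:
            findings.append(f"{kind}: authenticationDuration {minutes} min exceeds {max_minutes} min")
        if minutes != session:
            findings.append(f"{kind}: authenticationDuration {minutes} min != session timeout {session:g} min")
    return findings
```

To run it against a deployment, read handler.xml and internal.xml from the IdP's conf directory and pass their contents to `audit()`.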