| Version 2 (modified by dabantz@…, 10 years ago) (diff) |
|---|
Session lifetime / authentication method lifetime
There are two places in the IdP that control the duration of the SSO session.
see https://wiki.shibboleth.net/confluence/display/SHIB2/IdPAuthnSession —
Lifetime (duration) of the Authentication is determined in handler.xml:
<!-- Username/password login handler -->
<LoginHandler xsi:type="UsernamePassword"
jaasConfigurationLocation="file:///opt/shibboleth-idp/conf/login.config">
<AuthenticationMethod>
urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
</AuthenticationMethod>
</LoginHandler>
The default duration of the authentication is 30 minutes (https://wiki.shibboleth.net/confluence/display/SHIB2/IdPAuthUserPass)
To change that time, add the optional attribute authenticationDuration inside the handler definition:
<!-- Username/password login handler with 8 hour duration —>
<LoginHandler xsi:type="UsernamePassword"
jaasConfigurationLocation="file:///opt/shibboleth-idp/conf/login.config"
authenticationDuration=“480” >
<AuthenticationMethod>
urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
</AuthenticationMethod>
</LoginHandler>
The session lifetime is determined in the shibboleth.SessionManager bean
from the Shibboleth 2.0 wiki:
The session lifetime is configured in the IDP_HOME/conf/internal.xml file. Locate the shibboleth.SessionManager bean. Its second constructor argument is the inactivity timeout, in milliseconds, for the session. By default it is 30 minutes.
Admittedly, this is a totally confusing and poorly represented setting. It will be changed in a future release.
In the xml below, the session lifetime is set at 8 hours (480 min x 60 sec/min x 1000 msec/sec = 28800000 msec):
<bean id="shibboleth.SessionManager"
class="edu.internet2.middleware.shibboleth.idp.session.impl.SessionManagerImpl"
depends-on="shibboleth.LogbackLogging">
<constructor-arg ref="shibboleth.StorageService" />
<constructor-arg value="28800000" type="long" />
</bean>
