wiki:SSOlifetime

Version 2 (modified by dabantz@…, 11 years ago) (diff)

--

Session lifetime / authentication method lifetime

There are two places in the IdP that control the duration of the SSO session.

see https://wiki.shibboleth.net/confluence/display/SHIB2/IdPAuthnSession

Lifetime (duration) of the Authentication is determined in handler.xml:

<!--  Username/password login handler -->
<LoginHandler xsi:type="UsernamePassword"
    jaasConfigurationLocation="file:///opt/shibboleth-idp/conf/login.config">

   <AuthenticationMethod>
       urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
   </AuthenticationMethod>

</LoginHandler>

The default duration of the authentication is 30 minutes (https://wiki.shibboleth.net/confluence/display/SHIB2/IdPAuthUserPass)

To change that time, add the optional attribute authenticationDuration inside the handler definition:

<!--  Username/password login handler with 8 hour duration  —>
<LoginHandler xsi:type="UsernamePassword"
    jaasConfigurationLocation="file:///opt/shibboleth-idp/conf/login.config"
    authenticationDuration=“480” >
    
   <AuthenticationMethod>
       urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
   </AuthenticationMethod>

</LoginHandler>

The session lifetime is determined in the shibboleth.SessionManager bean

from the Shibboleth 2.0 wiki:

The session lifetime is configured in the IDP_HOME/conf/internal.xml file. Locate the shibboleth.SessionManager bean. Its second constructor argument is the inactivity timeout, in milliseconds, for the session. By default it is 30 minutes.

Admittedly, this is a totally confusing and poorly represented setting. It will be changed in a future release.

In the xml below, the session lifetime is set at 8 hours (480 min x 60 sec/min x 1000 msec/sec = 28800000 msec):

<bean id="shibboleth.SessionManager"
          class="edu.internet2.middleware.shibboleth.idp.session.impl.SessionManagerImpl"
          depends-on="shibboleth.LogbackLogging">
       <constructor-arg ref="shibboleth.StorageService" />
       <constructor-arg value="28800000" type="long" />
</bean>