Version 3 (modified by dabantz@…, 11 years ago)
Session lifetime / authentication method duration
There are two places in the IdP that control the duration of the SSO session.
See https://wiki.shibboleth.net/confluence/display/SHIB2/IdPAuthnSession
The lifetime (duration) of the authentication is determined in handler.xml:
<!-- Username/password login handler -->
<LoginHandler xsi:type="UsernamePassword"
              jaasConfigurationLocation="file:///opt/shibboleth-idp/conf/login.config">
    <AuthenticationMethod>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</AuthenticationMethod>
</LoginHandler>
The default duration of the authentication is 30 minutes (https://wiki.shibboleth.net/confluence/display/SHIB2/IdPAuthUserPass)
To change that time, add the optional attribute authenticationDuration inside the handler definition:
<!-- Username/password login handler with 8 hour duration -->
<LoginHandler xsi:type="UsernamePassword"
              jaasConfigurationLocation="file:///opt/shibboleth-idp/conf/login.config"
              authenticationDuration="480">
    <AuthenticationMethod>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</AuthenticationMethod>
</LoginHandler>
The session lifetime is determined in the shibboleth.SessionManager bean.
From the Shibboleth 2.0 wiki:
The session lifetime is configured in the IDP_HOME/conf/internal.xml file. Locate the shibboleth.SessionManager bean. Its second constructor argument is the inactivity timeout, in milliseconds, for the session. By default it is 30 minutes.
Admittedly, this is a totally confusing and poorly represented setting. It will be changed in a future release.
In the XML below, the session lifetime is set to 8 hours (480 min x 60 sec/min x 1000 msec/sec = 28800000 msec):
<bean id="shibboleth.SessionManager"
      class="edu.internet2.middleware.shibboleth.idp.session.impl.SessionManagerImpl"
      depends-on="shibboleth.LogbackLogging">
    <constructor-arg ref="shibboleth.StorageService" />
    <constructor-arg value="28800000" type="long" />
</bean>
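Because one setting is in minutes (handler.xml) and the other in milliseconds (internal.xml), it is easy to change one and leave the other at its default or enter it in the wrong unit. The script below is an added example, not part of the original page or of Shibboleth: it parses both files and reports where the two values disagree. The function names, the trimmed sample XML, the under-one-minute heuristic, and the idea that the two values should match are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"
DEFAULT_AUTHN_MIN = 30   # default authentication duration stated on this page
MS_PER_MIN = 60 * 1000

def _local(tag):  # element name without namespace, so namespaced files match too
    return tag.rsplit("}", 1)[-1]

def authn_minutes(handler_xml):
    """Map each LoginHandler xsi:type to its authenticationDuration (minutes)."""
    found = {}
    for el in ET.fromstring(handler_xml).iter():
        if _local(el.tag) == "LoginHandler":
            kind = el.get(XSI_TYPE, "unknown").split(":")[-1]
            found[kind] = int(el.get("authenticationDuration", DEFAULT_AUTHN_MIN))
    return found

def session_ms(internal_xml):
    """Second constructor-arg of shibboleth.SessionManager (milliseconds)."""
    for el in ET.fromstring(internal_xml).iter():
        if _local(el.tag) == "bean" and el.get("id") == "shibboleth.SessionManager":
            args = [c for c in el if _local(c.tag) == "constructor-arg"]
            return int(args[1].get("value"))
    raise ValueError("shibboleth.SessionManager bean not found")

def compare(handler_xml, internal_xml):
    """Findings where the settings disagree (assumed: they are meant to match)."""
    timeout = session_ms(internal_xml)
    findings = []
    if timeout < MS_PER_MIN:  # heuristic: minutes typed into a millisecond field
        findings.append(f"session timeout {timeout} ms is under one minute; wrong unit?")
    for kind, minutes in authn_minutes(handler_xml).items():
        if minutes * MS_PER_MIN != timeout:
            findings.append(f"{kind}: authentication {minutes} min, session {timeout / MS_PER_MIN:g} min")
    return findings

# Constructed sample input, trimmed from the fragments on this page.
HANDLER = """<ProfileHandlerGroup xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <LoginHandler xsi:type="UsernamePassword" authenticationDuration="480"/>
</ProfileHandlerGroup>"""
INTERNAL = """<beans>
  <bean id="shibboleth.SessionManager">
    <constructor-arg ref="shibboleth.StorageService"/>
    <constructor-arg value="28800000" type="long"/>
  </bean>
</beans>"""

if __name__ == "__main__":
    print(compare(HANDLER, INTERNAL) or "settings agree")
```

To check a real deployment, pass the contents of conf/handler.xml and conf/internal.xml to `compare()` instead of the sample strings.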