Version 6 (modified by dabantz@…, 11 years ago) (diff) |
---|
IAM / Projects / Shibboleth / SSO duration
Session lifetime / authentication method duration
There are two places in the IdP that control the duration of the SSO session.
see https://wiki.shibboleth.net/confluence/display/SHIB2/IdPAuthnSession —
Lifetime (duration) of the Authentication is determined in handler.xml:
<!-- Username/password login handler --> <LoginHandler xsi:type="UsernamePassword" jaasConfigurationLocation="file:///opt/shibboleth-idp/conf/login.config"> <AuthenticationMethod> urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport </AuthenticationMethod> </LoginHandler>
The default duration of the authentication is 30 minutes (https://wiki.shibboleth.net/confluence/display/SHIB2/IdPAuthUserPass)
To change that time, add the optional attribute authenticationDuration inside the handler definition:
<!-- Username/password login handler with 8 hour duration —> <LoginHandler xsi:type="UsernamePassword" jaasConfigurationLocation="file:///opt/shibboleth-idp/conf/login.config" authenticationDuration=“480” > <AuthenticationMethod> urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport </AuthenticationMethod> </LoginHandler>
N.B. Adding the Multi-Context Broker (MCB) replaces that handler with an MCB handler
that explicitly sets authenticationDuration as follows:
<ph:LoginHandler xsi:type="mcb:MultiContextBroker" authenticationDuration="PT8H0M0.000S" previousSession="true" depends-on="mcb.Configuration"> <ph:AuthenticationMethod>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</ph:AuthenticationMethod> <ph:AuthenticationMethod>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</ph:AuthenticationMethod> <ph:AuthenticationMethod>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</ph:AuthenticationMethod> <ph:AuthenticationMethod>https://iam.alaska.edu/trac/wiki/mfa</ph:AuthenticationMethod> <ph:AuthenticationMethod>urn:oasis:names:tc:SAML:2.0:ac:classes:PreviousSession</ph:AuthenticationMethod> </ph:LoginHandler>
The session lifetime is determined in the shibboleth.SessionManager bean
from the Shibboleth 2.0 wiki:
The session lifetime is configured in the IDP_HOME/conf/internal.xml file. Locate the shibboleth.SessionManager bean. Its second constructor argument is the inactivity timeout, in milliseconds, for the session. By default it is 30 minutes.
Admittedly, this is a totally confusing and poorly represented setting. It will be changed in a future release.
In the xml below, the session lifetime is set at 8 hours (480 min x 60 sec/min x 1000 msec/sec = 28800000 msec):
<bean id="shibboleth.SessionManager" class="edu.internet2.middleware.shibboleth.idp.session.impl.SessionManagerImpl" depends-on="shibboleth.LogbackLogging"> <constructor-arg ref="shibboleth.StorageService" /> <constructor-arg value="28800000" type="long" /> </bean>