SAML2 IDP session timeout and SLO
We have a SAML2 IDP configured with a session inactivity time-out of 30 min. After the Single Sign-On the user is successfully logged on to the SP. Now the SP is also configured for SAML Single Logout (SLO). It appears that even as users are working in the SP app, the session time-out happens. I was wondering if this is happening due to the session inactivity set up @ IDP. I would like to understand how the IDP knows that the user sessions are active @ SP so that it doesn't issue a SLO. Any ideas?

Symptomatic answered 26/7, 2014 at 2:34 Comment(2)
I would say that this is not really a part of the SAML spec and depends on how your IDP is built. What software are you using for the IDP? - Furuncle
Currently I am testing this with MS ADFS. However, the session time-out for the IDP was a more general question!! - Symptomatic
In most cases IDP implementations don't invoke single logout when the IDP's session expires. One of the reasons is that many SP implementations don't support single logout over the back channel (using a SOAP call), and that's the only binding available in this situation.

It is likely that your SP session expires because it follows the parameter sessionNotOnOrAfter, which is included in the Authentication statement of the Assertion included in the SAML Response message sent from the IDP during single sign-on.

So to answer your question: your SP sessions are likely expiring due to settings of your IDP (which define the value to be sent in sessionNotOnOrAfter), but the IDP probably doesn't issue single logout and doesn't communicate with your SP in any way (so it's also unaware whether the SP session is still in use or not).

You might want to look into your SP configuration and see whether you can alter its behavior regarding the sessionNotOnOrAfter property, or change the value provided by the IDP.

This is an educated guess; your environment might be behaving differently than I'm presuming. As Stefan already commented, this behavior is not standardized.

Prosperity answered 27/7, 2014 at 18:53 Comment(2)
That makes sense. I'll check that. Regarding your first statement, do you mean to say that the SLO is always executed via back-channel? In the current case I am using front-end SSO using the SAML web profile. My SP has a SLO end-point to which an HTTP POST / redirect can be done. - Symptomatic
No, what I mean is that when the IDP's session expires, the only binding which can be used to deliver SLO to SPs is through the back-channel. The expiration happens in a situation when the user typically isn't interacting with the IDP, and the IDP therefore cannot use a front-end binding, as that would require availability of the user agent (= web browser). Of course, when the user explicitly invokes single logout (= not during expiration, but by e.g. clicking a logout button) IDPs and SPs can use front-channel bindings to execute it. - Thicket
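To check the answer's hypothesis on a real SAML Response, a small added script (not from the original post or any SAML library) that pulls SessionNotOnOrAfter out of the AuthnStatement and reports how long the SP is allowed to keep the session; the embedded Response, the issuer URL and the timestamps are constructed sample values, not taken from the questioner's ADFS setup.

```python
"""Inspect a SAML 2.0 Response to see which IdP-issued value bounds the SP session."""
from datetime import datetime
import xml.etree.ElementTree as ET  # use defusedxml for untrusted input in production

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed sample: a minimal, unsigned Response whose AuthnStatement carries
# SessionNotOnOrAfter = AuthnInstant + 30 min, i.e. the IdP's inactivity setting.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
    IssueInstant="2014-07-27T18:00:00Z">
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2014-07-27T18:00:00Z">
    <saml:Issuer>https://idp.example.test/adfs/services/trust</saml:Issuer>
    <saml:Conditions NotBefore="2014-07-27T17:59:00Z" NotOnOrAfter="2014-07-27T18:05:00Z"/>
    <saml:AuthnStatement AuthnInstant="2014-07-27T18:00:00Z"
        SessionIndex="_s1" SessionNotOnOrAfter="2014-07-27T18:30:00Z"/>
  </saml:Assertion>
</samlp:Response>"""


def _parse_ts(value):
    # SAML timestamps are xs:dateTime in UTC with a trailing "Z".
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def session_bounds(response_xml):
    """Return AuthnInstant, SessionNotOnOrAfter (or None) and SessionIndex of the first AuthnStatement."""
    stmt = ET.fromstring(response_xml).find(".//saml:AuthnStatement", NS)
    if stmt is None:
        raise ValueError("no AuthnStatement in assertion")
    snoa = stmt.get("SessionNotOnOrAfter")
    return {
        "authn_instant": _parse_ts(stmt.get("AuthnInstant")),
        "session_not_on_or_after": _parse_ts(snoa) if snoa else None,
        "session_index": stmt.get("SessionIndex"),
    }


def idp_session_lifetime(response_xml):
    """Seconds between AuthnInstant and SessionNotOnOrAfter; None if the IdP set no bound."""
    b = session_bounds(response_xml)
    if b["session_not_on_or_after"] is None:
        return None
    return int((b["session_not_on_or_after"] - b["authn_instant"]).total_seconds())


def sp_session_remaining(response_xml, now_iso):
    """Seconds the SP may still honour the session at now_iso, regardless of user activity at the SP."""
    b = session_bounds(response_xml)
    if b["session_not_on_or_after"] is None:
        return None
    return max(0, int((b["session_not_on_or_after"] - _parse_ts(now_iso)).total_seconds()))
```

If the lifetime reported equals the IdP's configured inactivity time-out (1800 s here), the SP is honouring SessionNotOnOrAfter and no SLO message is involved; activity at the SP cannot extend it unless the IdP value or the SP's handling of it is changed.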
