We have a SAML2 IDP configured with session inactivity time-out as 30 min. After the Single Sign on the user is successfully logged on into the SP. Now the SP is also configured for SAML Single Logout (SLO). It appears that even as users are working in the SP app, the session time out happens. I was wondering if this is happening due to session inactivity set up @ IDP. I would like to understand how the IDP knows that the user sessions are active @ SP so that it doesnt issue a SLO. Any ideas ?
In most cases IDP implementations don't invoke single logout when IDP's session expires. One of the reasons is that many SP implementations don't support single logout using backend channel (using a SOAP call) and that's the only binding available in this situation.
It is likely that your SP session expires because it follows parameter sessionNotOnOrAfter
which is included in Authentication statement
of Assertion
included in Response
SAML message sent from IDP during single sign on.
So to answer your question - your SP sessions are likely expiring due to settings of your IDP (which define value to be sent in sessionNotOnOrAfter
), but IDP probably doesn't issue single logout and doesn't communicate with your SP in any way (so it's also unaware whether SP session is still used or not).
You might want to look into your SP configuration and see whether you can alter its behavior regarding the sessionNotOnOrAfter
property, or change the value provided from IDP.
This is an educated guess, your environment might be behaving differently than I'm presuming - as Stefan already commented, this behavior is not standardized.
© 2022 - 2024 — McMap. All rights reserved.