Previous Topic: SAML 2.0 Entities Allowed to Initiate Single Sign-onNext Topic: Back Channel Authentication for Artifact SSO

Federation GuidesPartnership Federation GuideSingle Sign-on ConfigurationSession Validity at a Service Provider

Session Validity at a Service Provider

You can manage the duration of the authentication session at the Service Provider. The SessionNotOnOrAfter attribute is an optional attribute that the IdP can include in the <AuthnStatement> of an assertion. The configuration for session validity is done at the IdP.

Note: The SessionNotOnOrAfter parameter is different from the NotOnOrAfter parameter, which determines how long the assertion is valid.

A third-party SP can use the value of the SessionNotOnOrAfter to set its own timeout values, helping to ensure that sessions are not too short. If a user session becomes invalid, the user has to reauthenticate at the Identity Provider.

Important! If CA SiteMinder® is acting as an SP, it ignores the SessionNotOnOrAfter value. Instead, a CA SiteMinder® SP sets session timeouts from the realm timeout that corresponds to the SAML authentication scheme protecting the target resource.

Follow these steps:

  1. Log in to the Administrative UI.
  2. Select the IdP->SP partnership you want to modify.
  3. Navigate to the SSO and SLO step.
  4. In the SSO section, select the option for the SP Session Validity Duration. If you select the customize option, you can select several options.

    Click Help for the field descriptions.

  5. Select the Confirm step after you complete your changes and click Finish.