How to Manage the Authentication Session Duration at a Service Provider
You can manage the duration of the authentication session at the Service Provider. The SessionNotOnOrAfter attribute is an optional attribute that the IdP can include in the <AuthnStatement> of an assertion.
Note: The SessionNotOnOrAfter parameter is different from the NotOnOrAfter parameter, which determines how long the assertion is valid.
The point of controlling session duration is to avoid forcing a user to authenticate again because the session at the SP is too brief. A third-party SP can use the SessionNotOnOrAfter value to set its own timeout values, helping to ensure that sessions are not too short. If a user session becomes invalid, the user has to reauthenticate at the Identity Provider. To create a seamless experience for the user, manage the sessions at the SP accordingly.
The following graphic shows the configuration steps at the IdP and the resulting action that the third-party SP takes.

The session duration is configured at the IdP. The assertion sent to the SP includes the session attribute that the SP uses to set timeout values for the SP site.
Important! If CA SiteMinder® Federation Standalone is acting as an SP, it ignores the SessionNotOnOrAfter value. Instead, the SP sets session timeouts from the realm timeout that corresponds to the SAML authentication scheme protecting the target resource.
Follow these steps:
Note: Click Help for a description of fields, controls, and their respective requirements.
Based on the configuration, a session attribute is placed in the assertion and sent to the SP.
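The following is an added example, not CA SiteMinder code, showing how a third-party SP could act on the session attribute described above: it treats Conditions/NotOnOrAfter as the assertion validity window and SessionNotOnOrAfter as the input to its own session timeout, falling back to a local default when the IdP omits the attribute. The assertion XML, the default lifetime and the policy cap are constructed assumptions.

```python
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion (not from a real IdP). The IdP placed
# SessionNotOnOrAfter in the AuthnStatement; Conditions/NotOnOrAfter
# limits how long the assertion itself may be accepted.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example" Version="2.0" IssueInstant="2014-06-01T12:00:00Z">
  <saml:Issuer>https://idp.example.com</saml:Issuer>
  <saml:Conditions NotBefore="2014-06-01T11:59:00Z" NotOnOrAfter="2014-06-01T12:05:00Z"/>
  <saml:AuthnStatement AuthnInstant="2014-06-01T12:00:00Z"
      SessionNotOnOrAfter="2014-06-01T13:00:00Z"/>
</saml:Assertion>"""


def parse_saml_time(value):
    # SAML dateTime values are UTC, for example 2014-06-01T13:00:00Z
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def sp_session_lifetime(assertion_xml, now,
                        default=timedelta(minutes=30),
                        max_lifetime=timedelta(hours=8)):
    """Return the session lifetime the SP grants, or None to refuse a session.

    Assertion validity (Conditions/NotOnOrAfter) is checked first: an expired
    assertion yields no session at all. SessionNotOnOrAfter, when present,
    drives the timeout; otherwise the SP's own default applies. The result is
    capped by the SP's policy maximum (an assumed local setting).
    """
    root = ET.fromstring(assertion_xml)
    cond = root.find("saml:Conditions", NS)
    if cond is not None and now >= parse_saml_time(cond.get("NotOnOrAfter")):
        return None  # assertion no longer valid: reject, do not start a session
    stmt = root.find("saml:AuthnStatement", NS)
    snoa = stmt.get("SessionNotOnOrAfter") if stmt is not None else None
    lifetime = parse_saml_time(snoa) - now if snoa else default
    if lifetime <= timedelta(0):
        return None  # IdP session already ended: the user must reauthenticate
    return min(lifetime, max_lifetime)
```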
Copyright © 2014 CA.
All rights reserved.