You can manage the duration of the authentication session at the Service Provider. The SessionNotOnOrAfter attribute is an optional attribute that the IdP can include in the <AuthnStatement> of an assertion.
Note: The SessionNotOnOrAfter parameter is different from the NotOnOrAfter parameter, which determines how long the assertion is valid.
Specifying the session duration keeps a user from having to authenticate again because the session at the SP is too brief. A third-party SP can use the SessionNotOnOrAfter value to set its own timeout values, which helps ensure that sessions are not too short. If a user session becomes invalid, the user has to reauthenticate at the Identity Provider. To create a seamless experience for the user, manage the sessions at the SP accordingly.
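The following sketch shows how an SP could treat the two attributes differently. It is an added example, not code from the product documentation. It assumes the assertion signature has already been verified, that timestamps use whole seconds in UTC, and that the SP policy is to take the earlier of a local maximum and SessionNotOnOrAfter; `sp_session_expiry` and `local_max` are hypothetical names.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion (signature and most elements omitted).
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                ID="_example" Version="2.0" IssueInstant="2013-01-01T12:00:00Z">
  <saml:Conditions NotBefore="2013-01-01T11:59:00Z"
                   NotOnOrAfter="2013-01-01T12:05:00Z"/>
  <saml:AuthnStatement AuthnInstant="2013-01-01T12:00:00Z"
                       SessionNotOnOrAfter="2013-01-01T20:00:00Z"/>
</saml:Assertion>
"""

def _parse_utc(value):
    # Assumption: xs:dateTime in UTC without fractional seconds.
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def sp_session_expiry(assertion_xml, now, local_max=timedelta(hours=12)):
    """Return the time at which the SP session should end.

    Raises ValueError if the assertion or the IdP session has already expired.
    """
    root = ET.fromstring(assertion_xml)

    # NotOnOrAfter limits how long the assertion itself may be accepted.
    cond = root.find("saml:Conditions", NS)
    if cond is not None and cond.get("NotOnOrAfter"):
        if now >= _parse_utc(cond.get("NotOnOrAfter")):
            raise ValueError("assertion expired")

    # Start from the SP's own maximum session length (assumed policy).
    expiry = now + local_max

    # SessionNotOnOrAfter is optional; when present, use it to bound the session.
    stmt = root.find("saml:AuthnStatement", NS)
    if stmt is not None and stmt.get("SessionNotOnOrAfter"):
        session_end = _parse_utc(stmt.get("SessionNotOnOrAfter"))
        if now >= session_end:
            raise ValueError("session already ended at IdP")
        expiry = min(expiry, session_end)
    return expiry
```
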
The following graphic shows the configuration steps at the IdP and the resulting action that the third-party SP takes.

Copyright © 2013 CA. All rights reserved.