

Configure an Assertion for One Time Use

SiteMinder can generate an assertion that is intended for one-time use by the relying party, so the relying party must request a new assertion each time it needs one. Restricting an assertion to a single use helps ensure that authentication decisions are based on current information rather than on a replayed assertion.

To generate an assertion with a one time use condition

  1. Log on to the FSS Administrative UI.
  2. Select the Service Provider you want to modify or create one.
  3. Navigate to the Advanced tab.
  4. Select the Set OneTimeUse Condition check box.
  5. Click OK.

The asserting party can now generate an assertion that includes the condition element for its one time use.

Customize the Session Duration in the Assertion

When the SiteMinder IdP sends an assertion, by default it includes the SessionNotOnOrAfter parameter in the Authentication statement of the assertion. A third-party SP can use the SessionNotOnOrAfter value to set its own timeout values. The timeout values determine when a user session becomes invalid, after which the user is sent back to the IdP to reauthenticate.

Important! If SiteMinder is acting as an SP, it ignores the SessionNotOnOrAfter value. Instead, a SiteMinder SP sets session timeouts based on the realm timeout that corresponds to the configured SAML authentication scheme that protects the target resource.

Note: The SessionNotOnOrAfter parameter is different from the NotOnOrAfter parameter, which is used to determine assertion validity and skew time.

To customize the SessionNotOnOrAfter parameter

  1. Log on to the UI.
  2. Select the Service Provider entry that you want to modify.
  3. Navigate to the Advanced tab.
  4. Select Customize Validity duration in the Advanced SSO Configuration section of the dialog.

    The Customize Validity duration dialog displays.

  5. Select a value for the SP Session Validity Duration. The value that you enter is the value of the SessionNotOnOrAfter parameter in the assertion.

    The options are:

    Use Assertion Validity

    Calculates the SessionNotOnOrAfter value that is based on the assertion validity duration.

    Omit

    Instructs the IdP not to include the SessionNotOnOrAfter parameter in the assertion.

    IDP Session

    Calculates the SessionNotOnOrAfter value that is based on the IdP session timeout. The timeout is configured in the IdP realm for the authentication URL. Using this option can synchronize the IdP and SP session timeout values.

    Custom

    Lets you specify a custom value for the SessionNotOnOrAfter parameter in the assertion. If you select this option, enter a time in the Customize Assertion Session Duration field.

    Note: Click Help for a description of fields, controls, and their respective requirements.

  6. Click OK to save the changes.
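The following is an added example, not part of the SiteMinder documentation, showing how a relying party would enforce the two controls described above: the OneTimeUse condition (accept a given assertion ID only once) and the distinction between Conditions/NotOnOrAfter (assertion validity, widened by skew) and AuthnStatement/SessionNotOnOrAfter (SP session timeout). The assertion XML, issuer, ID and timestamps are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion (not produced by any real IdP); values are made up.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_a1b2c3" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
  <saml:Issuer>https://idp.example.test</saml:Issuer>
  <saml:Conditions NotBefore="2024-01-01T12:00:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
    <saml:OneTimeUse/>
  </saml:Conditions>
  <saml:AuthnStatement AuthnInstant="2024-01-01T12:00:00Z" SessionNotOnOrAfter="2024-01-01T13:00:00Z"/>
</saml:Assertion>"""


def _ts(value):
    """Parse the UTC xs:dateTime form used in the sample into an aware datetime."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


class AssertionPolicy:
    """Relying-party evaluation of the timing and one-time-use controls on an assertion."""

    def __init__(self, skew_seconds=60):
        self.skew = timedelta(seconds=skew_seconds)
        # Replay cache of accepted OneTimeUse assertion IDs. In production, entries
        # can be evicted once NotOnOrAfter + skew has passed for that assertion.
        self.seen_ids = set()

    def evaluate(self, xml_text, now):
        """Return (status, session_end); session_end is None unless accepted and present."""
        root = ET.fromstring(xml_text)
        cond = root.find("saml:Conditions", NS)
        if cond is not None:
            # NotBefore/NotOnOrAfter bound the assertion's validity, widened by the skew.
            nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
            if nb and now < _ts(nb) - self.skew:
                return "rejected: not yet valid", None
            if noa and now >= _ts(noa) + self.skew:
                return "rejected: assertion expired", None
            # OneTimeUse: the same assertion ID must never be accepted twice.
            if cond.find("saml:OneTimeUse", NS) is not None:
                if root.get("ID") in self.seen_ids:
                    return "rejected: one-time-use assertion replayed", None
                self.seen_ids.add(root.get("ID"))
        # SessionNotOnOrAfter bounds the SP session, not the assertion itself;
        # when the IdP omits it, the SP falls back to its own session timeout.
        authn = root.find("saml:AuthnStatement", NS)
        session_end = None
        if authn is not None and authn.get("SessionNotOnOrAfter"):
            session_end = _ts(authn.get("SessionNotOnOrAfter"))
        return "accepted", session_end
```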