When the SiteMinder IdP sends an assertion, by default it includes the SessionNotOnOrAfter parameter in the Authentication statement of the assertion. A third-party SP can use the SessionNotOnOrAfter value to set its own session timeout, which determines when a user session becomes invalid and the user has to reauthenticate at the IdP.
Important! If SiteMinder is acting as an SP, it ignores the SessionNotOnOrAfter value. Instead, a SiteMinder SP sets session timeouts based on the realm timeout that corresponds to the configured SAML authentication scheme that protects the target resource.
Note: The SessionNotOnOrAfter parameter is different from the NotOnOrAfter parameter, which is used to determine assertion validity and skew time.
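How a third-party SP might apply the two values described above, as an added example that is not CA or SiteMinder code: NotOnOrAfter decides whether the assertion is accepted, and SessionNotOnOrAfter caps the local session. The function name, the `local_max` and `skew` parameters, and the sample assertion are assumptions made for illustration, and the assertion signature is assumed to have been verified before this code runs.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion (signature and most elements omitted).
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                ID="_constructed" Version="2.0" IssueInstant="2011-06-01T12:00:00Z">
  <saml:Conditions NotBefore="2011-06-01T11:59:30Z" NotOnOrAfter="2011-06-01T12:01:00Z"/>
  <saml:AuthnStatement AuthnInstant="2011-06-01T12:00:00Z" SessionNotOnOrAfter="2011-06-01T13:00:00Z"/>
</saml:Assertion>"""


def _parse_ts(value):
    # SAML timestamps are UTC xs:dateTime values, optionally with fractional seconds.
    fmt = "%Y-%m-%dT%H:%M:%S.%fZ" if "." in value else "%Y-%m-%dT%H:%M:%SZ"
    return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)


def sp_session_expiry(assertion_xml, now, local_max, skew=timedelta(seconds=30)):
    """Return when the SP session must end; raise ValueError if nothing valid remains."""
    root = ET.fromstring(assertion_xml)

    # Conditions/NotOnOrAfter: is the assertion itself still acceptable (with skew)?
    cond = root.find("saml:Conditions", NS)
    if cond is not None and cond.get("NotOnOrAfter"):
        if now >= _parse_ts(cond.get("NotOnOrAfter")) + skew:
            raise ValueError("assertion expired")

    # Start from the SP's own maximum session lifetime.
    expiry = now + local_max

    # AuthnStatement/SessionNotOnOrAfter: upper bound on the session.
    # The attribute is absent when the IdP is configured to omit it.
    stmt = root.find("saml:AuthnStatement", NS)
    if stmt is not None and stmt.get("SessionNotOnOrAfter"):
        expiry = min(expiry, _parse_ts(stmt.get("SessionNotOnOrAfter")))

    if expiry <= now:
        raise ValueError("session already expired at the IdP")
    return expiry
```

Taking the minimum means the SP never keeps a session alive past the time the IdP asserted, while a shorter local policy still wins.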
To customize the SessionNotOnOrAfter parameter
The Customize Validity duration dialog displays.
The options are:
Calculates the SessionNotOnOrAfter value based on the assertion validity duration.
Instructs the IdP not to include the SessionNotOnOrAfter parameter in the assertion.
Calculates the SessionNotOnOrAfter value based on the IdP session timeout. The timeout is configured in the IdP realm for the authentication URL. Using this option can synchronize the IdP and SP session timeout values.
Lets you specify a custom value for the SessionNotOnOrAfter parameter in the assertion. If you select this option, enter a time in the SAML_SP_CUSTOM_TIME_OUT property.
Note: Click Help for a description of fields, controls, and their respective requirements.
Copyright © 2011 CA. All rights reserved.