SAML2 IDP session timeout and SLO

mithrandir · Jul 26, 2014 · Viewed 16.6k times

We have a SAML2 IDP configured with a session inactivity time-out of 30 min. After the Single Sign-On the user is successfully logged on into the SP. Now the SP is also configured for SAML Single Logout (SLO). It appears that even as users are working in the SP app, the session time-out happens. I was wondering if this is happening due to the session inactivity set up at the IDP. I would like to understand how the IDP knows that the user sessions are active at the SP so that it doesn't issue an SLO. Any ideas?

Answer

Vladimír Schäfer · Jul 27, 2014

In most cases IDP implementations don't invoke single logout when the IDP's session expires. One of the reasons is that many SP implementations don't support single logout using the back channel (using a SOAP call), and that's the only binding available in this situation.

It is likely that your SP session expires because it follows the parameter sessionNotOnOrAfter, which is included in the Authentication statement of the Assertion included in the Response SAML message sent from the IDP during single sign-on.

So to answer your question: your SP sessions are likely expiring due to the settings of your IDP (which define the value to be sent in sessionNotOnOrAfter), but the IDP probably doesn't issue single logout and doesn't communicate with your SP in any way (so it's also unaware whether the SP session is still used or not).

You might want to look into your SP configuration and see whether you can alter its behavior regarding the sessionNotOnOrAfter property, or change the value provided by the IDP.

This is an educated guess; your environment might be behaving differently than I'm presuming. As Stefan already commented, this behavior is not standardized.
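The mechanism the answer describes, as an added example that is not part of the original question or answer: an SP reads `SessionNotOnOrAfter` from the `AuthnStatement` of the assertion it received at SSO time and treats it as a hard cap on its own session, so a sliding inactivity timeout keeps extending the session only until that cap is reached. The Response below is constructed and unsigned (a real SP must verify the signature before trusting any of these fields), the request timestamps and the 15-minute idle timeout are assumptions, and the helper names are mine, not those of any SP library.

```python
"""Added example: SP session lifetime capped by the IdP's SessionNotOnOrAfter."""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET  # parse untrusted XML with defusedxml in production

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed, unsigned sample Response. The IdP's 30-minute session setting
# surfaces here as SessionNotOnOrAfter = AuthnInstant + 30 min.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_resp1" Version="2.0" IssueInstant="2014-07-26T10:00:00Z">
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2014-07-26T10:00:00Z">
    <saml:Issuer>https://idp.example.org/saml</saml:Issuer>
    <saml:Conditions NotBefore="2014-07-26T09:59:00Z" NotOnOrAfter="2014-07-26T10:05:00Z"/>
    <saml:AuthnStatement AuthnInstant="2014-07-26T10:00:00Z"
        SessionIndex="_s1" SessionNotOnOrAfter="2014-07-26T10:30:00Z"/>
  </saml:Assertion>
</samlp:Response>"""


def parse_saml_time(value):
    """SAML timestamps are xsd:dateTime in UTC with a trailing Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def session_cap_from_response(xml_text):
    """Return SessionNotOnOrAfter from the first AuthnStatement, or None if the IdP omitted it.

    Note this is a different field from Conditions/NotOnOrAfter, which bounds
    how long the assertion itself may be accepted, not how long the session lasts.
    """
    root = ET.fromstring(xml_text)
    stmt = root.find(".//saml:Assertion/saml:AuthnStatement", NS)
    if stmt is None:
        raise ValueError("assertion carries no AuthnStatement")
    value = stmt.get("SessionNotOnOrAfter")
    return parse_saml_time(value) if value else None


def sp_session_expiry(last_activity, idle_timeout, session_cap):
    """Sliding inactivity window, never extended past the IdP's cap."""
    sliding = last_activity + idle_timeout
    if session_cap is None:
        return sliding
    return min(sliding, session_cap)


def session_end(activity_times, idle_timeout, session_cap):
    """Replay request timestamps; return the instant the SP session ends.

    Each request that arrives while the session is alive refreshes the sliding
    window. The first request that arrives at or after the expiry finds the
    session gone, which is exactly the "timed out while working" symptom.
    """
    expiry = None
    for t in activity_times:
        if expiry is not None and t >= expiry:
            return expiry
        expiry = sp_session_expiry(t, idle_timeout, session_cap)
    return expiry


def demo():
    """Assumed traffic: requests at 10:00, 10:10, 10:20, 10:28, 10:40; 15-minute idle timeout."""
    cap = session_cap_from_response(SAMPLE_RESPONSE)
    base = parse_saml_time("2014-07-26T10:00:00Z")
    requests = [base + timedelta(minutes=m) for m in (0, 10, 20, 28, 40)]
    idle = timedelta(minutes=15)
    return {
        # With the cap the session dies at 10:30 although the user was active at 10:28.
        "with_cap": session_end(requests, idle, cap).isoformat(),
        # Ignoring SessionNotOnOrAfter, the same traffic keeps the session alive to 10:55.
        "without_cap": session_end(requests, idle, None).isoformat(),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The two numbers in `demo()` are the whole story of the question: the user was active at 10:28, yet the request at 10:40 fails because the SP honoured the 10:30 cap the IdP set at login. Whether an SP may extend a session past `SessionNotOnOrAfter` is an SP policy decision, not something the IdP is told about, so the fix lives either in the SP's handling of that attribute or in the value the IdP emits.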