
List:       shibboleth-users
Subject:    Re: reuse condition vs. maximumTimeSinceAuthn
From:       "Cantor, Scott via users" <users () shibboleth ! net>
Date:       2024-03-20 13:28:17
Message-ID: 9EA1E5DD-D758-4DAC-BAFF-5C8E90132210 () osu ! edu

> But that would be plan b, since maximumTimeSinceAuthn sounds exactly like what I
> need. 

It's not, that's a SAML proxy setting equivalent to the same setting in the SP
(as the IdP is operating as one when it proxies). It controls validation based
on the AuthnInstant in the assertion.

There is, in point of fact, no such thing in the IdP as a "session lifetime",
only sliding windows based on inactivity. The relevant setting is the
authentication flow result lifetime (or timeout), which the reuseCondition
overrides/supplements, and that's not at the session level, it's at the
individual flow result level.

-- Scott
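
A simplified model of the distinction drawn in the message above, added here as an illustration; it is not code from the Shibboleth IdP or from the author. The class and function names are hypothetical, and treating the reuse condition as an extra check on top of the two timers is an assumption of the model.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Optional

@dataclass
class FlowResult:
    """One authentication flow result (hypothetical model, not IdP code)."""
    flow_id: str
    authn_instant: datetime
    last_activity: datetime

@dataclass
class FlowPolicy:
    lifetime: Optional[timedelta]            # absolute, measured from authn_instant
    inactivity_timeout: Optional[timedelta]  # sliding, measured from last_activity
    reuse_condition: Callable[[FlowResult, datetime], bool] = lambda r, now: True

def can_reuse(result: FlowResult, policy: FlowPolicy, now: datetime) -> bool:
    """Decide per flow result; a successful reuse slides the inactivity window."""
    if policy.lifetime is not None and now - result.authn_instant >= policy.lifetime:
        return False
    if (policy.inactivity_timeout is not None
            and now - result.last_activity >= policy.inactivity_timeout):
        return False
    if not policy.reuse_condition(result, now):  # assumption: applied as a supplement
        return False
    result.last_activity = now
    return True

def proxy_accepts(assertion_authn_instant: datetime,
                  max_time_since_authn: timedelta, now: datetime) -> bool:
    """Proxy/SP-side check: validates the AuthnInstant of an inbound assertion."""
    return now - assertion_authn_instant <= max_time_since_authn

def demo() -> dict:
    t0 = datetime(2024, 3, 20, 9, 0, tzinfo=timezone.utc)  # constructed sample time
    hour, half = timedelta(hours=1), timedelta(minutes=30)
    policies = {
        "sliding_only": FlowPolicy(lifetime=None, inactivity_timeout=half),
        # Reuse condition caps the result at two hours since authentication.
        "capped": FlowPolicy(lifetime=None, inactivity_timeout=half,
                             reuse_condition=lambda r, now: now - r.authn_instant < 2 * hour),
    }
    out = {}
    for name, policy in policies.items():
        result = FlowResult("authn/Password", t0, t0)
        # One request every 20 minutes for 4 hours keeps the sliding window open.
        out[name] = [can_reuse(result, policy, t0 + timedelta(minutes=20 * i))
                     for i in range(1, 13)]
    # The proxy check only looks at the upstream assertion, not at IdP activity.
    out["proxy"] = proxy_accepts(t0, 2 * hour, t0 + 3 * hour)
    return out
```

With only the sliding window, steady activity keeps the result reusable indefinitely; the added reuse condition is what ends reuse at a fixed age.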



