Reputation: 121
We are using the Spring SAML extension to provide SSO support to our customers. It's working fine with our dev environment IDP (Okta). However, one of our clients is using Tivoli as the IDP, and we are running into a problem where, after a certain amount of time, users start getting an "unable to authenticate" error.
Based on our research, we found out that Tivoli is setting the SessionNotOnOrAfter attribute on
<saml:AuthnStatement AuthnInstant="2015-09-14T20:14:14Z" SessionIndex="xxxx" SessionNotOnOrAfter="2015-09-14T21:14:14Z">
in our SAML assertion response.
I would like to know what options we have as the SP to handle this scenario. Should we prompt users to re-authenticate whenever they run into the issue, or is there a way to set up our application so that it refreshes the session automatically?
Thanks, Sahil
Upvotes: 0
Views: 2091
Reputation: 61
This SessionNotOnOrAfter attribute will expire the payload. The SP should not receive the same payload forever; if it did, there would be a lot of chance for a man-in-the-middle attack.
The SP should implement KeepAlive functionality to ping back the IDP, asking it to extend the session for the same payload. The IDP can then update this attribute with the current date and time stamp.
Upvotes: 1
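Whichever option the SP chooses, it first has to read the limit the IdP set and act before it lapses rather than waiting for the next "unable to authenticate" error. The following is an added example, not code from the question, the answer or the Spring SAML project: it parses the AuthnStatement from the question (SessionIndex and the issuer are placeholders) and classifies the SP session so the application can schedule a fresh AuthnRequest before the IdP session limit. The five-minute renewal margin is an assumption.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed sample assertion carrying the AuthnStatement quoted in the question.
# SessionIndex "xxxx" and the issuer URL are placeholders, not real values.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML_NS}" Version="2.0" ID="_example" IssueInstant="2015-09-14T20:14:14Z">
  <saml:Issuer>https://idp.example.invalid</saml:Issuer>
  <saml:AuthnStatement AuthnInstant="2015-09-14T20:14:14Z" SessionIndex="xxxx"
                       SessionNotOnOrAfter="2015-09-14T21:14:14Z"/>
</saml:Assertion>"""


def parse_saml_instant(value):
    """SAML timestamps are xsd:dateTime in UTC, normally 'Z'-suffixed; return an aware UTC datetime."""
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    return datetime.fromisoformat(value).astimezone(timezone.utc)


def session_not_on_or_after(assertion_xml):
    """Earliest SessionNotOnOrAfter across all AuthnStatements, or None if the IdP set none."""
    root = ET.fromstring(assertion_xml)
    limits = []
    for stmt in root.iter(f"{{{SAML_NS}}}AuthnStatement"):
        raw = stmt.get("SessionNotOnOrAfter")
        if raw:
            limits.append(parse_saml_instant(raw))
    return min(limits) if limits else None


def session_state(assertion_xml, now, reauth_margin=timedelta(minutes=5)):
    """Classify the SP session against the IdP limit: 'unbounded', 'valid', 'renew-soon' or 'expired'.

    'renew-soon' is the point at which the SP should start a new AuthnRequest (or the
    KeepAlive exchange described in the answer) so the user is never left with a
    local session the IdP already considers dead.
    """
    limit = session_not_on_or_after(assertion_xml)
    if limit is None:
        return "unbounded"
    if now >= limit:
        # NotOnOrAfter is inclusive: at the instant itself the session is already invalid.
        return "expired"
    if now + reauth_margin >= limit:
        return "renew-soon"
    return "valid"
```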