Confirmed users
502
edits
Security/Guidelines/SAML: Difference between revisions
Relax session for SAML since there are many cases where expiration may not work, by making it possible to ask for an exception
Gdestuynder (talk | contribs) (link fix) |
Gdestuynder (talk | contribs) (Relax session for SAML since there are many cases where expiration may not work, by making it possible to ask for an exception) |
||
| Line 119: | Line 119: | ||
* The web application (SP/RP) '''must''' invalidate the user session when the <code>SAML SubjectConfirmationData</code> part of the assertion reaches expiration (<code>NotOnOrAfter</code>) or sooner (the expiration time is a UTC timestamp such as <code><saml:SubjectConfirmationData NotOnOrAfter="2016-12-22T00:09:09.891Z" Recipient="https://rp.example.net/saml/response"/></code>). | * The web application (SP/RP) '''must''' invalidate the user session when the <code>SAML SubjectConfirmationData</code> part of the assertion reaches expiration (<code>NotOnOrAfter</code>) or sooner (the expiration time is a UTC timestamp such as <code><saml:SubjectConfirmationData NotOnOrAfter="2016-12-22T00:09:09.891Z" Recipient="https://rp.example.net/saml/response"/></code>). | ||
* If the user's complete session duration is longer than '''15 minutes''', ''' | * If the user's complete session duration is longer than '''15 minutes''', '''should''' re-check/update the assertion every ''15 minutes'' or next user request (whichever comes first), to ensure that the user is still valid and has correct permissions. This is done by authenticating with SAML2 using the <code>IsPassive</code> parameter in the <code>SAML AuthnRequest</code>. | ||
** This ensures that access is revoked within ''15 minutes'' in the event that the user's account is disabled by the SAML IdP. | ** This ensures that access is revoked within ''15 minutes'' in the event that the user's account is disabled by the SAML IdP. | ||
** This renews the assertion expiration time, and provides new attributes if they have changed. | ** This renews the assertion expiration time, and provides new attributes if they have changed. | ||
** If <code>IsPassive</code> is not supported, the session may expire after 24h, after careful investigation. This setup is however not recommended and is reserved for specific exceptions. | |||
* The web application (SP/RP) can '''optionally''' provide a <code>logout</code> URL, which the SAML IdP can call to indicate if a user has logged out (so that the web application immediately know when to log the user out as well). | * The web application (SP/RP) can '''optionally''' provide a <code>logout</code> URL, which the SAML IdP can call to indicate if a user has logged out (so that the web application immediately know when to log the user out as well). | ||