...
The Shibboleth IdP uses CUWebLogin for primary authentication. A valid SSO session lasts for 10 hours. If you would like to prompt users for their NetID/password when they access your site even if they already have a valid SSO session in CUWebLogin, add forceAuthn="true" to the <Host> element.
If you would like a different timeout for some locations of your site, you can use <ApplicationOverride>. You can also add forceAuthn="true" to a <Path> element to force authentication.
```xml
    <Path name="myappfolder" applicationId="myappname" />
  </Host>
</RequestMap>
...
<ApplicationDefaults ...>
  ...
  <ApplicationOverride id="myappname">
    <Sessions lifetime="3600" timeout="600" checkAddress="false" handlerURL="/myappfolder/Shibboleth.sso" />
  </ApplicationOverride>
</ApplicationDefaults>
```
Make sure that the metadata you provide for the SP includes the necessary endpoints of this handler. In this example, the metadata should have this AssertionConsumerService URL:
<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://www.example.org/myappfolder/Shibboleth.sso/SAML2/POST" index="5" />
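One way to check this before submitting metadata, as an added example (not part of the original page or of Shibboleth itself): the script below reads every `handlerURL` set in an `<ApplicationOverride>` and reports overrides with no AssertionConsumerService endpoint under that handler. The `<SPConfig>` wrapper, the `entityID`, and the function names are assumptions made for the sample; the override and the endpoint are the ones shown above.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

MD_NS = "{urn:oasis:names:tc:SAML:2.0:metadata}"
# Constructed sample config: this page's override inside an assumed minimal wrapper.
SP_CONFIG = """<SPConfig>
  <ApplicationDefaults entityID="https://www.example.org/shibboleth">
    <ApplicationOverride id="myappname">
      <Sessions lifetime="3600" timeout="600" checkAddress="false"
                handlerURL="/myappfolder/Shibboleth.sso"/>
    </ApplicationOverride>
  </ApplicationDefaults>
</SPConfig>"""

# Constructed sample metadata carrying the endpoint shown on this page.
METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
  <md:SPSSODescriptor>
    <md:AssertionConsumerService index="5"
        Location="https://www.example.org/myappfolder/Shibboleth.sso/SAML2/POST"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

def local(tag):
    return tag.rsplit("}", 1)[-1]  # drop any "{namespace}" prefix

def override_handlers(sp_config_xml):
    """Map each ApplicationOverride id to the path of its Sessions handlerURL."""
    handlers = {}
    for el in ET.fromstring(sp_config_xml).iter():
        if local(el.tag) != "ApplicationOverride":
            continue
        for child in el:
            if local(child.tag) == "Sessions" and child.get("handlerURL"):
                handlers[el.get("id")] = urlparse(child.get("handlerURL")).path
    return handlers

def acs_paths(metadata_xml):
    """URL paths of every AssertionConsumerService Location in the metadata."""
    root = ET.fromstring(metadata_xml)
    return [urlparse(a.get("Location", "")).path
            for a in root.iter(MD_NS + "AssertionConsumerService")]

def missing_endpoints(sp_config_xml, metadata_xml):
    """Override ids whose handler has no ACS endpoint beneath it."""
    paths = acs_paths(metadata_xml)
    return sorted(app for app, h in override_handlers(sp_config_xml).items()
                  if not any(p.startswith(h.rstrip("/") + "/") for p in paths))

if __name__ == "__main__":
    print(missing_endpoints(SP_CONFIG, METADATA) or "all overrides covered")
```

The match is a path-prefix comparison, so it confirms that an endpoint exists under the handler but not that its binding matches what the IdP will use.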
More info about ApplicationOverride.