In shibboleth2.xml, <Sessions> element controls how the SSO process is managed by the SP. Following child elements inside Sessions control timeouts:
Name | Type | Default | Description |
---|---|---|---|
timeout | seconds | 3600 (1 hour) | Maximum inactivity allowed between requests in a session maintained by the SP. This inactivity applies only to requests to this SP and is not aware of activity between the browser and other web sites . |
lifetime | seconds | 28800 (8 hours) | Maximum duration in seconds that a session maintained by the SP will be valid. |
Shibboleth IDP uses CUWebLogin for primary authentication. The valid SSO session lasts for 10 hours. If you would like to prompt user for netID/password when they access your site even if user already have valid SSO session in CUWebLogin, forceAuthn="true" should be added in <Host> element.
If you would like to have a different timeout for some locations of your site, you can use <ApplicationOverride>. You can also add forceAuthn="true" to <Path> element to force authentication.
Example of Path-Based Application Override (shibboleth2.xml)
<
RequestMap
applicationId
=
"default"
>
<
Path
name
=
"myappfolder"
applicationId
=
"myappname"
/>
</
Host
>
</
RequestMap
>
...
<
ApplicationDefaults
...>
...
<
ApplicationOverride
id
=
"myappname"
>
<
Sessions
lifetime
=
"3600"
timeout
=
"600"
checkAddress
=
"false"
handlerURL
=
"/myappfolder/Shibboleth.sso"
/>
</
ApplicationOverride
>
</
ApplicationDefaults
>
Make sure that the metadata you provide for the SP includes the necessary endpoints of this handler. In this example, metadata should have AssertionConsumerServiceURL:
<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://www.example.org/myappfolder/Shibboleth.sso/SAML2/POST" index="5" />
More info about ApplicationOverride.