Shibboleth at NC State » Technical Documentation » Shibboleth Timeouts

Shibboleth Timeouts

  1. SP Session Timeout = default 1 hour

    When a user logs in to a website protected by a Shibboleth service provider, that SP keeps a session for the user that remembers their login and attributes. Each time the user visits a protected page, that session is refreshed. If the user does not visit another page after a certain amount of time, the session will timeout, and ask the user to login again. This maximum idle time before a new login is required is the SP Session Timeout.

  2. SP Session Lifetime = default 8 hours, max 10 hours for logins from shib.ncsu.edu

    Even if the user continues to visit the website and refresh their SP session, it will eventually timeout and ask them to login again. The maximum time that an SP session can be kept active is the SP Session Lifetime.

  3. IdP Authn Timeout = default 1 hour on shib.ncsu.edu

    When a user attempts to log in to an SP website, that site will send them to our IdP server to check their credentials and get their attributes. The IdP also keeps a session for the user that remembers their login. If the user visits another SP and gets sent back to the same IdP, their session will be checked to see if they've already logged in within a certain amount of time. This maximum time that the login will be cached since the last visit is the IdP Authn Timeout.

  4. IdP Authn Lifetime = default 10 hours on shib.ncsu.edu

    Even if the user continues to visit the IdP to log in to additional SP sites, the IdP session will eventually timeout and ask them to login again. The maximum time that an IdP session can be kept active is the IdP Authn Lifetime.

Setting SP Timeouts

The manager for each Service Provider can adjust the value of the SP Session Timeout and the SP Session Lifetime. These values are set in the shibboleth2.xml config file usually located in /etc/shibboleth. Here is the default code:

<Sessions lifetime="28800" timeout="3600" relayState="ss:mem"
          checkAddress="false" 
          consistentAddress="true"
          handlerSSL="true" cookieProps="http">

The timeout="3600" setting is the SP Session Timeout in seconds.

The lifetime="28800" setting is the SP Session Lifetime in seconds. Note that each IdP has a setting that restricts how long this lifetime may be set.

IdP Settings - IdP version 3

We have already selected the timeout values for the IdP on shib.ncsu.edu. If you are running your own IdP and need to make similar adjustments, here are the settings that we've used.

All of the IdP timeout settings are found in the shibboleth-idp/conf/idp.properties file on the server. The idp.session.timeout should always be set to be at least as long as the idp.authn.defaultLifetime.

# Inactivity timeout
# idp.session.timeout = PT10H

# Default lifetime and timeout of various authentication methods
# idp.authn.defaultLifetime = PT10H
# idp.authn.defaultTimeout = PT60M

For more information, see the Wiki entry on Session Configuration.

IdP Settings - IdP version 2

These are the settings that we were using for IdP v2 prior to the IdP v3 upgrade in May 2016. These older notes are kept for reference only.

In the idp/conf/internal.xml, we have set the shibboleth.SessionManager storage lifetime to 3600000ms = 1 hour:

<bean id="shibboleth.SessionManager"
      class="edu.internet2.middleware.shibboleth.idp.session.impl.SessionManagerImpl"
      depends-on="shibboleth.LogbackLogging">
    <constructor-arg ref="shibboleth.StorageService" />
    <constructor-arg value="3600000" type="long" />
</bean>

The Username/Password authentication that we use has a default timeout of 30 minutes. In the file idp/conf/handler.xml, we have set the authenticationDuration to 1 hour:

<!--  Username/password login handler -->
<ph:LoginHandler 
        xsi:type="ph:UsernamePassword" 
        authenticationDuration="PT1H"
        jaasConfigurationLocation="file:///path/to/our/conf/login.config">
    <ph:AuthenticationMethod>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</ph:AuthenticationMethod>
</ph:LoginHandler>

In the idp/conf/relying-party.xml file, we have set our handler to tell the SPs to allow a maximum SP Session Lifetime of 10 hours:

<rp:ProfileConfiguration xsi:type="saml:SAML2SSOProfile" 
    includeAttributeStatement="true"
    assertionLifetime="PT5M"
    maximumSPSessionLifetime="PT10H"
    assertionProxyCount="0" 
    signResponses="never"
    signAssertions="always" 
    encryptAssertions="conditional"
    encryptNameIds="never" />