Shibboleth at NC State » Technical Documentation » Shibboleth Timeouts

Shibboleth Timeouts

1. SP Session Timeout = default 1 hour

   When a user logs in to a website protected by a Shibboleth service provider, that SP keeps a session for the user that remembers their login and attributes. Each time the user visits a protected page, that session is refreshed. If the user does not visit another page after a certain amount of time, the session will timeout, and ask the user to login again. This maximum idle time before a new login is required is the SP Session Timeout.

2. SP Session Lifetime = default 8 hours, max 10 hours for logins from shib.ncsu.edu

   Even if the user continues to visit the website and refresh their SP session, it will eventually timeout and ask them to login again. The maximum time that an SP session can be kept active is the SP Session Lifetime.

3. IdP Authn Timeout = default 1 hour on shib.ncsu.edu

   When a user attempts to log in to an SP website, that site will send them to our IdP server to check their credentials and get their attributes. The IdP also keeps a session for the user that remembers their login. If the user visits another SP and gets sent back to the same IdP, their session will be checked to see if they've already logged in within a certain amount of time. This maximum time that the login will be cached since the last visit is the IdP Authn Timeout.

4. IdP Authn Lifetime = default 10 hours on shib.ncsu.edu

   Even if the user continues to visit the IdP to log in to additional SP sites, the IdP session will eventually timeout and ask them to login again. The maximum time that an IdP session can be kept active is the IdP Authn Lifetime.

Setting SP Timeouts

The manager for each Service Provider can adjust the value of the SP Session Timeout and the SP Session Lifetime. These values are set in the shibboleth2.xml config file usually located in /etc/shibboleth. Here is the default code:

<Sessions lifetime="28800" timeout="3600" relayState="ss:mem"
          checkAddress="false" consistentAddress="true"
          handlerSSL="true" cookieProps="https"
          redirectLimit="exact+allow"
          redirectAllow="https://shib.ncsu.edu/">

The timeout="3600" setting is the SP Session Timeout in seconds.

The lifetime="28800" setting is the SP Session Lifetime in seconds. Note that each IdP has a setting that restricts how long this lifetime may be set.

IdP Settings

We have already selected the timeout values for the IdP on shib.ncsu.edu. If you are running your own IdP and need to make similar adjustments, here are the settings that we've used.

All of the IdP timeout settings are found in the shibboleth-idp/conf/idp.properties file on the server. The idp.session.timeout should always be set to be at least as long as the idp.authn.defaultLifetime.

# Inactivity timeout
idp.session.timeout = PT10H

# Default lifetime and timeout of various authentication methods
idp.authn.defaultLifetime = PT10H
idp.authn.defaultTimeout = PT60M

For more information, see the Wiki entry on Session Configuration.

---

Contact: shibboleth-help@ncsu.edu | Page last modified: March 22, 2024