Synchronizing OpenSSO SAMLv2 Sessions Doesn't Make Me Anxious Anymore

After a successful SAMLv2 single sign-on, sessions are created on both the identity provider side and the service provider side. The sessions are independent of each other, each with its own maximum session timeout and idle timeout values, so if one session times out or is destroyed locally, the other is not notified. This results in an inconsistent session state between the two providers. For the upcoming Express Build 8 release, OpenSSO has added a new configuration property to support session synchronization between the two providers. The service provider will notify the identity provider when a session is refreshed (by access) or at a fixed interval.

The Session Synchronization attribute (available only in builds later than OpenSSO Enterprise 8.0) is displayed only after a SAMLv2 hosted identity or service provider configuration has been created. See Part II, Federation, Web Services, and SAML Administration, in the OpenSSO Enterprise 8.0 Administration Guide. Following that, under the Federation tab, click the name of the appropriate provider to display its attributes. Under the Advanced tab is the Session Synchronization attribute, which can be enabled for a hosted SAMLv2 provider. If session synchronization is enabled for the hosted identity provider and a session times out (because it hits the maximum idle timeout value or the maximum session time value), the identity provider sends a SOAP logout request to all affected service providers. If session synchronization is enabled for the hosted service provider, it sends a SOAP logout request to all affected identity providers.

A few weeks back, I posted an article on one time password authentication with a musical clip of The Beautiful South. The Beautiful South was one fork that grew after the breakup of The Housemartins. (The other was Fatboy Slim.) In that vein, here is an excellent live clip of The Housemartins performing Anxious from their debut LP.

I miss The Housemartins.

Comments:

Hi,
I do understand that the IdP or SP sends logout SAML messages if the session expired either at the IdP or SP.
But what message is used to keep the session alive between the IdP and SP? Is it SAML?

Thanks

Posted by Yannick on July 01, 2009 at 04:52 AM PDT #

Yannick, there was an RFE for what you are referring to, but it has not been implemented yet. For now, the max session timeout and max idle timeout attribute values are the parameters that control the validity of a session.

hth.

Posted by Michael Teger on July 06, 2009 at 04:46 AM PDT #

Hi Michael,
Do you have a recommendation on how the logout request should be handled by the receiving party? Since it is not initiated by a user, the user might be busy filling out some form at an SP, and would probably not be too happy if an idle timeout at the IdP results in his session with the SP being terminated while he is in the middle of something. Similarly, should the IdP propagate a logout request to all SPs if one SP has timed out?

Thanks

Posted by Steinar on July 06, 2009 at 08:28 PM PDT #

Steinar,

Regarding your first question, there is a special flag at both the IDP and the SP side for enabling the Session Synchronization between IDP and SP.

Regarding the propagation question, it depends on whether the session sync flag on the IDP side is enabled. If it is, then the SP initiating SLO sends to the IDP, which sends to all SPs. If not, only the SP that is initiating the SLO and the relevant IDP session will be removed. Other SPs will not have their sessions destroyed.

hth.

Posted by Michael Teger on July 27, 2009 at 05:18 AM PDT #
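To make the timeout and propagation rules from the post and from Michael's answer above concrete, here is an added Python model (not OpenSSO code; the Session and Federation classes, the timeout values and the sp1/sp2 names are constructed for illustration). It keeps one independent session per provider, applies the two Session Synchronization flags, and records which SOAP LogoutRequests would be sent so the resulting consistent or inconsistent state can be inspected.

```python
from dataclasses import dataclass

@dataclass
class Session:
    """A provider-local session; each side keeps its own timeouts (seconds)."""
    max_session: int
    max_idle: int
    created: int
    last_access: int
    alive: bool = True

    def expired(self, now):
        return (now - self.created >= self.max_session
                or now - self.last_access >= self.max_idle)

class Federation:
    """IdP plus SP sessions from one SAMLv2 SSO, with the two sync flags (constructed model)."""
    def __init__(self, idp_sync, sp_sync):
        self.idp_sync, self.sp_sync = idp_sync, sp_sync
        self.idp = None
        self.sps = {}
        self.logouts = []  # (sender, receiver): SOAP LogoutRequests that would go on the wire

    def sso(self, sp, now, idp_timeouts=(3600, 1800), sp_timeouts=(3600, 600)):
        if self.idp is None:
            self.idp = Session(*idp_timeouts, created=now, last_access=now)
        self.sps[sp] = Session(*sp_timeouts, created=now, last_access=now)

    def _idp_logout_all(self, origin=None):
        """IdP-side SLO: with idp_sync on, every other live SP session is told to log out."""
        self.idp.alive = False
        if self.idp_sync:
            for name, s in self.sps.items():
                if name != origin and s.alive:
                    self.logouts.append(("idp", name)); s.alive = False

    def tick(self, now):
        """Apply local expirations, then the notification rules described in the post."""
        for name, s in self.sps.items():
            if s.alive and s.expired(now):
                s.alive = False
                if self.sp_sync:                         # SP notifies the IdP only with sync on
                    self.logouts.append((name, "idp"))
                    if self.idp.alive:
                        self._idp_logout_all(origin=name)
        if self.idp.alive and self.idp.expired(now):     # IdP notifies SPs only with idp_sync
            self._idp_logout_all()

    def inconsistent(self):
        """SPs whose session state differs from the IdP's: the problem sync is meant to remove."""
        return sorted(n for n, s in self.sps.items() if s.alive != self.idp.alive)

def run(idp_sync, sp_sync):
    """Constructed scenario: sp1 goes idle while the user keeps working at sp2."""
    fed = Federation(idp_sync, sp_sync)
    fed.sso("sp1", now=0); fed.sso("sp2", now=0)
    fed.sps["sp2"].last_access = 500    # activity at sp2 only
    fed.tick(now=700)                   # sp1 idle limit (600s) hit; IdP idle limit (1800s) not
    return fed.inconsistent(), fed.logouts
```

With neither flag set, run() reports sp1 dead locally while the IdP still considers it live; with only the SP flag set, the IdP session is removed but sp2 is left behind, which is exactly the case Michael describes.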
