2 Replies Latest reply on Feb 21, 2015 9:43 AM by pcraveiro

    SP Attribute Refresh

    kirkm

I am using SP PicketLink 2.6.1 to provide authentication and authorization to a Tomcat 7 web application. The application is receiving SAML from an OpenAM-based identity provider. At initial authentication, all is working fine: I am getting identity and role information from the IdP, and the SP is authenticating against it and provides access to the attributes. However, I was expecting to see a periodic refresh of the attributes as the SAML assertion expires (TTL is 10 minutes), which I don't see. How do I configure the SP to re-authenticate after the SAML token expires?

        • 1. Re: SP Attribute Refresh
          kirkm

Does the PicketLink SP validate the session once it is established, based on the NotOnOrAfter attribute?

          • 2. Re: SP Attribute Refresh
            pcraveiro

            Hey Kirk,


What PL does is check these time conditions when receiving a SAML Response from the IdP. If they are invalid, the SP will deny and the session will not be established. This is performed only during the first request to the SP.


Once the user is authenticated and has a valid session on the SP, PL will never check the conditions again. The session timeout is defined in your web.xml and managed by the web container.


I would suggest you use short-lived assertions, just long enough to get users authenticated in your SPs.


            Regards.
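To make the behaviour described in this thread concrete, here is an added example (not PicketLink's code, and not from either poster) showing the two halves: the one-time NotBefore/NotOnOrAfter check an SP performs when the SAML Response arrives, and an application-layer re-check that PicketLink does not do for you, which notices when the stored NotOnOrAfter has passed so the user can be sent back to the IdP. The assertion XML, the subject, the role value, the timestamps and the 60-second clock-skew allowance are all constructed for the example.

```python
"""Added example (not PicketLink's code): validate the SAML Conditions window
once at login, then re-check the stored expiry on later requests so the
application can force re-authentication after the assertion has lapsed.
The assertion, subject, role and timestamps below are constructed."""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
CLOCK_SKEW = timedelta(seconds=60)  # assumed tolerated drift between IdP and SP clocks

# Constructed assertion with a 10-minute validity window (not a real OpenAM response).
ASSERTION_XML = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example" Version="2.0" IssueInstant="2015-02-21T09:00:00Z">
  <saml:Issuer>https://idp.example.test/openam</saml:Issuer>
  <saml:Subject><saml:NameID>kirkm</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2015-02-21T09:00:00Z" NotOnOrAfter="2015-02-21T09:10:00Z"/>
  <saml:AttributeStatement>
    <saml:Attribute Name="Role"><saml:AttributeValue>admin</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Constructed request times: login inside the window, a later request after expiry,
# and a Response that arrives after the window has already closed.
LOGIN_TIME = datetime(2015, 2, 21, 9, 1, tzinfo=timezone.utc)
LATER_TIME = LOGIN_TIME + timedelta(minutes=10)       # 09:11, past NotOnOrAfter
LATE_ARRIVAL = datetime(2015, 2, 21, 9, 12, tzinfo=timezone.utc)


def parse_saml_time(value):
    # SAML xsd:dateTime values are UTC with a trailing 'Z'
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_conditions(xml_text):
    """Return (NotBefore, NotOnOrAfter) from the assertion's Conditions element."""
    root = ET.fromstring(xml_text)
    cond = root.find("saml:Conditions", SAML_NS)
    if cond is None:
        raise ValueError("assertion has no Conditions element")
    return parse_saml_time(cond.get("NotBefore")), parse_saml_time(cond.get("NotOnOrAfter"))


def conditions_valid(not_before, not_on_or_after, now, skew=CLOCK_SKEW):
    """The check performed when the Response arrives: reject assertions that are
    not yet valid or already expired, allowing a small clock skew."""
    if now + skew < not_before:
        return False
    if now - skew >= not_on_or_after:
        return False
    return True


def establish_session(xml_text, now):
    """Mimic SP login: validate once, then cache the attributes and the expiry.
    Returns None when the time conditions fail (no session is created)."""
    not_before, not_on_or_after = parse_conditions(xml_text)
    if not conditions_valid(not_before, not_on_or_after, now):
        return None
    root = ET.fromstring(xml_text)
    roles = [v.text for v in root.findall(
        ".//saml:Attribute[@Name='Role']/saml:AttributeValue", SAML_NS)]
    return {
        "subject": root.find(".//saml:NameID", SAML_NS).text,
        "roles": roles,
        "expires": not_on_or_after,
    }


def session_needs_reauth(session, now):
    """Application-layer check the SP does not repeat for you: once NotOnOrAfter
    has passed, treat the cached attributes as stale and redirect to the IdP."""
    return now >= session["expires"]


if __name__ == "__main__":
    session = establish_session(ASSERTION_XML, LOGIN_TIME)
    print("session at login:", session)
    print("needs re-auth at 09:11:", session_needs_reauth(session, LATER_TIME))
    print("late Response accepted:", establish_session(ASSERTION_XML, LATE_ARRIVAL) is not None)
```

In a servlet application the `session_needs_reauth` check would live in a filter in front of the protected resources, reading the expiry stored at login; invalidating the container session there is what produces the attribute refresh the original question asks for, while the assertion lifetime itself stays short as the reply recommends.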