2 Replies Latest reply on Feb 21, 2015 9:43 AM by Pedro Igor

    SP Attribute Refresh

    Kirk Maskalenko Newbie

      I am using SP picketlink 2.6.1 to provide authentication and authorization to a tomcat7 web application.  The application is receiving SAML from an OpenAM based identity provider.  At initial authentication, all is working fine, I am getting identity and role information from the Idp and the SP is authenticating against it and provides access to the attributes.  However I was expecting to see periodic refresh of the attributes as the SAML assertion expires (ttl is 10 minutes) which I don't see.  How do I configure the SP to re authenticate after the SAML token expires?

        • 1. Re: SP Attribute Refresh
          Kirk Maskalenko Newbie

          Does the Picketlink SP validate the session once it is established  based on the NotOnOrAfter attribute?

          • 2. Re: SP Attribute Refresh
            Pedro Igor Master

            Hey Kirk,


            What PL does is check these time conditions when receiving a SAML Response from the IdP. If they are invalid, SP will deny and session will not be established. This is performed only during the first request to the SP.


            Once the user is authenticated and have a valid session on the SP, PL will never check the conditions again. The session timeout is defined in your web.xml and managed by the web container.


            I would suggest you to use short-lived assertions, the enough to get users authenticated in your SPs.