We are acting as the IDP and have a maxTimeout setting of 6 hrs, and the partner SP has a security setting of 2.
Request flow: the user logs in to the system, navigates on the IDP side and then clicks the SP link to establish SSO with the SP.
Issue: the user logs in to the IDP, navigates on the website and clicks the SP link after 3 hours. The generated SAML carries the timestamp of when the user first logged in:
<ns2:AuthnStatement AuthnInstant="2016-08-24T16:28:23Z" (Time of authentication for the first time)
IssueInstant="2016-08-24T19:41:29Z" (Time when user click on SP link)
Now, because the partner has a 2 hrs security setting, they are treating this request as a failed request.
Is there a way in SiteMinder to send the IssueInstant time as the AuthnInstant time? This way the generated SAML will not fail on the SP side. Or is there any other suggestion for handling this issue?
I believe this would violate the SAML specification if we send IssueInstant as AuthnInstant.
Based on the following documentation:
The SA MUST set the AuthnInstant to the time authentication occurred, as defined in [SAML2Core]. The SC MAY use this value to implement a maximum login time.
Therefore, I don't think we can do that.
Increasing the SP-side timeout is something I can think of. As the SP provides the service, I presume they can accommodate the IDP's (customer's) request.
Hope this helps.
You can manage the duration of the authentication session at the Service Provider. The SessionNotOnOrAfter attribute is an optional attribute that the IdP can include in the <AuthnStatement> of an assertion. The configuration for session validity is done at the IdP.
Note: The SessionNotOnOrAfter parameter is different from the NotOnOrAfter parameter, which determines how long the assertion is valid.
A third-party SP can use the value of the SessionNotOnOrAfter to set its own timeout values, helping to ensure that sessions are not too short. If a user session becomes invalid, the user has to reauthenticate at the Identity Provider.
Important! If CA SiteMinder® is acting as an SP, it ignores the SessionNotOnOrAfter value. Instead, a CA SiteMinder® SP sets session timeouts from the realm timeout that corresponds to the SAML authentication scheme protecting the target resource.
Follow these steps:
Click Help for the field descriptions.
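To make the two answers above concrete, here is an added example (not code from the thread, CA SiteMinder or any SP product) of the checks a strict SP performs on an assertion: the maximum-login-time check that compares AuthnInstant against IssueInstant, the separate NotOnOrAfter validity window the Note refers to, and the choice between adopting SessionNotOnOrAfter and using a local realm timeout. The sample assertion is constructed; only its AuthnInstant and IssueInstant values are taken from the question, and the issuer, audience, IDs and SessionNotOnOrAfter value are made-up placeholders.

```python
"""Service-provider-side timing checks on a SAML 2.0 assertion (added example)."""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion (not a real SiteMinder assertion). AuthnInstant and
# IssueInstant are the values from the question; every other value is made up.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-example-id" Version="2.0" IssueInstant="2016-08-24T19:41:29Z">
  <saml:Issuer>https://idp.example.test/siteminder</saml:Issuer>
  <saml:Conditions NotBefore="2016-08-24T19:40:29Z" NotOnOrAfter="2016-08-24T19:46:29Z">
    <saml:AudienceRestriction><saml:Audience>https://sp.example.test</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AuthnStatement AuthnInstant="2016-08-24T16:28:23Z"
      SessionIndex="_constructed-session" SessionNotOnOrAfter="2016-08-24T22:28:23Z">
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
    </saml:AuthnContext>
  </saml:AuthnStatement>
</saml:Assertion>"""


def parse_instant(value):
    """SAML xs:dateTime values in assertions are UTC and end in 'Z'."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def format_instant(dt):
    return dt.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def _authn_statement(root):
    stmt = root.find("saml:AuthnStatement", SAML_NS)
    if stmt is None:
        raise ValueError("assertion carries no AuthnStatement")
    return stmt


def check_max_login_time(assertion_xml, max_login_seconds):
    """The 'maximum login time' check the partner SP enforces: how old was the
    user's authentication (AuthnInstant) when the assertion was issued (IssueInstant)?"""
    root = ET.fromstring(assertion_xml)
    issue_instant = parse_instant(root.get("IssueInstant"))
    authn_instant = parse_instant(_authn_statement(root).get("AuthnInstant"))
    age = int((issue_instant - authn_instant).total_seconds())
    if age < 0:
        raise ValueError("AuthnInstant is later than IssueInstant")
    return {"authn_age_seconds": age, "accepted": age <= max_login_seconds}


def assertion_valid_at(assertion_xml, now_str):
    """NotBefore/NotOnOrAfter bound the assertion itself (the Note above); this is
    independent of how long the resulting SP session may last."""
    root = ET.fromstring(assertion_xml)
    cond = root.find("saml:Conditions", SAML_NS)
    now = parse_instant(now_str)
    not_before = cond.get("NotBefore")
    not_on_or_after = cond.get("NotOnOrAfter")
    if not_before is not None and now < parse_instant(not_before):
        return False
    if not_on_or_after is not None and now >= parse_instant(not_on_or_after):
        return False
    return True


def sp_session_expiry(assertion_xml, now_str, realm_timeout_seconds, honor_session_not_on_or_after):
    """Derive the SP session end. A third-party SP may adopt SessionNotOnOrAfter;
    a SiteMinder SP ignores it and uses the realm timeout, as the answer states."""
    root = ET.fromstring(assertion_xml)
    now = parse_instant(now_str)
    local_expiry = now + timedelta(seconds=realm_timeout_seconds)
    snoa = _authn_statement(root).get("SessionNotOnOrAfter")
    if honor_session_not_on_or_after and snoa is not None:
        return format_instant(parse_instant(snoa))  # adopt the IdP's session bound
    return format_instant(local_expiry)


if __name__ == "__main__":
    for hours in (2, 6):
        print(f"max login time {hours}h:", check_max_login_time(SAMPLE_ASSERTION, hours * 3600))
    print("SiteMinder-style SP :", sp_session_expiry(SAMPLE_ASSERTION, "2016-08-24T19:41:29Z", 1800, False))
    print("SNOA-honoring SP    :", sp_session_expiry(SAMPLE_ASSERTION, "2016-08-24T19:41:29Z", 1800, True))
```

Running it shows the situation from the question: the authentication is 11586 seconds (about 3 h 13 min) old at issue time, so a 2 hour maximum login time rejects the assertion while a 6 hour one accepts it, and no value of SessionNotOnOrAfter changes that outcome because the max-login-time check reads AuthnInstant, not the session bound.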