Ray, I now have the behavior that I was hoping for by using these settings:

cas.ticket.tgt.timeout.maxTimeToLiveInSeconds=7200

cas.ticket.tgt.timeToKillInSeconds=28800

Notice that what you and I are essentially using is the opposite of what the 
TGT expire policy doc maxTimeToLiveInSeconds/timeToKillInSeconds specifies. 
Thus the source of my confusion.

Thank you very much for the help!
Duane

On Thursday, October 26, 2017 at 10:10:07 AM UTC-7, rbon wrote:
>
> Duane,
>
> These are my settings:
>
> # TGT Expiration Policy
> # https://apereo.github.io/cas/5.1.x/installation/Configuration-Properties.html#tgt-expiration-policy
> cas.ticket.tgt.timeout.maxTimeToLiveInSeconds=7200
>
>
> # Remember Me
> cas.ticket.tgt.rememberMe.enabled=true
> cas.ticket.tgt.rememberMe.timeToKillInSeconds=28800
>
> As I understand it, your setting (cas.ticket.tgt.timeToKillInSeconds) will 
> provide a sliding window, adding 2 hours every time the TGC is used up to 8 
> h. My config above sets a fixed timeout to 2 h unless user checks remember 
> me (setting enable to true will show a check box on the login page).
>
> Ray
>
> On Thu, 2017-10-26 at 09:24 -0700, Duane Booher wrote:
>
> Just some more information on my investigation. We are running CAS 5.0.5, 
> plus I have tested 5.0.9 with the same results. 
>
> For CAS4 we use these parameters, which work for our authentication timeout 
> controls: 
>
> tgt.maxTimeToLiveInSeconds=28800
>
> tgt.timeToKillInSeconds=7200
>
> On CAS5 I've been using these parameters (w/ smaller numbers for 
> test/verification):
>
> cas.ticket.tgt.maxTimeToLiveInSeconds=28800
>
> cas.ticket.tgt.timeToKillInSeconds=7200
>
> maxTimeToLiveInSeconds works
> timeToKillInSeconds does not work
>
> I have also tried most of the other CAS5 tgt parms in my original posting 
> with no impact on the timetokill.
>
> Does anyone have any suggestions/workarounds?
>
> Duane
>
> On Wednesday, October 25, 2017 at 1:31:33 PM UTC-7, Duane Booher wrote: 
>
> Thanks for the response, good point. 
>
> What I really mean, for a given SSO session (TGT and a created ST) in a 
> given browser, then a new ST comes in after 2 hours. In this case we would 
> like a new forced CAS login to occur.
>
> For example, here is how I am testing where page-a and page-b are static 
> web pages:
>
> cas/login?service=https://page-a    ==> generates TGT + ST
> <after 2 hours>
> cas/login?service=https://page-b    ==> generates ST (but currently w/o 
> any required CAS/Login)
>
> Does this make sense?
>
> Duane
>
> On Wednesday, October 25, 2017 at 1:14:55 PM UTC-7, rbon wrote: 
>
> Duane,
>
> By session, do you mean the client application the user is working in or 
> do you mean the SSO session? 
> The client application is responsible for its own session expiration. CAS 
> only sends a logout to applications if a user chooses to logout (and 
> appropriate configuration is in place).
> After 2 hours the SSO session would expire; a user would be presented with 
> the login screen when accessing a different client service.
>
> Ray
>
> On Wed, 2017-10-25 at 11:48 -0700, Duane Booher wrote:
>
> Hello, I'm running CAS5.0 with all of the tgt session defaults. We are 
> testing tgt timeout when a tgt session is inactive with no 
> new activity. I was assuming that the default setting of 
> cas.ticket.tgt.timeToKillInSeconds=7200 would kill the session, however it 
> is going beyond 2 hours. Our goal for tgt is to have the 8 hour forced 
> expire and a 2 hour expire if inactive. What am I missing?
>
> Here are the defaults which I am running with:
>
> # cas.ticket.tgt.onlyTrackMostRecentSession=true
> # cas.ticket.tgt.maxLength=50
>
> # Set to a negative value to never expire tickets
> # cas.ticket.tgt.maxTimeToLiveInSeconds=28800
> # cas.ticket.tgt.timeToKillInSeconds=7200
>
> # cas.ticket.tgt.rememberMe.enabled=true
> # cas.ticket.tgt.rememberMe.timeToKillInSeconds=28800
>
> # cas.ticket.tgt.timeout.maxTimeToLiveInSeconds=28800
>
> # cas.ticket.tgt.throttledTimeout.timeToKillInSeconds=28800
> # cas.ticket.tgt.throttledTimeout.timeInBetweenUsesInSeconds=5
>
> # cas.ticket.tgt.hardTimeout.timeToKillInSeconds=28800
>
> Thanks,
> Duane
>
> -- 
> Ray Bon
> Programmer analyst
> Development Services, University Systems
> 2507218831 | CLE 019 | rb...@uvic.ca
>
>
>
> -- 
> Ray Bon
> Programmer analyst
> Development Services, University Systems
> 2507218831 | CLE 019 | rb...@uvic.ca
>
>
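Added example (not part of the thread and not CAS code): a small Python model of the goal stated in the original post, an 8 hour forced expiry plus a 2 hour idle expiry, replayed against the page-a / page-b test so the expected login prompts can be written down before testing a real configuration. The function names, the strict `>` comparison and the sample timelines are assumptions made for illustration.

```python
# Added example: models the policy goal stated in the thread, not CAS source code.
MAX_TTL = 28800   # hard limit from the thread: 8 hours after the TGT is created
IDLE_TTK = 7200   # idle limit from the thread: 2 hours since the TGT was last used


def tgt_expired(created, last_used, now, max_ttl=MAX_TTL, idle_ttk=IDLE_TTK):
    """True if either limit has been passed; times are seconds on one clock."""
    return now - created > max_ttl or now - last_used > idle_ttk


def replay(access_times, max_ttl=MAX_TTL, idle_ttk=IDLE_TTK):
    """Replay service requests (like cas/login?service=...) from one browser.

    Returns one (time, outcome) pair per request: "login" when the user must
    authenticate (no TGT yet, or it expired), "sso" when the existing TGT is
    reused and its idle window slides forward.
    """
    created = last_used = None
    outcomes = []
    for now in sorted(access_times):
        if created is None or tgt_expired(created, last_used, now, max_ttl, idle_ttk):
            created = now            # a fresh login issues a new TGT
            outcome = "login"
        else:
            outcome = "sso"
        last_used = now              # every use restarts the idle window
        outcomes.append((now, outcome))
    return outcomes


HOUR = 3600
# Constructed timelines (hypothetical), in seconds since the first request.
idle_case = [0, 2 * HOUR + 60]       # page-a, then page-b after more than 2 h idle
busy_case = [h * HOUR for h in (0, 1.5, 3, 4.5, 6, 7.5, 9)]  # never idle for 2 h

if __name__ == "__main__":
    for name, times in (("idle", idle_case), ("busy", busy_case)):
        for t, outcome in replay(times):
            print(f"{name:5s} t={t / HOUR:4.1f}h -> {outcome}")
```

In the idle timeline the second request forces a login; in the busy timeline the session is reused until the request at 9 h, which is past the 8 hour limit.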
