Hi all,

In the current implementation we can configure the session timeout for the Identity Server via the resident realm configuration (Idle Session Time Out). In addition, with the following configuration in identity.xml we can specify a maxAge parameter on cookies in order to configure the session timeout periods (cookie expiration time).

    <Cookies>
        <Cookie name="samlssoTokenId" domain="localhost" maxAge="20" httpOnly="true" secure="true" />
    </Cookies>

If this parameter value is specified, in our implementation we give priority to the max age value configured through identity.xml over the session timeout value configured in the resident IDP [1].

But in tenant mode, if the session timeout period needs to be customized (reduced) for security reasons and a max age value is specified in the configuration file, priority will be given to that rather than to the customized session idle timeout for that tenant. Is this a valid use case?

Highly appreciate your thoughts on this.

[1] https://github.com/wso2-extensions/identity-inbound-auth-saml/blob/5.3.x/components/org.wso2.carbon.identity.sso.saml/src/main/java/org/wso2/carbon/identity/sso/saml/servlet/SAMLSSOProviderServlet.java#L854

Thanks,
Sathya

--
Sathya Bandara
Software Engineer
WSO2 Inc. http://wso2.com
Mobile: (+94) 715 360 421
_______________________________________________
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev
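The precedence described in the message above, as an added example that is not part of the original post and is not WSO2 code: it reads the quoted `<Cookies>` fragment and reports tenants whose shorter idle timeout is overridden by the global maxAge. The tenant names, their timeout values, the shared unit, and the `tenant_aware_lifetime` policy are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed input: the <Cookies> fragment quoted in the message.
IDENTITY_XML = """<Cookies>
  <Cookie name="samlssoTokenId" domain="localhost" maxAge="20"
          httpOnly="true" secure="true" />
</Cookies>"""

# Constructed, hypothetical tenants with idle session timeouts. Assumption:
# already converted to the same unit as the cookie maxAge.
TENANT_IDLE_TIMEOUT = {"carbon.super": 900, "tenant-a.example": 10}


def configured_max_age(xml_text, cookie_name):
    """Return the cookie's maxAge from the config, or None if it is not set."""
    for el in ET.fromstring(xml_text).iter():
        # Compare local names so a namespaced identity.xml also matches.
        if el.tag.rsplit("}", 1)[-1] == "Cookie" and el.get("name") == cookie_name:
            value = el.get("maxAge")
            return int(value) if value is not None else None
    return None


def effective_lifetime(max_age, idle_timeout):
    """Precedence as described in the message: a configured maxAge wins."""
    return max_age if max_age is not None else idle_timeout


def tenant_aware_lifetime(max_age, idle_timeout):
    """Hypothetical alternative: the shorter of the two limits applies."""
    return idle_timeout if max_age is None else min(max_age, idle_timeout)


def overridden_tenants(xml_text, cookie_name, tenant_timeouts):
    """List (tenant, idle_timeout, effective) where a shorter tenant limit loses."""
    max_age = configured_max_age(xml_text, cookie_name)
    findings = []
    for tenant, idle in sorted(tenant_timeouts.items()):
        effective = effective_lifetime(max_age, idle)
        if effective > idle:
            findings.append((tenant, idle, effective))
    return findings


if __name__ == "__main__":
    for tenant, idle, effective in overridden_tenants(
            IDENTITY_XML, "samlssoTokenId", TENANT_IDLE_TIMEOUT):
        print(f"{tenant}: idle timeout {idle} is overridden by maxAge {effective}")
```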