To me the logic is like this.

The session is maintained using the commonAuthId cookie (not samlssoTokenId).
Usually we do not configure a max age value for commonAuthId through
identity.xml. Therefore the value which we configure through the resident IdP
will be taken as the timeout (session idle timeout or remember-me period).
But if we configure this in identity.xml for commonAuthId, then the value
configured through identity.xml will be taken. But this is fine since we
have given the ability to configure timeouts per tenant through the UI. For the
rest of the cookies (including samlssoTokenId) the value which is
configured in identity.xml will be taken as the max age. So our
recommendation should be not to configure a max age for commonAuthId in
identity.xml.


On Wed, Jul 26, 2017 at 5:12 AM, Sathya Bandara <sat...@wso2.com> wrote:

> Hi all,
>
> In the current implementation we can configure the session timeout for
> the Identity Server via the resident realm configuration (Idle Session Time
> Out). In addition, with the following configuration in identity.xml we can
> specify a maxAge parameter on cookies in order to configure the session
> timeout periods (cookie expiration time).
>
>
>
> <Cookies>
>     <Cookie name="samlssoTokenId" domain="localhost" maxAge="20"
>             httpOnly="true" secure="true" />
> </Cookies>
>
> If this parameter value is specified, our implementation gives
> priority to the max age value configured through identity.xml over the
> session timeout value configured in the resident IdP [1].
>
> But in tenant mode, if the session timeout period needs to be
> customized (reduced) for security reasons and a max age value is specified
> in the configuration file, priority will be given to that rather than the
> customized session idle timeout for that tenant. Is this a valid use case?
>
> Highly appreciate your thoughts on this.
>
>
> [1] https://github.com/wso2-extensions/identity-inbound-auth-saml/blob/5.3.x/components/org.wso2.carbon.identity.sso.saml/src/main/java/org/wso2/carbon/identity/sso/saml/servlet/SAMLSSOProviderServlet.java#L854
>
> Thanks,
> Sathya
>
> --
> Sathya Bandara
> Software Engineer
> WSO2 Inc. http://wso2.com
> Mobile: (+94) 715 360 421
>
>
> _______________________________________________
> Dev mailing list
> Dev@wso2.org
> http://wso2.org/cgi-bin/mailman/listinfo/dev
>
>


-- 
Hasintha Indrajee
WSO2, Inc.
Mobile:+94 771892453
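The precedence rule described at the top of this reply, as an added illustration that is not WSO2 code and not part of the thread: `CookieMaxAgeResolver`, `TenantSessionConfig`, `resolve` and the field names are hypothetical; only the cookie names, the identity.xml `maxAge` attribute, the resident-IdP idle timeout and the remember-me period come from the discussion. The third branch (what a non-commonAuthId cookie gets when identity.xml has no maxAge) is not covered by the thread and is an assumption made for the example.

```java
import java.util.OptionalInt;

/**
 * Hypothetical illustration (not WSO2 code) of the max-age precedence
 * described in the thread: an identity.xml maxAge, when present, wins over
 * the tenant's resident-IdP timeout for the commonAuthId session cookie;
 * for every other cookie the identity.xml value is the only source.
 */
public class CookieMaxAgeResolver {

    /** Name of the session cookie, as given in the thread. */
    static final String COMMON_AUTH_ID = "commonAuthId";

    /** Per-tenant values set through the resident IdP UI (field names are assumptions). */
    static final class TenantSessionConfig {
        final int idleTimeoutSeconds;
        final int rememberMePeriodSeconds;

        TenantSessionConfig(int idleTimeoutSeconds, int rememberMePeriodSeconds) {
            this.idleTimeoutSeconds = idleTimeoutSeconds;
            this.rememberMePeriodSeconds = rememberMePeriodSeconds;
        }
    }

    /**
     * Resolve the max age to stamp on a cookie.
     *
     * @param cookieName        cookie being issued
     * @param identityXmlMaxAge maxAge from the Cookie element in identity.xml, empty if not configured
     * @param tenant            the tenant's resident-IdP session settings
     * @param rememberMe        whether the user chose "remember me" at login
     * @return max age in seconds, or empty when no max age applies (browser session cookie)
     */
    static OptionalInt resolve(String cookieName, OptionalInt identityXmlMaxAge,
                               TenantSessionConfig tenant, boolean rememberMe) {
        if (identityXmlMaxAge.isPresent()) {
            // identity.xml is server-wide, so it overrides the tenant's own setting.
            return identityXmlMaxAge;
        }
        if (COMMON_AUTH_ID.equals(cookieName)) {
            // No server-wide override: the tenant-level value applies.
            return OptionalInt.of(rememberMe ? tenant.rememberMePeriodSeconds
                                             : tenant.idleTimeoutSeconds);
        }
        // Assumption for this example: other cookies have no per-tenant fallback.
        return OptionalInt.empty();
    }

    public static void main(String[] args) {
        // Constructed scenario: a tenant administrator reduced the idle timeout to 5 minutes
        // and left remember-me at 14 days.
        TenantSessionConfig tenant = new TenantSessionConfig(300, 14 * 24 * 3600);

        // Case 1: maxAge="1200" set server-wide for commonAuthId (the concern raised in the question).
        OptionalInt withOverride = resolve(COMMON_AUTH_ID, OptionalInt.of(1200), tenant, false);
        System.out.println("server-wide maxAge set: " + withOverride.getAsInt()
                + "s (tenant's 300s is ignored)");

        // Case 2: no maxAge for commonAuthId in identity.xml (the recommended setup).
        OptionalInt tenantWins = resolve(COMMON_AUTH_ID, OptionalInt.empty(), tenant, false);
        System.out.println("no server-wide maxAge:  " + tenantWins.getAsInt()
                + "s (tenant value honoured)");

        // Case 3: remember-me login with no server-wide override.
        OptionalInt rememberMe = resolve(COMMON_AUTH_ID, OptionalInt.empty(), tenant, true);
        System.out.println("remember me:            " + rememberMe.getAsInt() + "s");
    }
}
```

Compile with `javac CookieMaxAgeResolver.java` and run with `java CookieMaxAgeResolver`. Case 1 is the situation the question describes: once a server-wide maxAge exists for commonAuthId, a tenant that tightened its idle timeout for security reasons no longer gets that shorter lifetime on the session cookie, which is why the reply recommends leaving maxAge unset for commonAuthId.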