What should the SAML token lifetime be for an SSO app? Are there any best practices for this? Do we need to keep the application session equal to the SAML token lifetime?
The SAML "token" lifetime is typically very short.
SAML messages including the response and assertion typically have an IssueInstant which states when the message was created.
In addition, the Assertion typically has Conditions that include a NotBefore and NotOnOrAfter datetime and an AudienceRestriction. This basically states how long the Audience should trust that Assertion. The trust for the assertion has nothing to do with how long you keep the session active. Similar to any authentication method, the user was authenticated at that specific Instant. The user account may have been disabled seconds later.
The Service Provider (Application) needs to decide how long it will keep that session active before prompting for the user to log in again. It is a risk-based decision based on the security needs of the Application in question.
The example above gives you a little more than an hour to trust the assertion. That may be a valid session length, but I have also seen 5 minutes, which might not be an appropriate session length. The condition is more about dealing with Clock Skew between the SAML parties than anything else.
The Assertion says that the user Authenticated successfully, not how long you should keep the session active.
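The separation the answer describes, as an added example that is not part of the original question or answer: the Service Provider checks the assertion's Conditions (NotBefore, NotOnOrAfter with a clock-skew allowance, and AudienceRestriction) once at login, and then creates an application session whose lifetime comes from its own policy, not from NotOnOrAfter. The assertion XML, the 180-second skew allowance and the 8-hour session lifetime are all constructed for this example; a real SP must also verify the assertion's signature before trusting any of these values.

```python
"""Validate SAML 2.0 assertion Conditions with clock skew, then create an
application session whose lifetime is independent of the assertion window.

Added example, not code from the original page. The assertion below is a
constructed sample; signature verification (mandatory in practice) is out
of scope here.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample: a 5-minute validity window, as the answer mentions
# seeing in practice. Subject and Signature elements are omitted.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-example-id" Version="2.0" IssueInstant="2024-05-01T12:00:00Z">
  <saml:Issuer>https://idp.example.test/adfs/services/trust</saml:Issuer>
  <saml:Conditions NotBefore="2024-05-01T12:00:00Z" NotOnOrAfter="2024-05-01T12:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://sp.example.test/saml/metadata</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""

SP_ENTITY_ID = "https://sp.example.test/saml/metadata"   # assumed SP audience
DEFAULT_CLOCK_SKEW = timedelta(seconds=180)               # assumed tolerance
DEFAULT_APP_SESSION = timedelta(hours=8)                  # assumed SP policy


def parse_saml_instant(value: str) -> datetime:
    """Parse an xs:dateTime as SAML uses it (UTC with a trailing 'Z')."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


@dataclass
class ConditionsResult:
    ok: bool
    reason: str
    not_before: datetime
    not_on_or_after: datetime


def validate_conditions(assertion_xml: str, expected_audience: str, now: datetime,
                        clock_skew: timedelta = DEFAULT_CLOCK_SKEW) -> ConditionsResult:
    """Check AudienceRestriction and the NotBefore/NotOnOrAfter window.

    Skew is applied symmetrically: accept if
    NotBefore - skew <= now < NotOnOrAfter + skew.
    """
    root = ET.fromstring(assertion_xml)
    conditions = root.find("saml:Conditions", NS)
    if conditions is None:
        raise ValueError("assertion has no Conditions element")
    not_before = parse_saml_instant(conditions.get("NotBefore"))
    not_on_or_after = parse_saml_instant(conditions.get("NotOnOrAfter"))

    audiences = {
        a.text.strip()
        for a in conditions.findall("saml:AudienceRestriction/saml:Audience", NS)
        if a.text
    }
    if expected_audience not in audiences:
        return ConditionsResult(False, "audience mismatch", not_before, not_on_or_after)
    if now < not_before - clock_skew:
        return ConditionsResult(False, "assertion not yet valid", not_before, not_on_or_after)
    if now >= not_on_or_after + clock_skew:
        return ConditionsResult(False, "assertion expired", not_before, not_on_or_after)
    return ConditionsResult(True, "ok", not_before, not_on_or_after)


def create_app_session(authenticated_at: datetime,
                       session_lifetime: timedelta = DEFAULT_APP_SESSION) -> datetime:
    """Return the application session expiry.

    This is the SP's own risk-based choice. It deliberately ignores
    NotOnOrAfter, which only bounds when the assertion may be consumed.
    """
    return authenticated_at + session_lifetime


if __name__ == "__main__":
    login_time = parse_saml_instant("2024-05-01T12:02:00Z")
    result = validate_conditions(SAMPLE_ASSERTION, SP_ENTITY_ID, login_time)
    print("assertion accepted:", result.ok, "-", result.reason)
    if result.ok:
        print("app session expires:", create_app_session(login_time).isoformat())
        print("assertion window ended:", result.not_on_or_after.isoformat())
```

Run stand-alone, the script accepts the assertion at 12:02 and creates a session that lasts until 20:02, long after the assertion's own window closes at 12:05; the skew allowance also accepts a response that arrives a minute late, but rejects one three or more minutes late, or one addressed to a different audience.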