Forum Discussion

Philippe_Logea1
Mar 11, 2014

APM SAML IDP session timeouts management

Hi everybody,

I configured my Big-IP APM in a SAML federation. My configuration consists of one VS as IDP and multiple VSs as SPs. Authentication on the IDP is based on Active Directory. I also set up SSO to all applications behind the SPs.

Everything is working. The authentication and SSO process works. The issue that I'm facing is idle timeout management. Each component (IDP and SP) has its own idle timeout.

Scenario 1:

  • All idle timeouts are set to 30 minutes.
  • The user accesses application A (SP).
  • The user is redirected to the IDP and authenticates. (IDP session is set)
  • The IDP redirects the user to application A (SP) and the user is authenticated. (SP session is set)
  • After 1 hour working in application A, the user accesses application B.
  • The user accesses application B (SP).
  • The user is redirected to the IDP, but the IDP session has expired (idle timeout). The user needs to re-authenticate. :(

Scenario 2:

  • The IDP idle timeout is 8 hours and the SP idle timeouts are set to 30 minutes.
  • The user accesses application A (SP).
  • The user is redirected to the IDP and authenticates. (IDP session is set)
  • The IDP redirects the user to application A (SP) and the user is authenticated. (SP session is set)
  • After 1 hour working in application A, the user accesses application B.
  • The user accesses application B (SP).
  • The user is redirected to the IDP and is still in session (timeout = 8h).
  • The IDP redirects the user to application B (SP) and the user is authenticated. (SP session is set)
  • The user goes to lunch for 1 hour. Theoretically, the application session idle timeout should be reached. But because the IDP session is still valid (8h), the user is automatically re-authenticated in the application.

Conclusion:

As you can see in my two scenarios, idle timeout management is not easy. If you want to guarantee a 30-minute idle timeout in an application, you lose the ability to access multiple applications without re-authentication on the IDP. If you configure the IDP with a larger idle timeout, you lose the ability to manage the application timeout.

Questions: Has anybody found a solution to address this issue? Is it possible to configure the SP to notify the IDP that some sessions are alive? (like a watchdog)

Thanks for your feedback!

Philippe
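The interplay of the two idle timers described in the post, as an added Python model (not code from the post or from F5 APM). It assumes sliding idle timeouts on both sides, that a request hitting a still-valid SP session never contacts the IDP, and that every redirect to the IDP refreshes the IDP session's idle timer; the event timeline is constructed to match the two scenarios.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class IdleSession:
    """A session that expires after idle_timeout minutes without activity."""
    idle_timeout: int                     # minutes
    last_activity: Optional[int] = None   # None: no session established yet

    def alive(self, now: int) -> bool:
        return (self.last_activity is not None
                and now - self.last_activity < self.idle_timeout)


def simulate(events: List[Tuple[int, str]], idp_timeout: int,
             sp_timeout: int) -> List[Tuple[int, str, str]]:
    """events: (minute, app) requests. Outcome per request:
    'sp-session' - served by the SP's own session, IDP not contacted
    'sso'        - SP session expired, IDP session valid, asserted silently
    'reauth'     - both expired, the IDP prompts for credentials again
    """
    idp = IdleSession(idp_timeout)
    sps: Dict[str, IdleSession] = {}
    log = []
    for now, app in events:
        sp = sps.setdefault(app, IdleSession(sp_timeout))
        if sp.alive(now):
            outcome = "sp-session"
        else:
            outcome = "sso" if idp.alive(now) else "reauth"
            idp.last_activity = now   # the IDP round trip is IDP activity
        sp.last_activity = now        # the SP sees activity either way
        log.append((now, app, outcome))
    return log


# Constructed timeline: an hour of activity in app A (a request every 10
# minutes), then app B is opened at minute 60, then revisited after a 1h lunch.
WORK_IN_A = [(m, "A") for m in range(0, 61, 10)]
THEN_B = [(60, "B"), (120, "B")]


def scenario1() -> List[Tuple[int, str, str]]:
    return simulate(WORK_IN_A + THEN_B, idp_timeout=30, sp_timeout=30)


def scenario2() -> List[Tuple[int, str, str]]:
    return simulate(WORK_IN_A + THEN_B, idp_timeout=480, sp_timeout=30)
```

Scenario 1 yields a fresh login for app B at minute 60 because the IDP timer was never refreshed while the user stayed on app A; scenario 2 silently re-establishes the app B session after lunch, so the 30-minute application idle limit is not actually enforced.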
