Forum Discussion

bdavis
Dec 15, 2015

APM SSO Multiple SP's utilizing single IDP - Inactivity Timeout

Any help would be appreciated. Here's the scenario. We have an IDP set up on the F5 that we use for SSO with multiple SP's associated with it. The functionality we are wanting is that the user can obviously log into one SP-protected application and, if their assertion is valid, have the ability to log directly into any of the other SP-protected applications; this functionality works today.

The issue is that although we want the ability to authenticate to multiple applications with a single assertion, we need to manage some security behind that. Meaning somehow we need to protect the SSO IDP session so that if, let's say, none of the SP sessions for a particular user have been active for a period of 15 minutes, the IDP issues an SLO, or terminates the IDP session, forcing the user to re-authenticate when he returns.

However, if app-a's inactivity timeout fires but the user is active in app-b, I do not want the user to be logged out; only if the user is inactive in all SP sessions relevant to that IDP session.

I'm assuming that for this to be possible the IDP would have to be aware of the SP's inactivity time-out, triggering an SLO if there has been zero activity from the user. I hope this makes sense.


1 Reply

  • I am not sure that scenario is possible. SAML is the standard for authentication, but the IDP is not a proxy of user application connections; it merely issues an assertion and sends the user on its merry way to access any given SP. When APM acts as an IDP, the user has a session with APM, and that session has its own timeout. SAML as a protocol does not have any mechanism built in, as far as I know, to keep track of user activity and associated timeouts, which is why I am not seeing how the scenario you're seeking is possible to accomplish.
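To make the two timeouts discussed above concrete, here is an added model (not F5 APM code, and not from either poster) of the policy the question describes: the IdP session ends, and an SLO is fanned out to every SP session, only when all SPs have been idle for 15 minutes, or when the IdP session's own lifetime (the APM session timeout the reply mentions) expires. It assumes a hypothetical out-of-band channel through which each SP reports user activity to the IdP; as the reply notes, SAML itself does not provide one, and that missing channel is the real obstacle, not the policy logic. All timestamps and SP names are constructed sample values.

```python
"""Model of the cross-SP inactivity policy from the thread.

Added example, not F5 APM code. It assumes a hypothetical activity-reporting
channel from each SP to the IdP; SAML itself does not define one.
Timestamps are constructed sample values in seconds.
"""
from dataclasses import dataclass, field
from typing import Dict, List

IDLE_LIMIT_SECONDS = 15 * 60  # the 15-minute window from the question


@dataclass
class IdpSession:
    user: str
    created_at: float
    idp_session_lifetime: float  # the IdP's own session timeout (from the reply)
    last_activity_by_sp: Dict[str, float] = field(default_factory=dict)
    terminated: bool = False

    def record_sp_activity(self, sp: str, ts: float) -> None:
        # Hypothetical: an SP tells the IdP the user was active at time ts.
        if not self.terminated:
            prev = self.last_activity_by_sp.get(sp, 0.0)
            self.last_activity_by_sp[sp] = max(ts, prev)

    def all_sps_idle(self, now: float, limit: float = IDLE_LIMIT_SECONDS) -> bool:
        # Idle only if *every* SP session has been quiet for `limit` seconds,
        # i.e. the most recent activity across all SPs is older than the limit.
        if not self.last_activity_by_sp:
            return now - self.created_at >= limit
        newest = max(self.last_activity_by_sp.values())
        return now - newest >= limit

    def idp_lifetime_expired(self, now: float) -> bool:
        return now - self.created_at >= self.idp_session_lifetime

    def evaluate(self, now: float) -> List[str]:
        """Return the SPs that should receive an SLO LogoutRequest ([] if none).

        On the first trigger the IdP session is marked terminated so a later
        evaluation does not issue a second round of logouts.
        """
        if self.terminated:
            return []
        if self.all_sps_idle(now) or self.idp_lifetime_expired(now):
            self.terminated = True
            return sorted(self.last_activity_by_sp)  # fan SLO out to every SP
        return []


def demo() -> dict:
    # Constructed scenario: app-a goes quiet while app-b stays active.
    s = IdpSession(user="alice", created_at=0.0, idp_session_lifetime=8 * 3600)
    s.record_sp_activity("app-a", 60.0)
    s.record_sp_activity("app-b", 120.0)
    s.record_sp_activity("app-b", 1000.0)
    # t=1100: app-a idle > 15 min, but app-b was active 100 s ago -> no logout
    at_1100 = s.evaluate(1100.0)
    # t=2000: both SPs idle >= 900 s since the last activity -> SLO to both
    at_2000 = s.evaluate(2000.0)
    return {"at_1100": at_1100, "at_2000": at_2000, "terminated": s.terminated}


if __name__ == "__main__":
    print(demo())
```

The model shows why the reply's objection stands: `evaluate` is straightforward once `last_activity_by_sp` is populated, but nothing in the SAML exchange ever writes to it, so a real deployment would need each SP to report activity to the IdP itself or rely solely on the IdP's own session lifetime.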