Spring Security SAML SSO - Global logout

I am looking for documentation of the Global architecture logout. I have reviewed some links but I have a scenario that I cannot find. What happens if the local session of an SP expires? I did a lab and I noticed that when a timeout of the local session occurs, the security context is lost. In this architecture the local session timeout should not expire (SPs)?

If you have any documentation links for this scenario, thank you infinitely!!

In SAMLv2 there is no real concept for session correlation. SAML assertions issued by the IdP do have a validity set (condition attributes "NotBefore" and "NotOnOrAfter" which must be checked by the SP). Actually the SP should query the IdP before the assertion times out (using a so-called "passive AuthnRequest") to check whether the session at the IdP is still valid.

Some IdP implementations have proprietary extensions to notify the SP when the IdP session times out; however, this mostly requires SOAP binding being supported by the SPs as it's happening 'out-of-band' (without user-agent interaction).

Workaround for your issue: the (idle) timeout of the local session must be higher than on the IdP.
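The check the answer describes, as an added example that is not part of the original answer and not Spring Security SAML code: it classifies an SP session against the assertion's `NotBefore`/`NotOnOrAfter` window and builds the passive AuthnRequest to send before that window closes. The skew and re-check margins, the sample assertion and all URLs passed in are assumptions chosen for illustration.

```python
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SKEW = timedelta(seconds=60)           # assumed clock-skew tolerance
RECHECK_MARGIN = timedelta(minutes=2)  # assumed lead time for the passive re-check

# Constructed sample. A real assertion is signed; verify the signature before
# trusting anything read from it.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML}" ID="_constructed" Version="2.0">
  <saml:Conditions NotBefore="2024-01-01T10:00:00Z" NotOnOrAfter="2024-01-01T10:30:00Z"/>
</saml:Assertion>"""

def parse_ts(value):
    """Parse an xs:dateTime in UTC ('Z' suffix) into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def session_state(assertion_xml, now):
    """Classify the SP session against the assertion's Conditions window."""
    cond = ET.fromstring(assertion_xml).find(f"{{{SAML}}}Conditions")
    if cond is None or cond.get("NotOnOrAfter") is None:
        raise ValueError("assertion has no NotOnOrAfter condition")
    not_on_or_after = parse_ts(cond.get("NotOnOrAfter"))
    not_before = cond.get("NotBefore")
    if not_before and now + SKEW < parse_ts(not_before):
        return "not-yet-valid"
    if now - SKEW >= not_on_or_after:
        return "expired"       # drop the local security context
    if now >= not_on_or_after - RECHECK_MARGIN:
        return "recheck"       # ask the IdP passively before the window closes
    return "valid"

def passive_authn_request(sp_entity_id, idp_sso_url, acs_url, now):
    """Build an AuthnRequest with IsPassive="true": the IdP must not prompt the user."""
    req = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": "_" + uuid.uuid4().hex,
        "Version": "2.0",
        "IssueInstant": now.strftime("%Y-%m-%dT%H:%M:%SZ"),
        "Destination": idp_sso_url,
        "AssertionConsumerServiceURL": acs_url,
        "IsPassive": "true",
    })
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = sp_entity_id
    return ET.tostring(req, encoding="unicode")
```

An IdP without a live session answers a passive request with the `urn:oasis:names:tc:SAML:2.0:status:NoPassive` status, which the SP treats as logged out.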
