
How Spring SAML Works if assertion expires

I have integrated WSO2 IS 5.11 with Spring SAML. After login, the SAML response contains an assertion expiry of 5 minutes. But if the same user uses the application for more than 5 minutes, no assertion refresh or logout happens. So I don't understand how the assertion refresh should happen, or how the session expiry should happen. I wanted to build a stateless SAML implementation using the SAML token; how do I implement session validation for each request?

The SAML assertion is validated upon login only. Thereafter, the app will be using its own session to keep users logged in. If the app-side session has expired, the user will be redirected to WSO2 IS and will be automatically logged in (a new assertion will be issued) if the IDP session is still valid.

The default session idle timeout of WSO2 IS is 15 minutes. If the user does not interact with WSO2 IS for more than 15 minutes, the IDP session will expire.

If your requirement is to use stateless authentication, you may read the answers to "Stateless Sessions with Spring Security Saml and SP Application".
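The behaviour described in this answer, modelled as an added example (not part of the original answer, and not Spring SAML or WSO2 IS code): the assertion window is checked only when the assertion is consumed, while every later request depends on the app session and, once that lapses, on the IdP session. The class and method names, the 5-minute app session timeout and the timestamps are assumptions; the 5-minute assertion validity and the 15-minute IdP idle timeout are the figures from the page.

```java
import java.time.Duration;
import java.time.Instant;

// Added illustration: a plain-Java model of the three clocks, no Spring or WSO2 classes involved.
public class SamlSessionTimeline {
    enum Outcome { SERVED_FROM_APP_SESSION, SILENT_RELOGIN_NEW_ASSERTION, IDP_LOGIN_PROMPT }

    static final Duration ASSERTION_VALIDITY = Duration.ofMinutes(5); // from the question
    static final Duration IDP_IDLE = Duration.ofMinutes(15);          // WSO2 IS default, per the answer
    final Duration spIdle;          // assumption: app (SP) session idle timeout, chosen by the app
    Instant assertionNotOnOrAfter;  // evaluated once, when the assertion is consumed
    Instant spLastSeen;             // app session, touched on every request
    Instant idpLastSeen;            // IdP session, touched only when the browser visits the IdP

    SamlSessionTimeline(Duration spIdle, Instant loginTime) {
        this.spIdle = spIdle;
        consumeAssertion(loginTime, loginTime);
    }

    // Login step: the only place the assertion's validity window is checked.
    private void consumeAssertion(Instant issuedAt, Instant now) {
        assertionNotOnOrAfter = issuedAt.plus(ASSERTION_VALIDITY);
        if (!now.isBefore(assertionNotOnOrAfter)) throw new IllegalStateException("assertion expired");
        spLastSeen = now;
        idpLastSeen = now;
    }

    Outcome onRequest(Instant now) {
        if (now.isBefore(spLastSeen.plus(spIdle))) {
            spLastSeen = now; // assertionNotOnOrAfter is deliberately not consulted here
            return Outcome.SERVED_FROM_APP_SESSION;
        }
        // App session expired: the user is redirected to the IdP with a new authentication request.
        boolean idpAlive = now.isBefore(idpLastSeen.plus(IDP_IDLE));
        consumeAssertion(now, now); // a fresh assertion follows SSO or re-entered credentials
        return idpAlive ? Outcome.SILENT_RELOGIN_NEW_ASSERTION : Outcome.IDP_LOGIN_PROMPT;
    }

    public static void main(String[] args) {
        Instant t0 = Instant.parse("2024-01-01T09:00:00Z"); // constructed login time
        SamlSessionTimeline s = new SamlSessionTimeline(Duration.ofMinutes(5), t0);
        // The second request falls after the first assertion's 5-minute window has closed.
        for (long minute : new long[] {4, 7, 13, 45}) {
            System.out.println("+" + minute + "m " + s.onRequest(t0.plus(Duration.ofMinutes(minute))));
        }
    }
}
```

In this model an active user keeps working past the assertion's expiry because only the app session is consulted, which is why bounding the lifetime of a login means configuring the app session timeout (and, for single sign-on, the IdP session) rather than the assertion validity.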
