Wso2 saml grant how session timeout will work

Question

I am integrating java app with SAML and on successfull login and I am generating oauth2 token by saml grant type and storing it in client side and also in redis. For further requests I am referring redis and if the token gets expired, I'm generating new token and again storing in both client and redis.

But how to implement session timeout incase of this use-case. I need to implement two timeouts: 1)idle timeout 2)session expiry(irrespective of idle session timeout).

Suppose if the session is configured with idle timeout of 12 hours and session expiry of 72 hours. So, how the above scenario should be implemented as in wso2 IS configuration I can able to see only idle timeout in session configuration, there is no session expiry in total irrespective of idle timeout. So, how can I sync both redis and wso2 session considering above requirement.

Ans also does the idle timeout expiry will get extend by generating token for the second time in WSO2 IS?

Answer 1

The (idle) session timeout is applicable when you create an SSO session on the browser. But the SAML2 Bearer Grant does not create an SSO session, therefore it is not possible to have any session timeouts.

For this requirement, I would suggest below.

• Use the SAML assertion to generate an access token and refresh token pair
• Set access token expiry with the expected idle session timeout value
• Set refresh token expiry with the expected session timeout value
• If the user is active on the application and access token is going to expire, use the refresh grant and obtain a new access token
• Now, you will not be able to extend this beyond the refresh token validity which you call as session timeout

PS: Following config is required in order to avoid refresh token's validity getting extended upon refresh grant requests. Ref

[oauth.token_renewal]
extend_refresh_token_expiry_time_on_renewal = false