Managing session inactivity

By: Jesús JM user 08 Mar 2021 at 5:51 a.m. CST

1 Response
Jesús JM gravatar
Hello Gluu Team, We want to manage inactivity in user sessions but we're struggling in how to implement this feature. We use SAML as the protocol for supporting SSO and SLO, and we use Gluu as our IdP. We want to have an infinite session lifetime until the user closes the browser (sessionIdLifetime = -1), but we also want to be able to control if the user is inactive during an amount of time. Thus, we want the session lifetime to be infinite **WHILE** the user is active. We thought in setting sessionIdUnusedLifetime = 30 minutes for example. What we expected is that if the user is active in the RP, the session is not closed. But it seems that Gluu is not aware about the user activity on the RP, and when the session reaches 30 minutes, the session is over, no matter the user is active or not. We've tried to manage it through IdP properties (idp.session.timeout, idp.authn.defaultLifetime, idp.authn.defaultTimeout) but it seems there is no effect in changing these properties. Is there a way to implement this feature? Thank you for your support. Jesús
Gluu 4.1.1 CentOS 7.0
closed

Answers

By Michael Schwartz Account Admin 08 Mar 2021 at 9:31 a.m. CST

Copy
Michael Schwartz gravatar
Not easily. SAML is also making your life more difficult--when you use SAML you have to worry about three systems: the RP, Shib IDP and oxAuth. It can make for a toxic combination. First of all, the RP gets the SAML assertion during authentication, and after that, does not hit the SAML IDP again. If you want more control over logout, you'll need to use a web proxy front end that can do that, perhaps the Shibboleth SP Apache filter. You can read more about Shibboleth logout issues here: https://wiki.shibboleth.net/confluence/display/IDP4/LogoutConfiguration Another idea... load some javascript in the RP web page that redirects the browser to the Gluu logout endpoint after inactivity timeout? I'm closing this issue because logout is beyond the scope of community support. But if you find a good solution, please post it here for the benefits of others.

Post an answer