Open uniquejava opened 1 year ago
This might relate to https://github.com/OpenLiberty/open-liberty/issues/24024#issuecomment-1402307106
As @arunavemulapalli commented there: "We take the NotOnOrAfter in <Conditions> as the token expiration (this is per SAML assertion spec)."
Here is my IdP SAML Response:
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData InResponseTo="_vi3jXE5jtVik7wO9TcgH8t3ck0APxd0j" NotOnOrAfter="2023-08-29T09:17:58.697Z" Recipient="https://localhost:9443/ibm/saml20/defaultSP/acs"></saml:SubjectConfirmationData>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2023-08-29T09:12:58.697Z" NotOnOrAfter="2023-08-29T09:13:58.697Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://localhost:9443/ibm/saml20/defaultSP</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AuthnStatement AuthnInstant="2023-08-29T09:13:00.698Z" SessionIndex="658d7fb6-7e05-4a50-9fe2-80ed6a8afaca::33dcd335-e4d3-4d71-93ba-7ba59083ddda" SessionNotOnOrAfter="2023-08-29T19:13:00.698Z">
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml:AuthnContextClassRef>
    </saml:AuthnContext>
  </saml:AuthnStatement>
From this SAML token, I found this information:
SubjectConfirmationData.NotOnOrAfter = 5 min
Conditions.NotOnOrAfter = 1 min
AuthnStatement.SessionNotOnOrAfter = 10 hours
It seems Open Liberty does not use Conditions.NotOnOrAfter as the spCookie expiry time; it should be 1 minute according to the SAML Response, but for now it's 30 minutes.
From my understanding, plus the comment on the attribute sessionNotOnOrAfter in server.xml ("sessionNotOnOrAfter: Indicates an upper bound on SAML session durations, after which the Liberty SP should ask the user to re-authenticate to the IdP"), Open Liberty might use the AuthnStatement.SessionNotOnOrAfter value as the SSO token expiration time, or could we have a separate attribute so we can customize it?
Hello everyone,
I am using Keycloak as my IdP server, and Liberty (I tried both 22.0.0.13 and 23.0.0.8).
Here is my server.xml
Please just ignore sessionNotOnOrAfter=5m; according to the documentation and my experiment, it's useless in this case, as the IdP SAML token specified SessionNotOnOrAfter as 10 hours from that moment. But per my observation from Chrome dev tools, the spCookie expires after 30 minutes.
Screenshot 1 (Starting point)
Request the SP backend API right after login by clicking the Search button.
At the beginning, we can see spCookie and JSESSIONID (I renamed it to AWAGSESSIONID).
Screenshot 2 (After 2 minutes)
Request the SP backend API after 2 minutes by clicking the Search button again.
We can see JSESSIONID (AWAGSESSIONID) disappeared; this shows that httpSession#cookieMaxAge=2m worked.
Screenshot 3 (After 30 minutes)
Request the SP backend API after 30 minutes by clicking the Search button the last time.
We can see the SP server (Liberty) forced the browser to clear spCookie.
This is where I am not clear: nowhere did I set this spCookie timeout to 30 minutes.
And how can I specify this spCookie timeout (expiry time)?
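An added example, not from the issue or from Open Liberty: a small Python script that pulls the time bounds out of an assertion like the one above, reports the three lifetimes the issue lists, and checks whether an SP cookie of a given lifetime would outlive Conditions.NotOnOrAfter. The assertion skeleton is constructed from the values quoted above; the surrounding Subject/Assertion elements are assumed.

```python
from datetime import datetime, timedelta
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample: the timestamps quoted in the issue, wrapped in a minimal
# Assertion/Subject skeleton so the fragment parses (no signature, no NameID).
ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData NotOnOrAfter="2023-08-29T09:17:58.697Z"
          Recipient="https://localhost:9443/ibm/saml20/defaultSP/acs"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2023-08-29T09:12:58.697Z" NotOnOrAfter="2023-08-29T09:13:58.697Z"/>
  <saml:AuthnStatement AuthnInstant="2023-08-29T09:13:00.698Z"
      SessionNotOnOrAfter="2023-08-29T19:13:00.698Z"/>
</saml:Assertion>"""

def parse_ts(value):
    # SAML timestamps are xsd:dateTime in UTC; older fromisoformat() rejects a bare "Z"
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def time_bounds(xml_text):
    """Every time attribute in the assertion that can bound the SP session."""
    root = ET.fromstring(xml_text)
    scd = root.find(".//saml:SubjectConfirmationData", NS)
    cond = root.find("saml:Conditions", NS)
    authn = root.find("saml:AuthnStatement", NS)
    return {
        "NotBefore": parse_ts(cond.get("NotBefore")),
        "SCD.NotOnOrAfter": parse_ts(scd.get("NotOnOrAfter")),
        "Conditions.NotOnOrAfter": parse_ts(cond.get("NotOnOrAfter")),
        "AuthnInstant": parse_ts(authn.get("AuthnInstant")),
        "SessionNotOnOrAfter": parse_ts(authn.get("SessionNotOnOrAfter")),
    }

def lifetimes(xml_text):
    """The three durations the issue reports (5 min, 1 min, 10 hours)."""
    b = time_bounds(xml_text)
    return {
        "SCD.NotOnOrAfter": b["SCD.NotOnOrAfter"] - b["NotBefore"],
        "Conditions.NotOnOrAfter": b["Conditions.NotOnOrAfter"] - b["NotBefore"],
        "SessionNotOnOrAfter": b["SessionNotOnOrAfter"] - b["AuthnInstant"],
    }

def cookie_outlives_assertion(xml_text, cookie_minutes):
    """True if an SP cookie issued at AuthnInstant is still valid past Conditions.NotOnOrAfter."""
    b = time_bounds(xml_text)
    return b["AuthnInstant"] + timedelta(minutes=cookie_minutes) > b["Conditions.NotOnOrAfter"]
```

With the issue's timestamps, a 30-minute spCookie outlives the assertion's own NotOnOrAfter by almost 29 minutes, which is the gap the post describes.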