OpenLiberty / open-liberty

Open Liberty is a highly composable, fast to start, dynamic application server runtime environment
https://openliberty.io
Eclipse Public License 2.0

SSO: There is no way to set spCookie expiry time it's always 30 minutes #26078

Open uniquejava opened 1 year ago

uniquejava commented 1 year ago

Hello everyone,

I am using Keycloak as my IDP server, and Liberty (I tried both 22.0.0.13 and 23.0.0.8).

Here is my server.xml

<!-- https://www.ibm.com/docs/en/was-liberty/base?topic=liberty-configuring-saml-web-browser-sso-in -->
<samlWebSso20 enabled="true" id="defaultSP" disableLtpaCookie="true" nameIDFormat="email"
                  inboundPropagation="none"
                  mapToUserRegistry="No"
                  groupIdentifier="groups"
                  spCookieName="awagSpCookie"
                  sessionNotOnOrAfter="5m"
                  wantAssertionsSigned="false" httpsRequired="false" spLogout="true"
/>

<httpSession cookieName="AWAGSESSIONID" cookieMaxAge="2m" />

Please just ignore sessionNotOnOrAfter=5m; according to the documentation and my experiment, it's useless in this case, as the IDP SAML token specifies SessionNotOnOrAfter as 10 hours from that moment.

But per my observation from Chrome dev tools, the spCookie expires after 30 minutes.

Screenshot 1 (Starting point)

Request the SP backend API right after login by clicking the Search button.

At the beginning, we can see spCookie and JSESSIONID (I renamed it to AWAGSESSIONID).


Screenshot 2 (After 2 minutes)

Request the SP backend API after 2 minutes by clicking the Search button again.

We can see JSESSIONID (AWAGSESSIONID) disappeared; this shows that httpSession cookieMaxAge=2m worked.


Screenshot 3 (After 30 minutes)

Request the SP backend API after 30 minutes by clicking the Search button one last time.

We can see the SP server (Liberty) forced the browser to clear the spCookie.

This is where I am not clear: nowhere did I set this spCookie timeout to 30 minutes.

And how can I specify this spCookie timeout (expiry time)?

uniquejava commented 1 year ago

This might relate to https://github.com/OpenLiberty/open-liberty/issues/24024#issuecomment-1402307106

As @arunavemulapalli commented:

We take the NotOnOrAfter in <Conditions> as the token expiration (this is per SAML assertion spec)

Here is my IDP SAML Response:

<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
    <saml:SubjectConfirmationData InResponseTo="_vi3jXE5jtVik7wO9TcgH8t3ck0APxd0j" NotOnOrAfter="2023-08-29T09:17:58.697Z" Recipient="https://localhost:9443/ibm/saml20/defaultSP/acs"></saml:SubjectConfirmationData>
   </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2023-08-29T09:12:58.697Z" NotOnOrAfter="2023-08-29T09:13:58.697Z">
   <saml:AudienceRestriction>
    <saml:Audience>https://localhost:9443/ibm/saml20/defaultSP</saml:Audience>
   </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AuthnStatement AuthnInstant="2023-08-29T09:13:00.698Z" SessionIndex="658d7fb6-7e05-4a50-9fe2-80ed6a8afaca::33dcd335-e4d3-4d71-93ba-7ba59083ddda" SessionNotOnOrAfter="2023-08-29T19:13:00.698Z">
   <saml:AuthnContext>
    <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml:AuthnContextClassRef>
   </saml:AuthnContext>
  </saml:AuthnStatement>

From this SAML token, I found this information:

SubjectConfirmationData.NotOnOrAfter = 5 min
Conditions.NotOnOrAfter  = 1 min
AuthnStatement.SessionNotOnOrAfter = 10 hours

It seems Open Liberty does not use Conditions.NotOnOrAfter as the spCookie expiry time; it should be 1 minute according to the SAML response, but for now it's 30 minutes.

From my understanding, plus the comment on the sessionNotOnOrAfter attribute in server.xml,

sessionNotOnOrAfter: Indicates an upper bound on SAML session durations, after which the Liberty SP should ask the user to re-authenticate to the IdP

Open Liberty might use the AuthnStatement.SessionNotOnOrAfter value as the SSO token expiration time, or could we have a separate attribute so we can customize it?

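The following is an added example, not code from this issue and not Open Liberty's implementation. It parses the timing attributes quoted above out of a SAML 2.0 assertion and tabulates the three windows the reporter lists (Conditions.NotOnOrAfter, bearer SubjectConfirmationData.NotOnOrAfter, AuthnStatement.SessionNotOnOrAfter), then shows what a conservative SP would stamp on its session cookie: the earliest of the assertion's own bounds and the SP's configured cap. The `<saml:Assertion>` wrapper, `Issuer`, `NameID`, `ID` and `SessionIndex` values in the sample are constructed to make the fragment well-formed; the `parse_duration` helper and its ms/s/m/h/d units are an assumption modelled on the `5m`/`2m` values in the server.xml above, not a Liberty API. The 30-minute behaviour the issue reports is not reproduced here; the point is which bound an SP should never exceed.

```python
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample: timing attributes are the ones quoted in the issue;
# Assertion wrapper, Issuer, NameID, ID and SessionIndex are assumptions.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_constructed-example" Version="2.0" IssueInstant="2023-08-29T09:12:58.697Z">
  <saml:Issuer>https://idp.example.test/realms/demo</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">user@example.test</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData NotOnOrAfter="2023-08-29T09:17:58.697Z" Recipient="https://localhost:9443/ibm/saml20/defaultSP/acs"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2023-08-29T09:12:58.697Z" NotOnOrAfter="2023-08-29T09:13:58.697Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://localhost:9443/ibm/saml20/defaultSP</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AuthnStatement AuthnInstant="2023-08-29T09:13:00.698Z" SessionIndex="constructed-session-index" SessionNotOnOrAfter="2023-08-29T19:13:00.698Z">
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml:AuthnContextClassRef>
    </saml:AuthnContext>
  </saml:AuthnStatement>
</saml:Assertion>"""

_DURATION_UNITS = {"ms": 0.001, "s": 1, "m": 60, "h": 3600, "d": 86400}


def parse_duration(text):
    """Parse a server.xml-style duration such as '5m', '2m' or '1h30m'.
    Assumption: units ms/s/m/h/d, concatenated without spaces."""
    parts = re.findall(r"(\d+)(ms|s|m|h|d)", text)
    if not parts or "".join(n + u for n, u in parts) != text.strip():
        raise ValueError(f"unrecognised duration: {text!r}")
    return timedelta(seconds=sum(int(n) * _DURATION_UNITS[u] for n, u in parts))


def parse_instant(value):
    """SAML xs:dateTime values are UTC with a trailing 'Z'."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def extract_timing(assertion_xml):
    """Pull the five instants an SP needs out of the assertion."""
    root = ET.fromstring(assertion_xml)
    cond = root.find("saml:Conditions", NS)
    scd = root.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    authn = root.find("saml:AuthnStatement", NS)
    if cond is None or scd is None or authn is None:
        raise ValueError("assertion lacks Conditions, bearer SubjectConfirmationData or AuthnStatement")
    session_end = authn.get("SessionNotOnOrAfter")  # optional in the schema
    return {
        "not_before": parse_instant(cond.get("NotBefore")),
        "conditions_end": parse_instant(cond.get("NotOnOrAfter")),
        "bearer_end": parse_instant(scd.get("NotOnOrAfter")),
        "authn_instant": parse_instant(authn.get("AuthnInstant")),
        "session_end": parse_instant(session_end) if session_end else None,
    }


def validity_windows(timing):
    """Each bound in seconds, measured the way the issue tabulates them:
    assertion windows from NotBefore, the session window from AuthnInstant."""
    out = {
        "conditions": (timing["conditions_end"] - timing["not_before"]).total_seconds(),
        "bearer": (timing["bearer_end"] - timing["not_before"]).total_seconds(),
    }
    if timing["session_end"] is not None:
        out["session"] = (timing["session_end"] - timing["authn_instant"]).total_seconds()
    return out


def sp_session_deadline(timing, configured_max=None):
    """Deadline a conservative SP would put on its session cookie: the earliest
    of Conditions.NotOnOrAfter, SessionNotOnOrAfter (when present) and
    AuthnInstant + the SP's own configured cap. Returns (deadline, source)."""
    candidates = {"Conditions.NotOnOrAfter": timing["conditions_end"]}
    if timing["session_end"] is not None:
        candidates["AuthnStatement.SessionNotOnOrAfter"] = timing["session_end"]
    if configured_max is not None:
        candidates["sp configured max"] = timing["authn_instant"] + parse_duration(configured_max)
    source = min(candidates, key=candidates.get)
    return candidates[source], source


def assertion_acceptable(timing, now, skew=timedelta(seconds=0)):
    """ACS-side check: a bearer assertion is usable only between NotBefore and
    the earlier of the Conditions and bearer bounds, allowing a small skew."""
    end = min(timing["conditions_end"], timing["bearer_end"])
    return timing["not_before"] - skew <= now < end + skew


if __name__ == "__main__":
    t = extract_timing(SAMPLE_ASSERTION)
    for name, secs in validity_windows(t).items():
        print(f"{name:<11}{secs:>8.0f} s")
    deadline, source = sp_session_deadline(t, configured_max="5m")
    print("SP session deadline:", deadline.isoformat(), "from", source)
```

Run as a script, the table reproduces the reporter's figures (60 s, 300 s, 36000 s), and the session deadline comes from Conditions.NotOnOrAfter rather than from the configured 5m cap, which is the ordering the quoted maintainer comment describes. Pass a shorter cap such as `"30s"` and the SP's own cap wins instead; the assertion's bounds only ever shorten the session, never extend it.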