What is the use of WebSSOProfileConsumerImpl.setMaxAuthenticationAge in Spring Security? Do I need to set its value explicitly? http://docs.spring.io/spring-security-saml/docs/current/api/org/springframework/security/saml/websso/WebSSOProfileConsumerImpl.html
The system allows users to single sign-on for up to 7200 seconds since their initial authentication with the IDP (based on the value AuthInstance of the Authentication statement). Some IDPs allow users to stay authenticated for longer periods than this, and you might need to change the default value by setting maxAuthenticationAge of the WebSSOProfileConsumerImpl bean.
Read this: http://docs.spring.io/spring-security-saml/docs/current/reference/html/configuration-advanced.html

Soniya Chavan
- Thanks, that was helpful. – bigb Nov 17 '16 at 16:44
- This is bonkers, and by that I mean the design of spring-security-saml. There is a perfect mechanism for this in `sessionNotOnOrAfter`. If the SP does not trust an authentication that was made more than 7200 seconds ago, and asks the IdP for a new one, and gets *another* "old" assertion, you'll end up with a 403. This is badly broken behaviour by spring-security-saml. It should be fixed. – girgen Feb 27 '19 at 15:09
- It seems that this is a global configuration. Would it be possible to configure it based on the IdP? – duncanportelli Nov 04 '19 at 11:04
- @duncanportelli no, you'd have to extend spring-security-saml (WebSSOProfileConsumerImpl) and implement it – George Stanchev Jun 10 '22 at 22:07
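The per-IdP variant George Stanchev points to, as an added example that is not code from the thread or from spring-security-saml itself. It assumes the library's protected hook `verifyAuthenticationStatement(AuthnStatement, RequestedAuthnContext, SAMLMessageContext)` and its `getResponseSkew()` accessor as found in spring-security-saml 1.0.x, and that the bean's global `maxAuthenticationAge` is set to the most permissive per-IdP value so the subclass only ever tightens the limit for a given IdP entity ID; the class name and the `maxAgePerIdp` map are hypothetical.

```java
import java.util.Map;
import org.joda.time.DateTime;
import org.opensaml.saml2.core.AuthnStatement;
import org.opensaml.saml2.core.RequestedAuthnContext;
import org.springframework.security.authentication.CredentialsExpiredException;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.saml.context.SAMLMessageContext;
import org.springframework.security.saml.websso.WebSSOProfileConsumerImpl;

/**
 * Hypothetical consumer that applies a per-IdP ceiling on the age of the
 * assertion's AuthnInstant, on top of the global maxAuthenticationAge.
 * Register it as the webSSOprofileConsumer bean in place of the stock class.
 */
public class PerIdpAuthnAgeConsumer extends WebSSOProfileConsumerImpl {

    /** IdP entity ID -> maximum accepted authentication age in seconds (constructed per deployment). */
    private final Map<String, Long> maxAgePerIdp;

    public PerIdpAuthnAgeConsumer(Map<String, Long> maxAgePerIdp) {
        this.maxAgePerIdp = maxAgePerIdp;
    }

    @Override
    protected void verifyAuthenticationStatement(AuthnStatement auth,
                                                 RequestedAuthnContext requestedAuthnContext,
                                                 SAMLMessageContext context)
            throws AuthenticationException {
        // The IdP that issued the assertion being consumed.
        String idp = context.getPeerEntityId();
        Long limit = maxAgePerIdp.get(idp);
        DateTime authnInstant = auth.getAuthnInstant();
        if (limit != null && authnInstant != null) {
            // Oldest AuthnInstant still accepted from this IdP; getResponseSkew()
            // is the bean's clock-skew allowance in seconds (assumed accessor).
            DateTime oldest = new DateTime().minusSeconds((int) (limit + getResponseSkew()));
            if (authnInstant.isBefore(oldest)) {
                throw new CredentialsExpiredException("Authentication at " + authnInstant
                        + " from " + idp + " is older than the " + limit + "s allowed for this IdP");
            }
        }
        // Delegate so the global maxAuthenticationAge, SessionNotOnOrAfter and
        // AuthnContext checks of the stock implementation still run.
        super.verifyAuthenticationStatement(auth, requestedAuthnContext, context);
    }
}
```

Because the override only rejects, an IdP absent from the map is still bounded by the bean's global maxAuthenticationAge, and no IdP can be granted more than that global value.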