How is expiration of the token/cookie determined?

Question

I'm using the 'Sustainsys.Saml2' package for creating an SSO flow with an IDP.

The authentication cookie has no visible "Expires /Max-Age" in the browser but instead it shows 'Session'. This way i'm not sure when a user's token expires.

Our application authorizes users based on claims that are in the fedAuth token. Those claims would correspond to membership of certain AD groups. When the user gets removed from the AD group i want the application to respond as quickly as possible to invalidate the cookie or token so that the user's access would be denied.

How is the expiration of the cookie determined? Or where can i configure it? Or is there another solution that fits my needs?

Thanks in advance!

score 0 · Answer 1 · answered Oct 10 '22 at 15:24

The session length is not handled by the Sustainsys.Saml2 package, but by the appropriate cookie package for the environment you are using.

Sustainsys.Saml2.HttpModule - System.IdentityModel.Services.SessionAuthenticationModule.
Sustainsys.Saml2.Mvc - System.IdentityModel.Services.SessionAuthenticationModule.
Sustainsys.Saml2.Owin - Microsoft.Owin.Security.Cookies
Sustainsys.Saml2.AspNetCore2 - Microsoft.AspNetCore.Authentication.Cookies

How is expiration of the token/cookie determined?

1 Answers1