I have projects using SAML2 to authenticate against an ADFS server. We get sent into a redirect auth flow to the ADFS server every hour, no matter how much we use the application.
We have set config.setMaximumAuthenticationLifetime(36000), i.e. 10 hours, but this still happens.
Then I noticed the notOnOrAfter was only 1 hour after login time, so now we have also updated the Relying Party Trust's token lifetime to 10 hours on the ADFS server. We now get a proper profile, with the notOnOrAfter property set 10 hours into the future.
But we still get sent to the ADFS server once every hour in our application.
I can't find anything in the SAML config or client to hint that I should set any other properties. I would have thought that the token lifetime and the setMaximumAuthenticationLifetime, set to the same value, would stop the redirection to the ADFS server every hour.
Have I completely misinterpreted this feature, or is it not working as intended?
This is happening in:
play - 2.7.3
pac4j-saml - 3.8.2
play-pac4j - 8.0.1
Will verify with a 4.x.x and 10.x.x as soon as possible.
Best regards, Martin