Bug 49503

Summary: Make Idp session timeout configurable
Product: UCS
Reporter: Erik Damrose <damrose>
Component: SAML
Assignee: Erik Damrose <damrose>
Status: CLOSED FIXED
QA Contact: Florian Best <best>
Severity: normal
Priority: P5
CC: grandjean, luft, requate, troeder
Version: UCS 4.4
Target Milestone: UCS 4.4-0-errata
Hardware: Other
OS: Linux
What kind of report is it?: Bug Report
What type of bug is this?: 5: Major Usability: Impairs usability in key scenarios
Who will be affected by this bug?: 2: Will only affect a few installed domains
How will those affected feel about the bug?: 2: A Pain – users won’t like this once they notice it
User Pain: 0.114
Enterprise Customer affected?:
School Customer affected?: Yes
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number: 2019062321000363
Bug group (optional):
Max CVSS v3 score:

Description Erik Damrose univentionstaff 2019-05-20 09:39:07 CEST
When a user authenticates at our identity provider, a SAML assertion is created for the service provider. In the assertion, an attribute controls how long the session is valid. Users have to reauthenticate after the timeout.

This is currently hardcoded to 8 hours in /etc/simplesamlphp/config.php. We should make it configurable by UCR.

/etc/simplesamlphp/config.php:
'session.duration'              =>  8 * (60*60), // 8 hours
Comment 4 Arvid Requate univentionstaff 2019-06-03 15:58:08 CEST
No Ticket number, resetting "School Customer affected".
Comment 5 Erik Damrose univentionstaff 2019-06-25 14:21:53 CEST
db476fd Make IdP session duration configurable with UCR saml/idp/session-duration. The default value is raised from 8 to 12 hours
Comment 6 Erik Damrose univentionstaff 2019-06-25 14:26:28 CEST
8b13fb7 yaml
Comment 7 Florian Best univentionstaff 2019-06-26 12:07:33 CEST
OK: session duration can be set via UCR variable
OK: UCS variable name, description[den/de]
OK: update default from 8 hours to 12 hours
OK: YAML
Comment 8 Arvid Requate univentionstaff 2019-06-26 17:42:56 CEST
<http://errata.software-univention.de/ucs/4.4/163.html>
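
Added example, not part of the bug report or of Univention's code: a small audit check that reads the session limit out of an assertion and compares it with the configured duration. It assumes the attribute the description refers to is SessionNotOnOrAfter on the assertion's AuthnStatement; the sample assertion, issuer URL and function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample: a trimmed, unsigned assertion as an IdP with a 12-hour
# session duration might issue it. Not captured from a real system.
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                ID="_constructed" Version="2.0" IssueInstant="2019-06-26T10:00:00Z">
  <saml:Issuer>https://idp.example.test/metadata</saml:Issuer>
  <saml:AuthnStatement AuthnInstant="2019-06-26T10:00:00Z"
                       SessionNotOnOrAfter="2019-06-26T22:00:00Z"
                       SessionIndex="_constructed-session"/>
</saml:Assertion>
"""

def _parse_instant(value):
    """Parse a SAML UTC timestamp (xs:dateTime ending in Z), ignoring fractions."""
    base = value.rstrip("Z").split(".")[0]
    return datetime.strptime(base, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)

def session_lifetime(assertion_xml):
    """Return SessionNotOnOrAfter - AuthnInstant, or None if no limit is set."""
    # Audit helper only: it inspects timing and does not validate the signature.
    root = ET.fromstring(assertion_xml)
    stmt = root.find("saml:AuthnStatement", SAML_NS)
    if stmt is None or stmt.get("AuthnInstant") is None:
        raise ValueError("assertion has no usable AuthnStatement")
    end = stmt.get("SessionNotOnOrAfter")
    if end is None:
        return None
    return _parse_instant(end) - _parse_instant(stmt.get("AuthnInstant"))

def check_policy(assertion_xml, max_hours):
    """Return (ok, lifetime); a missing limit fails, since the SP would
    then pick its own session length instead of the IdP's."""
    lifetime = session_lifetime(assertion_xml)
    if lifetime is None:
        return False, None
    return lifetime <= timedelta(hours=max_hours), lifetime

if __name__ == "__main__":
    for limit in (8, 12):
        print(limit, check_policy(SAMPLE_ASSERTION, limit))
```
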