Bug 49503 – Make Idp session timeout configurable

Bug 49503 - Make Idp session timeout configurable


Summary:	Make Idp session timeout configurable

Status:	CLOSED FIXED

Product:	UCS
Classification:	Unclassified
Component:	SAML
Version:	UCS 4.4
Hardware:	Other Linux

Importance:	P5 normal (vote)
Target Milestone:	UCS 4.4-0-errata
Assigned To:	Erik Damrose
QA Contact:	Florian Best

URL:
Keywords:

Depends on:
Blocks:
	Show dependency tree / graph

Reported:	2019-05-20 09:39 CEST by Erik Damrose
Modified:	2019-06-26 17:42 CEST (History)
CC List:	4 users (show)

See Also:
What kind of report is it?:	Bug Report
What type of bug is this?:	5: Major Usability: Impairs usability in key scenarios
Who will be affected by this bug?:	2: Will only affect a few installed domains
How will those affected feel about the bug?:	2: A Pain – users won’t like this once they notice it
User Pain:	0.114
Enterprise Customer affected?:
School Customer affected?:	Yes
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:	2019062321000363
Bug group (optional):
Max CVSS v3 score:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Erik Damrose

2019-05-20 09:39:07 CEST

When a user authenticates at our identity provider a saml assertion is created for the service provider. In the assertion, an attribute controls how long the session is valid. Users have to reauthenticate after the timeout.

This is currently hardcoded to 8 hours in /etc/simplesamlphp/config.php. We should make it configurable by UCR.

/etc/simplesamlphp/config.php:
'session.duration'              =>  8 * (60*60), // 8 hours

Comment 1 Daniel Tröder

2019-05-20 10:44:49 CEST

Requested here: https://help.univention.com/t/office-365-connector-sign-in-required-every-day/12135

Comment 3 Stephan Luft

2019-06-03 13:50:17 CEST

Please have in mind, that the Office365 services have their own time out configuration: https://docs.microsoft.com/de-de/office365/enterprise/session-timeouts?redirectSourcePath=%252fen-us%252farticle%252fsession-timeouts-for-office-365-37a5c116-5b07-4f70-8333-5b86fd2c3c40#session-times-for-office-365-services

Comment 4 Arvid Requate

2019-06-03 15:58:08 CEST

No Ticket number, resetting "School Customer affected".

Comment 5 Erik Damrose

2019-06-25 14:21:53 CEST

db476fd Make IdP session duration configurable with UCR saml/idp/session-duration. The default value is raised from 8 to 12 hours

Comment 6 Erik Damrose

2019-06-25 14:26:28 CEST

8b13fb7 yaml

Comment 7 Florian Best

2019-06-26 12:07:33 CEST

OK: session duration can be set via UCR varialbe
OK: UCS variable name, description[den/de]
OK: update default from 8 hours to 12 hours
OK: YAML

Comment 8 Arvid Requate

2019-06-26 17:42:56 CEST

<http://errata.software-univention.de/ucs/4.4/163.html>