Requirements for Session Management in Identity Federations & Proposal for Global Idle Timeout (draft)

Terminating unused or long-running user sessions is an established security policy. In environments with medium or high security requirements, idle timeout, explicit logout and user revocation are mandatory security controls.

In federations a common pattern is that a Service Provider (SP) creates a local session when it consumes an authentication assertion from an Identity Provider (IdP). As there is no global session state shared between the IdP and the SPs, a number of issues arise:

  • Terminating the IdP session has no immediate effect on the SP sessions.

  • Single Logout (SLO) is difficult in both the front-channel and the back-channel variant, for several reasons. The Shibboleth Wiki provides a good overview of the issues with SLO.

  • If short idle timeouts are required, users are forced to re-authenticate frequently, because the idle timers are not reset globally.
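The following simulation is an added illustration of the three issues above; it is not part of the draft. It models an IdP and two SPs that each keep an independent session with its own idle timer (the timeouts of 600 s and 300 s, the SP names and the request pattern are assumed): steady activity at one SP keeps only that SP's session alive, the IdP session and the other SP's session idle out, and terminating the IdP session leaves the remaining SP session untouched.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Session:
    idle_timeout: int   # seconds of inactivity before the session expires
    last_activity: int  # clock value (seconds) of the last request seen
    active: bool = True

    def alive(self, now: int) -> bool:
        return self.active and now - self.last_activity < self.idle_timeout


class Federation:
    """IdP plus SPs; every party keeps its own session, nothing is shared."""

    def __init__(self, idp_timeout: int, sp_timeout: int) -> None:
        self.idp_timeout, self.sp_timeout = idp_timeout, sp_timeout
        self.idp: Optional[Session] = None
        self.sps: Dict[str, Session] = {}

    def login_idp(self, now: int) -> None:
        self.idp = Session(self.idp_timeout, now)

    def request(self, sp: str, now: int) -> bool:
        """User request to an SP; True if served by a live local session or
        by a fresh assertion from a live IdP session, False if re-auth is needed."""
        sess = self.sps.get(sp)
        if sess and sess.alive(now):
            sess.last_activity = now        # only this SP's idle timer is reset
            return True
        if self.idp and self.idp.alive(now):
            self.idp.last_activity = now    # IdP timer is reset only on SSO
            self.sps[sp] = Session(self.sp_timeout, now)
            return True
        return False

    def logout_idp(self) -> None:
        if self.idp:
            self.idp.active = False         # SP sessions are not informed

    def live_sessions(self, now: int) -> List[str]:
        return sorted(n for n, s in self.sps.items() if s.alive(now))


def scenario() -> dict:
    """Constructed run: user logs in, then works only at sp-a for 20 minutes."""
    fed = Federation(idp_timeout=600, sp_timeout=300)
    fed.login_idp(0)
    fed.request("sp-a", 0)
    fed.request("sp-b", 0)
    for t in range(100, 1201, 100):         # continuous activity at sp-a only
        fed.request("sp-a", t)
    result = {"live_at_1200": fed.live_sessions(1200),        # ['sp-a']
              "idp_alive_at_1200": fed.idp.alive(1200),       # False: idled out
              "sp_b_served": fed.request("sp-b", 1200)}       # False: re-auth
    fed.logout_idp()
    result["live_after_idp_logout"] = fed.live_sessions(1250)  # ['sp-a'] survives
    return result
```

Although the user was active the whole time, the request to sp-b at t=1200 fails because neither sp-b nor the IdP saw that activity, and the IdP logout does not end the sp-a session.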