[keycloak-user] SAML2.0: support for SessionNotOnOrAfter

Dmitry Telegin dt at acutus.pro
Mon Jul 23 12:13:44 EDT 2018


Wow, I should have grepped the ML archives first, not the code :-D

Basically, that's it: as a quick fix, try a custom protocol mapper; as a
long-term solution, you could revive that abandoned PR (rebase to
master, add tests, check everything and resubmit).

Good luck! :)
Dmitry

On Mon, 2018-07-23 at 10:30 +0300, Leonid Rozenblyum wrote:
> Thanks for the great explanation!
> Actually I've found 1 more thread related to this question:
> http://lists.jboss.org/pipermail/keycloak-user/2018-May/thread.html#14023
> 
> 
> On Mon, Jul 23, 2018 at 4:48 AM Dmitry Telegin <dt at acutus.pro> wrote:
> > Hi Leonid,
> > 
> > Grepping the Keycloak code shows that it does "know" about
> > SessionNotOnOrAfter, that means it is able to parse it from XML and
> > get/set the value in the model. But that's all, Keycloak doesn't
> > actually manipulate this attribute in any way. Seems like a bug /
> > missing feature to me, but let's see what the Keycloak devs say.
> > 
> > Meanwhile, you could implement a custom ProtocolMapper to populate
> > the SessionNotOnOrAfter attribute. (This could have been even easier
> > had the script mapper existed for SAML, see KEYCLOAK-5520)
> > 
> > Cheers,
> > Dmitry Telegin
> > CTO, Acutus s.r.o.
> > Keycloak Consulting and Training
> > 
> > Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
> > +42 (022) 888-30-71
> > E-mail: info at acutus.pro
> > 
> > On Fri, 2018-07-20 at 11:16 +0300, Leonid Rozenblyum wrote:
> > > Hello.
> > > Does Keycloak support the attribute SessionNotOnOrAfter based on
> > > realm settings of session timeout? Maybe some other way to inform
> > > the Service Provider about the desired session end time?
> > 
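
An added example, not part of the original thread and not Keycloak code: how a service provider could bound its local session by SessionNotOnOrAfter, including the case described above where the IdP omits the attribute. The function names, the constructed sample assertion and the 8-hour local cap are assumptions.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}


def sample_assertion(session_not_on_or_after=None):
    """Constructed sample assertion, not captured from a real IdP."""
    attr = ""
    if session_not_on_or_after:
        attr = f' SessionNotOnOrAfter="{session_not_on_or_after}"'
    return (
        '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"'
        ' ID="_constructed" Version="2.0" IssueInstant="2018-07-23T08:00:00Z">'
        '<saml:AuthnStatement AuthnInstant="2018-07-23T08:00:00Z"'
        f' SessionIndex="constructed-idx"{attr}/>'
        "</saml:Assertion>"
    )


def parse_instant(value):
    """Parse a SAML xs:dateTime; SAML times are UTC, so naive values are treated as UTC."""
    parsed = datetime.fromisoformat(value.strip().replace("Z", "+00:00"))
    return parsed if parsed.tzinfo else parsed.replace(tzinfo=timezone.utc)


def sp_session_expiry(assertion_xml, now, local_max=timedelta(hours=8)):
    """Return (expiry, source) for the SP session created from this assertion.

    Assumes the assertion's signature and conditions were already validated
    by the SP's SAML library; this only handles the session bound.
    """
    root = ET.fromstring(assertion_xml)
    local_limit = now + local_max
    bounds = [
        parse_instant(stmt.get("SessionNotOnOrAfter"))
        for stmt in root.iterfind(".//saml:AuthnStatement", NS)
        if stmt.get("SessionNotOnOrAfter")
    ]
    if not bounds:
        # The situation in the thread: the IdP sent no SessionNotOnOrAfter,
        # so only the SP's own policy limits the session.
        return local_limit, "local-policy"
    idp_limit = min(bounds)
    if idp_limit <= now:
        raise ValueError("SessionNotOnOrAfter is already in the past")
    # Never outlive the IdP's bound, and never exceed the local cap either.
    if idp_limit < local_limit:
        return idp_limit, "idp"
    return local_limit, "local-policy"
```

Logging the returned source per login shows how many sessions are bounded only by local policy because the IdP sent no SessionNotOnOrAfter.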

