Wow, I should have grepped the ML archives first, not the code :-D
Basically, that's it: as a quick fix, try a custom protocol mapper; as a
long-term solution, you could revive that abandoned PR (rebase to
master, add tests, check everything and resubmit).
Good luck! :)
Dmitry
On Mon, 2018-07-23 at 10:30 +0300, Leonid Rozenblyum wrote:
Thanks for the great explanation!
Actually I've found 1 more thread related to this question:
http://lists.jboss.org/pipermail/keycloak-user/2018-May/thread.html#14023
On Mon, Jul 23, 2018 at 4:48 AM Dmitry Telegin <dt(a)acutus.pro> wrote:
> Hi Leonid,
>
> Grepping the Keycloak code shows that it does "know" about
> SessionNotOnOrAfter, that means it is able to parse it from XML and
> get/set the value in the model. But that's all, Keycloak doesn't
> actually manipulate this attribute in any way. Seems like a bug /
> missing feature to me, but let's see what the Keycloak devs say.
>
> Meanwhile, you could implement a custom ProtocolMapper to populate the
> SessionNotOnOrAfter attribute. (This could have been even easier had
> the script mapper existed for SAML, see KEYCLOAK-5520)
>
> Cheers,
> Dmitry Telegin
> CTO, Acutus s.r.o.
> Keycloak Consulting and Training
>
> Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
> +42 (022) 888-30-71
> E-mail: info(a)acutus.pro
>
> On Fri, 2018-07-20 at 11:16 +0300, Leonid Rozenblyum wrote:
> > Hello.
> > Does Keycloak support the attribute SessionNotOnOrAfter based on realm
> > settings of session timeout? Maybe some other way to inform the Service
> > Provider about the desired session end time?