4:29 a.m.
Hi,
I have a question about user session expiration.
When the SSO Session Idle or SSO Session Max times are reached the auth
server will invalidate the user session. Will the clients that have
initiated these session be notified? Hence, are the clients logged out (via
the admin url) when the auth server expires a user session?
If not, is this a feature that will be implemented in coming releases ?
Best regards,
Rickard
5:15 a.m.
No, there is no notification in this case. Only if user or admin actively
logs out the session.
As access tokens have short expiration the applications would notice the
session idle in either case when trying to refresh the token, so I don't
think it's needed.
On 27 October 2016 at 11:29, Rickard Östergård <rickard.ostergard(a)gmail.com>
wrote:
Hi,
I have a question about user session expiration.
When the SSO Session Idle or SSO Session Max times are reached the auth
server will invalidate the user session. Will the clients that have
initiated these session be notified? Hence, are the clients logged out (via
the admin url) when the auth server expires a user session?
If not, is this a feature that will be implemented in coming releases ?
Best regards,
Rickard
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
8:23 a.m.
Interesting - and what of the SAML Use case? Typically SAML SP's are
going to consume the assertion and then establish a session with the
end user. Seems like a valid use case to notify these consumers so
that there aren't lingering sessions if their expiry happens to be
longer than the IDP.
On Thu, 2016-10-27 at 12:15 +0200, Stian Thorgersen wrote:
No, there is no notification in this case. Only if user or admin
actively
logs out the session.
As access tokens have short expiration the applications would notice
the
session idle in either case when trying to refresh the token, so I
don't
think it's needed.
On 27 October 2016 at 11:29, Rickard Östergård <rickard.ostergard@gma
il.com>
wrote:
>
> Hi,
>
> I have a question about user session expiration.
>
> When the SSO Session Idle or SSO Session Max times are reached the
> auth
> server will invalidate the user session. Will the clients that have
> initiated these session be notified? Hence, are the clients logged
> out (via
> the admin url) when the auth server expires a user session?
>
> If not, is this a feature that will be implemented in coming
> releases ?
>
> Best regards,
> Rickard
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
9:03 a.m.
It's not quite the solution you want, but the SAML spec supports having a
SesssionNotOnOrAfter attribute that indicates the max length of time an SP
should have the session last. Currently Keycloak isn't including this
attribute though (see my failed MR
https://github.com/keycloak/keycloak/pull/3250)
Jared
On Thu, Oct 27, 2016 at 9:23 AM, Josh Cain <jcain(a)redhat.com> wrote:
Interesting - and what of the SAML Use case? Typically SAML SP's
are
going to consume the assertion and then establish a session with the
end user. Seems like a valid use case to notify these consumers so
that there aren't lingering sessions if their expiry happens to be
longer than the IDP.
On Thu, 2016-10-27 at 12:15 +0200, Stian Thorgersen wrote:
> No, there is no notification in this case. Only if user or admin
> actively
> logs out the session.
>
> As access tokens have short expiration the applications would notice
> the
> session idle in either case when trying to refresh the token, so I
> don't
> think it's needed.
>
> On 27 October 2016 at 11:29, Rickard Östergård <rickard.ostergard@gma
> il.com>
> wrote:
>
> >
> > Hi,
> >
> > I have a question about user session expiration.
> >
> > When the SSO Session Idle or SSO Session Max times are reached the
> > auth
> > server will invalidate the user session. Will the clients that have
> > initiated these session be notified? Hence, are the clients logged
> > out (via
> > the admin url) when the auth server expires a user session?
> >
> > If not, is this a feature that will be implemented in coming
> > releases ?
> >
> > Best regards,
> > Rickard
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user(a)lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
> >
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
2967
days inactive
2967
days old
3 comments
4 participants
participants (4)
-
Jared Blashka -
Josh Cain -
Rickard Östergård -
Stian Thorgersen