It's not quite the solution you want, but the SAML spec supports having a
SessionNotOnOrAfter attribute that indicates the max length of time an SP
should have the session last. Currently Keycloak isn't including this
attribute though (see my failed MR
On Thu, Oct 27, 2016 at 9:23 AM, Josh Cain <jcain(a)redhat.com> wrote:
Interesting - and what of the SAML Use case? Typically SAML SP's
going to consume the assertion and then establish a session with the
end user. Seems like a valid use case to notify these consumers so
that there aren't lingering sessions if their expiry happens to be
longer than the IDP.
On Thu, 2016-10-27 at 12:15 +0200, Stian Thorgersen wrote:
> No, there is no notification in this case. Only if user or admin
> logs out the session.
> As access tokens have short expiration the applications would notice
> session idle in either case when trying to refresh the token, so I
> think it's needed.
> On 27 October 2016 at 11:29, Rickard Östergård <rickard.ostergard@gma
> > Hi,
> > I have a question about user session expiration.
> > When the SSO Session Idle or SSO Session Max times are reached the auth
> > server will invalidate the user session. Will the clients that have
> > initiated these sessions be notified? Hence, are the clients logged out
> > (via the admin url) when the auth server expires a user session?
> > If not, is this a feature that will be implemented in coming releases?
> > Best regards,
> > Rickard
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user(a)lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
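How an SP could honour the SessionNotOnOrAfter attribute mentioned at the top of this thread, as an added example that is not code from Keycloak or from any SP library: the local session ends at the earlier of the SP's own limit and the IdP's bound. It assumes the assertion has already passed signature and conditions validation; the function names and the sample assertion are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion (trimmed: signature, issuer and subject omitted).
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                ID="_constructed" Version="2.0" IssueInstant="2016-10-27T09:00:00Z">
  <saml:AuthnStatement AuthnInstant="2016-10-27T09:00:00Z"
                       SessionIndex="constructed-session"
                       SessionNotOnOrAfter="2016-10-27T09:30:00Z"/>
</saml:Assertion>
"""


def parse_saml_time(value):
    """Parse a SAML UTC dateTime, with or without fractional seconds."""
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%M:%S.%fZ"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"unsupported SAML dateTime: {value!r}")


def sp_session_expiry(assertion_xml, now, local_max):
    """Return the instant at which the SP must end its local session."""
    # Assumption: assertion_xml was signature-checked before reaching this point.
    root = ET.fromstring(assertion_xml)
    local_expiry = now + local_max
    bounds = [
        parse_saml_time(stmt.get("SessionNotOnOrAfter"))
        for stmt in root.iterfind(".//saml:AuthnStatement", SAML_NS)
        if stmt.get("SessionNotOnOrAfter")
    ]
    if not bounds:
        # The IdP sent no bound, so only the SP's own limit applies.
        return local_expiry
    idp_expiry = min(bounds)
    if idp_expiry <= now:
        raise ValueError("SessionNotOnOrAfter has passed; do not create a session")
    # Never let the SP session outlive the IdP session.
    return min(local_expiry, idp_expiry)
```
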