[security-dev] SP side Http session time-out period

Hi, If I used ServiceProviderAuthenticator as my SP side, once a valid assertion comes back from IDP, and SP checked the assertion and created the local HttpSession (it is an HttpSession, right ?), what is that session's time-out period ? Is it configurable ? Thanks, Adam