[keycloak-user] (no subject)

Jared Blashka jblashka at redhat.com
Thu Oct 27 10:03:52 EDT 2016


It's not quite the solution you want, but the SAML spec supports having a
SesssionNotOnOrAfter attribute that indicates the max length of time an SP
should have the session last. Currently Keycloak isn't including this
attribute though (see my failed MR
https://github.com/keycloak/keycloak/pull/3250)

Jared

On Thu, Oct 27, 2016 at 9:23 AM, Josh Cain <jcain at redhat.com> wrote:

> Interesting - and what of the SAML Use case?  Typically SAML SP's are
> going to consume the assertion and then establish a session with the
> end user.  Seems like a valid use case to notify these consumers so
> that there aren't lingering sessions if their expiry happens to be
> longer than the IDP.
> On Thu, 2016-10-27 at 12:15 +0200, Stian Thorgersen wrote:
> > No, there is no notification in this case. Only if user or admin
> > actively
> > logs out the session.
> >
> > As access tokens have short expiration the applications would notice
> > the
> > session idle in either case when trying to refresh the token, so I
> > don't
> > think it's needed.
> >
> > On 27 October 2016 at 11:29, Rickard Östergård <rickard.ostergard at gma
> > il.com>
> > wrote:
> >
> > >
> > > Hi,
> > >
> > > I have a question about user session expiration.
> > >
> > > When the SSO Session Idle or SSO Session Max times are reached the
> > > auth
> > > server will invalidate the user session. Will the clients that have
> > > initiated these session be notified? Hence, are the clients logged
> > > out (via
> > > the admin url) when the auth server expires a user session?
> > >
> > > If not, is this a feature that will be implemented in coming
> > > releases ?
> > >
> > > Best regards,
> > > Rickard
> > > _______________________________________________
> > > keycloak-user mailing list
> > > keycloak-user at lists.jboss.org
> > > https://lists.jboss.org/mailman/listinfo/keycloak-user
> > >
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>


More information about the keycloak-user mailing list