SessionNotOnOrAfter parameter Causing Timeout on SP

Document ID : KB000039475
Last Modified Date : 14/02/2018

Issue/Problem/Symptoms: 

- SiteMinder is acting as the IdP, with a third-party SP.

- SiteMinder generates the assertion with the SessionNotOnOrAfter parameter included.

- The SP consumes the assertion containing the SessionNotOnOrAfter parameter, which causes the SP to terminate the session after 5 min.

How can SessionNotOnOrAfter be turned off?

Environment:  

Policy Server version --> 12.5 CR02

Cause: 

N/A

Resolution/Workaround:

When the Policy Server IdP sends an assertion, by default it includes the SessionNotOnOrAfter parameter in the Authentication statement of the assertion. A third-party SP can use the SessionNotOnOrAfter value to set its own timeout values. The timeout values determine when a user session becomes invalid, at which point the user is sent to reauthenticate at the IdP.

The SessionNotOnOrAfter parameter is NOT to be confused with the NotOnOrAfter parameter used to determine assertion validity and skew time.

To customize the SessionNotOnOrAfter parameter:

  1. Log on to the UI.
  2. Select the Service Provider entry that you want to modify.
  3. Navigate to the Advanced tab.
  4. Select the Customize Validity duration in the Advanced SSO Configuration section of the dialog. The Customize Validity duration dialog displays.
  5. Select a value for the SP Session Validity Duration. The value that you enter is the value of the SessionNotOnOrAfter parameter in the assertion.

     The options are:

     • Use Assertion Validity --> Calculates the SessionNotOnOrAfter value that is based on the assertion validity duration.
     • Omit --> Instructs the IdP not to include the SessionNotOnOrAfter parameter in the assertion.
     • IDP Session --> Calculates the SessionNotOnOrAfter value that is based on the IdP session timeout. The timeout is configured in the IdP realm for the authentication URL. Using this option can synchronize the IdP and SP session timeout values.
     • Custom --> Lets you specify a custom value for the SessionNotOnOrAfter parameter in the assertion. If you select this option, enter a time in the Customize Assertion Session Duration field.

  6. Click OK to save the changes.
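
To confirm which option took effect, read both timestamps from an assertion captured after the change and compare them. The following is an added example, not SiteMinder code: it assumes a decoded, unencrypted SAML 2.0 assertion, and the sample XML, its values, and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from datetime import datetime

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML}

# Constructed sample (unsigned, trimmed); every value here is illustrative.
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed" IssueInstant="2018-02-14T10:00:00Z" Version="2.0">
  <saml:Issuer>idp.example.test</saml:Issuer>
  <saml:Conditions NotBefore="2018-02-14T09:59:00Z"
      NotOnOrAfter="2018-02-14T10:01:00Z"/>
  <saml:AuthnStatement AuthnInstant="2018-02-14T10:00:00Z"
      SessionIndex="_s1" SessionNotOnOrAfter="2018-02-14T10:05:00Z"/>
</saml:Assertion>"""


def parse_ts(value):
    """Parse a SAML UTC timestamp such as 2018-02-14T10:05:00Z; None passes through."""
    return None if value is None else datetime.fromisoformat(value.replace("Z", "+00:00"))


def seconds_after(start, end):
    """Whole seconds from start to end, or None if either timestamp is missing."""
    return None if start is None or end is None else int((end - start).total_seconds())


def session_limits(assertion_xml):
    """Return assertion validity and SP session lifetime, in seconds from IssueInstant."""
    root = ET.fromstring(assertion_xml)
    # Accept a bare Assertion or one wrapped in a samlp:Response.
    assertion = root if root.tag == "{%s}Assertion" % SAML else root.find(".//saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no cleartext saml:Assertion found (encrypted or not SAML 2.0)")
    issued = parse_ts(assertion.get("IssueInstant"))
    cond = assertion.find("saml:Conditions", NS)
    stmt = assertion.find("saml:AuthnStatement", NS)
    # Conditions/@NotOnOrAfter bounds how long the assertion itself may be accepted.
    validity_end = parse_ts(cond.get("NotOnOrAfter")) if cond is not None else None
    # AuthnStatement/@SessionNotOnOrAfter is what the SP may use as its session timeout.
    session_end = parse_ts(stmt.get("SessionNotOnOrAfter")) if stmt is not None else None
    return {
        "assertion_valid_seconds": seconds_after(issued, validity_end),
        "session_seconds": seconds_after(issued, session_end),  # None when omitted
    }


if __name__ == "__main__":
    print(session_limits(SAMPLE))
```

A `session_seconds` of `None` means the IdP omitted SessionNotOnOrAfter, so the SP falls back to its own session timeout.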