Wednesday, May 29, 2013

Configuring SSO session timeout in WSO2 Identity Server 4.5.0

One of the key features of WSO2 Identity Server is SAML2-based single sign-on (SSO). In Identity Server versions so far, the default SSO session lifetime is 10 hours, and this default expiry time cannot be changed to suit user needs. From WSO2 IS 4.5.0 onwards, the SSO session timeout can be configured at server start time.

This setting lives in the <IS_HOME>/repository/conf/identity.xml file under the SSOService element. Add the following entry under that element to set the SSO timeout explicitly.

<SSOService>
    <SessionTimeout>120</SessionTimeout>  <!-- Set the desired timeout value in seconds here. -->
</SSOService>


Save the configuration and restart the server. The SSO session now times out after the newly configured value, and a user may need to re-authenticate when logging back in after this timeout. This entry is optional in 'identity.xml': if no timeout is configured, the SSO session uses the default timeout of 10 hours (36000s).
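A configuration check for the setting described above, added here as an example (not code from the original post or from WSO2): it reads identity.xml content and reports the effective SSO session timeout, falling back to the 36000s default when SessionTimeout is absent. The function names, the max_allowed_s policy parameter and the sample XML with its namespace are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

DEFAULT_TIMEOUT_S = 36000  # 10-hour default stated in the post

# Constructed sample; the namespace URI is a placeholder, not WSO2's.
SAMPLE = """<Server xmlns="urn:example:identity">
  <SSOService>
    <SessionTimeout>120</SessionTimeout>  <!-- seconds -->
  </SSOService>
</Server>"""


def local(tag):
    """Strip an XML namespace prefix such as '{uri}SSOService'."""
    return tag.rsplit("}", 1)[-1]


def effective_sso_timeout(xml_text, max_allowed_s=None):
    """Return (seconds, source, findings) for identity.xml content."""
    root = ET.fromstring(xml_text)
    findings = []
    # Match by local name so a namespaced config file is handled too.
    values = [
        child.text
        for el in root.iter() if local(el.tag) == "SSOService"
        for child in el if local(child.tag) == "SessionTimeout"
    ]
    if not values:
        seconds, source = DEFAULT_TIMEOUT_S, "default"
        findings.append("SessionTimeout not set; 10-hour default applies")
    else:
        if len(values) > 1:
            findings.append("multiple SessionTimeout entries; checking the first")
        raw = (values[0] or "").strip()
        # Do not guess how the server treats a malformed value; report it.
        if not raw.isdigit() or int(raw) == 0:
            raise ValueError(f"SessionTimeout is not a positive integer: {raw!r}")
        seconds, source = int(raw), "configured"
    # max_allowed_s is a hypothetical organisational limit, not a WSO2 setting.
    if max_allowed_s is not None and seconds > max_allowed_s:
        findings.append(f"{seconds}s exceeds policy maximum of {max_allowed_s}s")
    return seconds, source, findings


if __name__ == "__main__":
    print(effective_sso_timeout(SAMPLE, max_allowed_s=3600))
```

Running it against a file with no SessionTimeout entry and a max_allowed_s of 3600 reports both the fallback to the default and the policy violation.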

After configuring the SSO session expiry time, you can use this article to set up single sign-on with WSO2 Identity Server.

4 comments:

  1. Could you please let us know where I can download WSO2 Identity Server 4.5.0?

  2. Hi,

    The 4.5.0 final release is not out yet and it is expected to be released in mid July. The alpha version of WSO2 Identity Server 4.5.0 will be released within a few weeks and I will be pointing to the link here once it is available.

  3. Thanks for this information about the SSO. Save the configuration modifications and restart the server. Now the SSO session is timed out as the newly configured value and users may need to be re-authenticated once the session times out. It is not a must to have this entry in 'identity.xml' and if a timeout is not configured, the SSO session uses the '10 hours (36000s)' default timeout value.


    Single sign-on server

  4. Hi Ishara,
    Thanks for this article.
    I have a question: what happens when an SSO session timeout occurs? Will the IDP send a logout request to all other SPs, as happens when a SingleLogout request is sent by (one of) the SPs?
    I ask this question because I've implemented a Java filter that looks only at whether a "SAMLResponse" (that might contain SPLogoutRequest) or "IDPLogoutRequest" is present, and otherwise provides the resource to the user or authenticates them.
    In this scenario, if an SSO session timeout occurs, will I find out?
    Unfortunately at the moment I can't configure my wso2is to make a test because I don't have administrator privileges.
    Thanks in advance, greets!
