SAML response without expiration time

Time: 07-24

The code I work on uses a 3rd party IdP and uses the SAML token to access my API on the server side.

In a case where the 3rd party IdP's SAML response doesn't have an expiration time, does it mean the 3rd party IdP authenticates the user until the user performs a logout?

CodePudding user response:

Normally a SAML Assertion includes a

<saml2:Conditions NotBefore="2022-07-13T00:28:11.616Z"
                  NotOnOrAfter="2022-07-13T00:38:11.616Z">

This is the time span during which the assertion may be relied upon. It is valid during that period. If the condition does not exist, the provider is saying to rely on it at any time.

From a security point of view you should only trust the assertion for a small window of time to log in the user. So if NotOnOrAfter is not included, your application should pick a reasonably short time (10 minutes).

However, that is only the length of time that you are trusting that the IdP was able to properly validate the user. You then need to decide how long the user's session can remain logged in before you log them out or force another authentication request.

I believe that last part is the main part of your question, and that session maximum time is a decision you need to make for your application/API.
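The time-window check the answer describes, written out as an added example (not code from the answerer or from any SAML library): it reads NotBefore/NotOnOrAfter from the Conditions element and, when the IdP omits them, bounds the assertion to 10 minutes after its IssueInstant. The 3-minute clock-skew tolerance and the sample assertions are assumptions; signature, audience and replay checks are outside this snippet.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}
CLOCK_SKEW = timedelta(minutes=3)        # assumed tolerance for IdP/SP clock drift
FALLBACK_WINDOW = timedelta(minutes=10)  # the "reasonably short time" from the answer

def parse_saml_time(value):
    """Parse a SAML xs:dateTime; SAML 2.0 requires UTC with a trailing 'Z'."""
    if not value.endswith("Z"):
        raise ValueError("SAML timestamps must be UTC ('Z')")
    main, _, frac = value[:-1].partition(".")
    micros = int((frac + "000000")[:6]) if frac else 0
    return datetime.strptime(main, "%Y-%m-%dT%H:%M:%S").replace(
        tzinfo=timezone.utc, microsecond=micros)

def validity_window(assertion_xml):
    """Return (not_before, not_on_or_after) for an assertion, filling in
    missing Conditions attributes from IssueInstant and FALLBACK_WINDOW."""
    root = ET.fromstring(assertion_xml)
    issued = parse_saml_time(root.attrib["IssueInstant"])
    cond = root.find("saml2:Conditions", NS)   # None if the IdP omitted it
    attrs = cond.attrib if cond is not None else {}
    not_before = parse_saml_time(attrs["NotBefore"]) if "NotBefore" in attrs else issued
    if "NotOnOrAfter" in attrs:
        not_on_or_after = parse_saml_time(attrs["NotOnOrAfter"])
    else:
        not_on_or_after = issued + FALLBACK_WINDOW   # SP-imposed upper bound
    return not_before, not_on_or_after

def assertion_is_valid(assertion_xml, now):
    """Time-window check only: NotBefore is inclusive, NotOnOrAfter exclusive.
    Signature, audience and replay checks are separate and still required."""
    not_before, not_on_or_after = validity_window(assertion_xml)
    return (not_before - CLOCK_SKEW) <= now < (not_on_or_after + CLOCK_SKEW)

# Constructed sample assertions (signature and subject omitted for brevity).
WITH_CONDITIONS = """<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
  ID="_example1" Version="2.0" IssueInstant="2022-07-13T00:28:11.616Z">
  <saml2:Conditions NotBefore="2022-07-13T00:28:11.616Z"
                    NotOnOrAfter="2022-07-13T00:38:11.616Z"/>
</saml2:Assertion>"""
NO_CONDITIONS = """<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
  ID="_example2" Version="2.0" IssueInstant="2022-07-13T00:28:11.616Z"/>"""

if __name__ == "__main__":
    now = parse_saml_time("2022-07-13T00:45:00Z")   # 17 minutes after issue
    print(assertion_is_valid(WITH_CONDITIONS, now))  # False: past NotOnOrAfter
    print(assertion_is_valid(NO_CONDITIONS, now))    # False: past the 10-minute fallback
```

As the answer notes, passing this check only means the login event may be trusted; how long the resulting application session lives is a separate setting.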
