SSO Session Timeout works incorrectly

I'm trying to configure session timeout using WSO2 IS 5.1.0.
I have one Service Provider, which has a session timeout of 10 minutes.
I've configured the SSO session timeout to 10 minutes in WSO2 IS using the Management console, in the Resident Identity Provider section.

I don't know why, but the global configuration (<IS_HOME>/repository/conf/identity/identity.xml file under the <TimeConfig> element) doesn't work.

After the local session timeout, the user is redirected to the SSO login page, so it seems like the global session is invalidated. But if you type the app URL in the browser (again), the user is redirected to the login page, reauthenticated automatically, and redirected to the last visited page. Why does the user get to the SSO login page the first time, and not after that? The expected behavior is that the user shouldn't be reauthenticated after the global session has expired.

So, the scenario is:
- User goes to the Service Provider's home page and gets redirected to the SSO login page
- User logs in on the SSO login page
- After some time the SSO session expires
- The Service Provider's session expires as well: the user goes to some Service Provider page and gets redirected to the SSO login page (it seems like at this point the SSO session is somehow recreated)
- The user tries again to go to the Service Provider's page and is magically reauthenticated (because the session was recreated)

I would appreciate it if you could at least comment on this flow; I'm not sure if I understand how it works.

Taras Kohut asked Apr 29 '16 16:04


1 Answer

I tested the same with WSO2 IS 5.1.0, and the issue that you have noted exists. While going through it, I noted that this has also been caused by the issue noted at IDENTITY-4537 in the timestamp calculation logic. This has been fixed in the coming release, WSO2 IS 5.2.0.

Malithi Edirisinghe answered Sep 24 '22 18:09
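To make the flow in the question and the "timestamp calculation" remark in the answer concrete, here is an added toy model of an SSO session store with an idle timeout and an absolute timeout. It is constructed for this page and is not WSO2 code; the `ResurrectingSessionStore` class is a hypothetical defect pattern that reproduces the symptom described (first request after expiry lands on the login page, the retry is silently re-authenticated) and is not a claim about how IDENTITY-4537 is implemented. The `walk_scenario` helper, session ids and timestamps are all made up.

```python
"""Toy model of SSO session idle/absolute timeouts (constructed example, not WSO2 code)."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class SsoSession:
    user: str
    created_at: int   # epoch seconds at login
    last_access: int  # epoch seconds of the last successful validation


class SsoSessionStore:
    """Correct behaviour: an expired session is deleted and can never be refreshed."""

    def __init__(self, idle_timeout_sec: int, absolute_timeout_sec: int) -> None:
        self.idle_timeout_sec = idle_timeout_sec
        self.absolute_timeout_sec = absolute_timeout_sec
        self._sessions: Dict[str, SsoSession] = {}

    def login(self, sid: str, user: str, now: int) -> None:
        self._sessions[sid] = SsoSession(user, now, now)

    def validate(self, sid: str, now: int) -> Optional[str]:
        """Return the user for a live session, or None if it is missing or expired."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        idle_expired = now - s.last_access > self.idle_timeout_sec
        absolute_expired = now - s.created_at > self.absolute_timeout_sec
        if idle_expired or absolute_expired:
            del self._sessions[sid]      # invalidate for good; a retry must log in again
            return None
        s.last_access = now              # slide the idle window only on success
        return s.user


class ResurrectingSessionStore(SsoSessionStore):
    """Hypothetical defect: the idle timestamp is refreshed on every request,
    including the one that detected expiry, so the very next request passes."""

    def validate(self, sid: str, now: int) -> Optional[str]:
        s = self._sessions.get(sid)
        if s is None:
            return None
        idle_expired = now - s.last_access > self.idle_timeout_sec
        s.last_access = now              # bug: refreshed before the verdict is acted on
        if idle_expired:
            return None                  # user sees the login page once...
        return s.user                    # ...and is silently re-authenticated afterwards


def walk_scenario(store: SsoSessionStore) -> Tuple[Optional[str], Optional[str]]:
    """Replay the flow from the question against a store with a 10-minute idle timeout."""
    store.login("sid-1", "alice", now=0)
    first = store.validate("sid-1", now=660)    # 11 minutes idle: must fail
    second = store.validate("sid-1", now=665)   # retry a few seconds later: must still fail
    return first, second


if __name__ == "__main__":
    correct = walk_scenario(SsoSessionStore(idle_timeout_sec=600, absolute_timeout_sec=8 * 3600))
    buggy = walk_scenario(ResurrectingSessionStore(idle_timeout_sec=600, absolute_timeout_sec=8 * 3600))
    print("correct store:", correct)       # (None, None)
    print("resurrecting store:", buggy)    # (None, 'alice')
```

The defender's check this illustrates: after the SSO idle or absolute timeout has passed, a second request with the same session identifier must still be rejected; if it is accepted, the timestamp is being refreshed somewhere on the failure path, which is the class of bug the answer points at.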