SSO via ADFS: additional settings

From hilfma.at

maxAuthenticationAge: the system allows users to single sign-on for up to 7200 seconds (2 hours) after their initial authentication with the IDP (based on the AuthnInstant value of the authentication statement). Some IDPs allow users to stay authenticated for longer than this, so you might need to change the default value by setting the parameter maxAuthenticationAge.

maxAssertionTime: validity of assertions processed during the single sign-on process (based on the IssueInstant value of the assertion). The default value is 3000 seconds (50 minutes).

responseSkew: because the clocks of the IDP and SP machines may not be perfectly synchronized, a tolerance of 60 seconds is applied to time comparisons. The tolerance value (time skew) can be customized by setting the parameter responseSkew.

To put changes into effect, you can optionally set the following properties in the SAML configuration file on the server running Tagetik (see the Tagetik Server Configuration paragraph in the Tagetik SAML manual) to override the default values for the validity time intervals:

tgk.saml.maxAuthenticationAge=

tgk.saml.maxAssertionTime=

tgk.saml.responseSkew=

Some notes on these properties: The value is in seconds (90*24*3600 is possible). The value must be a valid positive number. There is no way to express an unlimited value.

Values can be set either in saml.config or as JAVA_OPTS in standalone.conf.bat, but mind the maximum length of environment variables in Windows (2047 or 8191 characters).
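How the three values interact can be checked before changing them. The following is an added example, not Tagetik code: it assumes the skew is applied at both ends of each window, and the function names and the sample timestamps are hypothetical.

```python
from datetime import datetime, timedelta, timezone

PREFIX = "tgk.saml."
# Defaults stated on this page, in seconds.
DEFAULTS = {"maxAuthenticationAge": 7200, "maxAssertionTime": 3000, "responseSkew": 60}

def load_overrides(text):
    """Parse tgk.saml.* property lines; an empty value keeps the default."""
    cfg = dict(DEFAULTS)
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        name = key[len(PREFIX):] if key.startswith(PREFIX) else ""
        if not sep or name not in cfg or not value.strip():
            continue
        seconds = int(value)  # raises ValueError for non-numeric input
        if seconds <= 0:
            raise ValueError(f"{key} must be a positive number of seconds")
        cfg[name] = seconds
    return cfg

def within_window(instant, now, max_age, skew):
    """True if instant is at most max_age old and not in the future, +/- skew."""
    oldest = now - timedelta(seconds=max_age + skew)
    newest = now + timedelta(seconds=skew)
    return oldest <= instant <= newest

def check_times(cfg, authn_instant, issue_instant, now):
    """Return the names of the limits that would reject this assertion."""
    skew = cfg["responseSkew"]
    failed = []
    if not within_window(authn_instant, now, cfg["maxAuthenticationAge"], skew):
        failed.append("maxAuthenticationAge")
    if not within_window(issue_instant, now, cfg["maxAssertionTime"], skew):
        failed.append("maxAssertionTime")
    return failed

# Constructed scenario: the user logged in at the IDP 8 hours ago and the
# IDP issued a fresh assertion 10 seconds ago from that existing session.
NOW = datetime(2024, 1, 10, 12, 0, 0, tzinfo=timezone.utc)
AUTHN_INSTANT = NOW - timedelta(hours=8)
ISSUE_INSTANT = NOW - timedelta(seconds=10)

if __name__ == "__main__":
    print(check_times(load_overrides(""), AUTHN_INSTANT, ISSUE_INSTANT, NOW))
    longer = "tgk.saml.maxAuthenticationAge=43200"  # 12 hours
    print(check_times(load_overrides(longer), AUTHN_INSTANT, ISSUE_INSTANT, NOW))
```

With the defaults the 8-hour-old IDP session is rejected on maxAuthenticationAge even though the assertion itself is fresh; raising only that value lets it through while the assertion validity and skew stay at their defaults.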