IBM Verify

  • 1.  sessionNotOnOrAfter in SAML authnresponse

    Posted Wed July 17, 2019 03:09 AM
    Hi community,

    The session lifetime on an IDP can be communicated to the SP in a sessionNotOnOrAfter attribute of the authnstatement in a SAML authentication response.

    In TFIM one could prevent it from being included in the SAML response by specifying a value of 0 as the session lifetime.

    In the federation module of ISAM9, it seems 0 is no longer a valid value (cfr attached screenshot).
    Does anybody know how to prevent the sessionNotOnOrAfter attribute of the authnstatement in the SAML response?

    The context in which this is relevant is that some SP implementations take that value as a guide for their session timeout and there seems to be no way to overwrite it. We would like to have the teams responsible for the SP config to have control over their own session timeout.
    This was possible in TFIM, but I don't know if (or how) it is possible in ISAM9.

    Kind regards

    ------------------------------
    Kristof Goossens
    ------------------------------


  • 2.  RE: sessionNotOnOrAfter in SAML authnresponse

    Posted Wed July 17, 2019 03:26 AM
    Kristof,

    As a potential workaround, I wonder if the restriction is only at UI.  Perhaps it would be worth capturing the REST call that updates the federation config and then replay this with the value set to 0.

    If that works, you probably need to open a case to get the UI restriction removed.

    Jon.

    ------------------------------
    Jon Harry
    Consulting IT Security Specialist
    IBM
    ------------------------------



  • 3.  RE: sessionNotOnOrAfter in SAML authnresponse

    Posted Wed July 17, 2019 03:33 AM
    Hi Jon,

    I did try it through the REST API, but it also rejects the value of 0. In fact, I did it through the REST API first but took the screenshot because it's more obvious what setting I am talking about in there :)

    Kind regards,
       Kristof Goossens

    ------------------------------
    Kristof Goossens
    ------------------------------



  • 4.  RE: sessionNotOnOrAfter in SAML authnresponse

    Posted Wed July 17, 2019 03:36 AM
    Ok. Then I'm afraid I don't know.  Let's hope someone else can help - otherwise get a case open.

    Jon.

    ------------------------------
    Jon Harry
    Consulting IT Security Specialist
    IBM
    ------------------------------



  • 5.  RE: sessionNotOnOrAfter in SAML authnresponse

    Posted Thu July 18, 2019 02:59 AM
    Hi Kristof,

    Currently the ISAM Federation module SAML2 IdP always generates the SAML2 Assertion with 'SessionNotOnOrAfter' in the 'AuthnStatement'; I don't have any workaround for omitting it from the SAML2 Assertion.
    Based on the SAML2 spec, 'SessionNotOnOrAfter' is an optional attribute, but support for omitting 'SessionNotOnOrAfter' from the SAML2 Assertion will need the RFE process.

    Best Regards

    Yongming


    ------------------------------
    Yongming Chen
    ------------------------------



  • 6.  RE: sessionNotOnOrAfter in SAML authnresponse

    Posted Thu July 18, 2019 04:09 AM
    Hi Yongming,

    Thx for your response. I opened a support case for this. I'll send them the link of this page and ask them if they agree with your statement. If they do, I'll indeed create an RFE and ask the community to file a similar one to upvote the functionality in order to get it asap planned for a future release ;-)

    Kind regards

    ------------------------------
    Kristof Goossens
    ------------------------------



  • 7.  RE: sessionNotOnOrAfter in SAML authnresponse

    Posted Fri July 19, 2019 01:47 AM
    Update:

    I filed a support case and this seems to be an input validation issue. Any value < 300 is rejected. However, if you manage to bypass the input and directly change the configuration - which is not supported! - putting a value of 0 does have the desired effect (sessionNotOnOrAfter attribute is not present) in the SAML response.

    Support will now talk to 3rd line to see whether this is a defect or an RFE is required.

    Kind regards

    ------------------------------
    Kristof Goossens
    ------------------------------
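An added example (my own code, not ISAM, TFIM or either poster's) of the SP-side behaviour Kristof describes in posts 1 and 7: an SP that treats SessionNotOnOrAfter as a cap on its own session policy rather than as an override, so the teams owning the SP keep control of their timeout whether or not the IdP emits the attribute. The helper names, the 8-hour local policy and the sample assertion are assumptions constructed for the demonstration.

```python
"""Hypothetical SP-side helper (added example, not ISAM or TFIM code).

Derives the SP session deadline from a SAML 2.0 AuthnStatement: the SP's
own policy always applies, and SessionNotOnOrAfter, when the IdP includes
it, may only shorten that deadline, never extend it.
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

def parse_saml_instant(value: str) -> datetime:
    """SAML dateTime values are UTC and end in 'Z'; fromisoformat() on
    Python < 3.11 rejects 'Z', so normalise it to '+00:00' first."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def session_not_on_or_after(assertion_xml: str):
    """SessionNotOnOrAfter of the first AuthnStatement, or None when the
    IdP omitted the attribute (it is optional per SAML 2.0 core)."""
    stmt = ET.fromstring(assertion_xml).find(".//saml:AuthnStatement", NS)
    if stmt is None:
        raise ValueError("assertion carries no AuthnStatement")
    value = stmt.get("SessionNotOnOrAfter")
    return parse_saml_instant(value) if value else None

def effective_session_expiry(assertion_xml: str, sp_max_lifetime_s: int,
                             now_iso: str) -> str:
    """SP deadline = now + local policy, capped by the IdP hint if present.
    Returned as a SAML-style UTC instant so it can be logged or compared."""
    now = parse_saml_instant(now_iso)
    deadline = now + timedelta(seconds=sp_max_lifetime_s)
    idp_hint = session_not_on_or_after(assertion_xml)
    if idp_hint is not None and idp_hint < deadline:
        deadline = idp_hint
    return deadline.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")

# Constructed sample assertion (not captured from a real IdP); the second
# variant drops SessionNotOnOrAfter, as the thread's "0" setting does.
WITH_HINT = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  ID="_a1" Version="2.0" IssueInstant="2019-07-17T08:00:00Z">
  <saml:AuthnStatement AuthnInstant="2019-07-17T08:00:00Z" SessionIndex="_s1"
    SessionNotOnOrAfter="2019-07-17T08:05:00Z"/>
</saml:Assertion>"""
WITHOUT_HINT = WITH_HINT.replace('\n    SessionNotOnOrAfter="2019-07-17T08:05:00Z"', "")

if __name__ == "__main__":
    # Local policy of 8 hours; the 5-minute IdP hint wins only when present.
    print(effective_session_expiry(WITH_HINT, 8 * 3600, "2019-07-17T08:00:00Z"))
    print(effective_session_expiry(WITHOUT_HINT, 8 * 3600, "2019-07-17T08:00:00Z"))
```

With the attribute present the SP session ends at the IdP's 08:05 instant; without it the SP's own 8-hour policy alone decides, and a shorter local policy is never extended by the hint.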