The ST generally should have a lifetime measured in seconds.  Since it is
single use, it doesn't really make sense to issue one, have a client hold
on to it for an hour, and finally use it.  The lifetime should generally
reflect the anticipated network time for the client to receive the ST and
validate it.

For the TGT, you can set that however long makes sense for your SSO
sessions.  2 hours works for my organization.  You may need a longer time
measured in days or weeks, I guess, but it seems like users should be using
something like a password manager if they can't log in at least once a
day?  It really depends on the policies in your organization.

Thanks,
Carl Waldbieser


On Wed, Jul 27, 2022 at 3:16 PM Pablo Vidaurri <[email protected]> wrote:

> Currently CAS TGT is an 8hr session, ST is a 2hr session. Client is
> requesting to enable certain parts of their site (protected) to include a
> longer ST (for weeks) while maintaining a 2hr session for other secured
> parts like "Account/Profile".
>
> I understand the application needs to change, but is there anything on the
> CAS side that I can do to help in this effort?
>
> Would JWT help? When a user successfully logs in, issue a JWT good for 4
> weeks with user's credentials. Now let's assume the TGT/ST are no longer
> valid and the user is trying to access part of the site where logging in
> is not required for days (protected area). The JWT would then be used to
> auto login the user. Achievable or pure abuse?
>
> Also considered increasing the TGT TTL for weeks and creating separate
> services to define an
> AuthenticationDateRegisteredServiceSingleSignOnParticipationPolicy of
> 2hrs/8hrs, etc but this means certain parts of the site need to be
> under specific URL patterns.
>
> Any suggestions?
>
> -psv
>
> --
> - Website: https://apereo.github.io/cas
> - Gitter Chatroom: https://gitter.im/apereo/cas
> - List Guidelines: https://goo.gl/1VRrw7
> - Contributions: https://goo.gl/mh7qDG
> ---
> You received this message because you are subscribed to the Google Groups
> "CAS Community" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> To view this discussion on the web visit
> https://groups.google.com/a/apereo.org/d/msgid/cas-user/793b6932-8c4d-48d3-a5e7-945988566788n%40apereo.org
> <https://groups.google.com/a/apereo.org/d/msgid/cas-user/793b6932-8c4d-48d3-a5e7-945988566788n%40apereo.org?utm_medium=email&utm_source=footer>
> .
>
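A configuration sketch matching Carl's guidance above (ST measured in seconds and single-use, TGT idle and hard limits set by SSO policy), added here as an example and not taken from either post; it assumes CAS 6.x property names and reuses the 2 h / 8 h values from the thread:

```properties
# --- Service ticket (ST): single use, lifetime in seconds ---
# The 2 h value from the original question keeps a one-shot ticket valid
# long after the redirect it was minted for has completed.
# cas.ticket.st.time-to-kill-in-seconds=7200
cas.ticket.st.time-to-kill-in-seconds=10
cas.ticket.st.number-of-uses=1

# --- Ticket-granting ticket (TGT): governs the SSO session ---
# Idle timeout: the SSO session ends after 2 h with no new ST issued.
cas.ticket.tgt.primary.time-to-kill-in-seconds=7200
# Hard cap: the SSO session ends 8 h after login regardless of activity.
cas.ticket.tgt.primary.max-time-to-live-in-seconds=28800
```

These server-wide values do not give the per-area variation asked about; that would be expressed per registered service through its singleSignOnParticipationPolicy, which is where the AuthenticationDateRegisteredServiceSingleSignOnParticipationPolicy idea in the question fits.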
