Hi,

Unfortunately, it's not possible to specify a session or inactivity timeout in the assertion.

In SAML, a session timeout use case is covered by the Single Logout Protocol (section 3.7): http://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf but Google Apps does not support this.

-alex

On Mar 27, 10:54 am, swtet <[EMAIL PROTECTED]> wrote:
> I am not even really looking for direct communication between the SP and IdP. When I, as the IdP, send the assertion to Google, it seems there should be something that I can add to the assertion that tells Google that this is only valid for a certain period of time (say 30 minutes, for example). If the user is using their Google app 31 minutes after their identity was checked, Google would detect that and run the browser through the assertion process again just to make sure the user is still who they say they are and their session with the IdP is still valid. The reason for session inactivity timeouts in our application is that users tend to walk away from machines without logging out or closing browsers. Do the Google apps have a concept of inactivity timeouts, or is it that once you are in, you are in?
>
> On Mar 27, 3:19 am, "Alex (Google)" <[EMAIL PROTECTED]> wrote:
> > Hi,
> >
> > The Google Apps implementation of SAML doesn't allow for direct communication between SP and IdP. It uses HTTP bindings, i.e. it relies on the browser to be the conduit of messages between SP and IdP. SAML is used very limitedly, only for sign in. There isn't even a sign out service.
> >
> > One workaround is to launch Google Apps in a new window or tab, and have a keep-alive web application which signs the user out (e.g. forwards to a Google Apps sign out URL) if the IdP invalidates the user. It's not foolproof since the user could simply close the keep-alive page.
> >
> > -alex
> >
> > On Mar 25, 7:35 am, swtet <[EMAIL PROTECTED]> wrote:
> > > When using SAML SSO, is there something that I can put in the response that will cause Google to validate the user's identity again at a certain time? As the identity provider, I keep track of inactivity so I would like the Google apps to check back on occasion to make sure the user is still valid. Since I am fairly new to SAML, does this type of thing make sense to do or is there another way to accomplish this? If this is not the SAML way, any explanation about that would be helpful as well.
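The Single Logout Protocol that Alex points to (SAML core section 3.7) is what an IdP that tracks inactivity would use to end an SP session, where the SP supports it. As an added example that is not part of this thread and not Google Apps code, here is an IdP-side LogoutRequest builder and an SP-side handler that checks issuer, expiry and session binding before ending the session; the issuer URL, NameID and session index values are constructed, and XML signature verification, which a real SP must perform, is omitted.

```python
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)
ISO = "%Y-%m-%dT%H:%M:%SZ"


def build_logout_request(issuer, name_id, session_index, now, ttl_minutes=5):
    """IdP side: a samlp:LogoutRequest (SAML core 3.7.1) asking the SP to end
    one session. NotOnOrAfter bounds how long the request may be acted on."""
    req = ET.Element(f"{{{SAMLP}}}LogoutRequest", {
        "ID": "_" + uuid.uuid4().hex,
        "Version": "2.0",
        "IssueInstant": now.strftime(ISO),
        "NotOnOrAfter": (now + timedelta(minutes=ttl_minutes)).strftime(ISO),
        "Reason": "urn:oasis:names:tc:SAML:2.0:logout:user",
    })
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = issuer
    ET.SubElement(req, f"{{{SAML}}}NameID").text = name_id
    ET.SubElement(req, f"{{{SAMLP}}}SessionIndex").text = session_index
    return ET.tostring(req, encoding="unicode")


def handle_logout_request(xml_text, trusted_issuer, active_sessions, now):
    """SP side: validate the request and drop the matching local session.
    active_sessions maps SessionIndex -> NameID. Returns the ended index, or
    None when the request is rejected. (Signature verification is omitted.)"""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP}}}LogoutRequest" or root.get("Version") != "2.0":
        return None
    if root.findtext(f"{{{SAML}}}Issuer") != trusted_issuer:
        return None  # only the IdP we federate with may end sessions
    expiry = root.get("NotOnOrAfter")
    if expiry and now >= datetime.strptime(expiry, ISO).replace(tzinfo=timezone.utc):
        return None  # stale request, e.g. one replayed later
    name_id = root.findtext(f"{{{SAML}}}NameID")
    idx = root.findtext(f"{{{SAMLP}}}SessionIndex")
    if idx is None or active_sessions.get(idx) != name_id:
        return None  # unknown session, or one bound to a different user
    del active_sessions[idx]
    return idx
```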
