[
https://issues.apache.org/jira/browse/FEDIZ-20?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13466705#comment-13466705
]
Oliver Wulff commented on FEDIZ-20:
-----------------------------------
The IDP first requests a token from the STS for the successful authentication.
Then this token is stored in the session. For every RP (application) token it
requests a new token on-behalf-of the cached token.
You can configure the cache time in the init parameter
'token.internal.lifetime'. Default 2 hours.
I've raised FEDIZ-28 to logout/terminate the session with the IDP.
> IDP should maintain authentication state
> ----------------------------------------
>
> Key: FEDIZ-20
> URL: https://issues.apache.org/jira/browse/FEDIZ-20
> Project: CXF-Fediz
> Issue Type: Improvement
> Components: IDP
> Affects Versions: 1.0.0
> Reporter: Juan Manuel CABRERA
> Assignee: Oliver Wulff
>
> The IDP relies on the browser to cache the end user's credentials (classical
> way to work for an HTTP Basic authentication).
> So in the IDP there is no way to kill an end user session without killing the
> browser.
> The IDP should maintain these credentials (or better: the proof that these
> credentials were checked at some point - i.e. a token).
> If for instance this token is stored in the HTTP session, the IDP will then
> be capable of removing it from the session, effectively killing the
> authentication and forcing the end user to enter his credentials again.