The SAML web site is not longer accepting new posts. Information on this page is preserved for legacy purposes only. For current information on SAML, please see the OASIS Security Services Technical Committee Wiki.

idle timeout?


Is logout due to idle timeout a part of SAML. I read the specs, and it only says that single logout can be initiated due to timeout, but how would that really work? Wouldn't the IdP have to ask every SP if they agree to logout the user due to timeout? 

The IdP control's its "session" with the user, so if the IdP has some idle timer, the IdP could send an SLO message to any SPs for which the IdP authenticated the user during the current session.

That said, however, good idle timeout in an SSO environment would require some capabilities that is not currently defined in SAML. These include:

  • the IdP needs a way to advertise that it supports idle timeout and request that SPs report on non-idleness as well as the frequency required of such reporting.
  • the SPs need a way to report non-idleness to the IdP.
  • The SPs need a way to advertise that they support and will send non-idleness messages.
  • etc., etc.

That does not exist in SAML today.

I don't recall anything in the standard that says logout can be initiated due to timeout or what it would mean, but there is no support in the standard for distributed timeout management. Focus Areas: BPEL | DITA | ebXML | IDtrust | OpenDocument | SAML | UBL | UDDI
OASIS sites: OASIS | Cover Pages | | AMQP | CGM Open | eGov | Emergency | IDtrust | LegalXML | Open CSA | OSLC | WS-I