Scribing Template --Wed., Nov 13, 2013 at 10:15am -- Marina del Ray
TOPIC: SSO Duration
CONVENER: Eric Goodman (& Nathan Dors)
SCRIBE: Eric Kool-Brown
# of ATTENDEES: 19
MAIN ISSUES DISCUSSED:
Observed users going up to computers and having an active session from the prior user.
Concerned that a campus login session policy could be driven by a single large application service manager rather than being done with a campus-wide focus.
Campus |
SSO Len |
ForceAuthN |
IdPLogout Uri |
Why |
Notes |
|---|---|---|---|---|---|
Cal Poly SLO |
15 minutes |
Y |
Y |
|
|
UCF |
5 hour |
N |
Y |
|
|
ATSN |
1 hour |
N |
N |
testing |
|
USC |
8 hour |
(Y) |
Y+ |
full day of auth |
Logout kills sessions of selected SPs |
Unicon |
8 hours + 2 hour idle time |
rarely used |
Y (via CAS) |
ditto |
Averages for campus clients |
U Iowa |
8 hours |
N |
N |
ditto |
|
UC SC |
30 seconds |
Y |
N |
lack of training |
|
Lafayette College |
8 hour + 2 hour idle |
N |
Y (via CAS) |
transitioning to a login portal |
|
UW |
8 hour (+ 2 hour idle?) |
Y |
Y |
|
|
GWU |
was 15 min, now 8 hours |
N |
N |
evaluating |
|
Harvard |
per app, max 7 days |
N/A |
Y |
with 24 hour renewal |
|
Emory |
8h/2h or 8h/30m |
Y |
N |
divided into sensitive versus non-sensitive SPs |
sensitive: 5 s authN instance |
Tulsa |
2h |
N |
N |
|
|
ACM |
2h |
Y |
Y |
|
|
Northeastern |
8h |
N |
Y (via CAS) |
|
|
U of Montana |
indefinite/per-app |
n/a |
implied Y |
logs out of IdP when app exits (or browser closes) |
|
Indiana |
8 h |
(8h) |
Y (via CAS) |
would like to move to an indefinite session with 8 h forced reauth |
apps can log out directly via CAS, want to incentivise users not saving creds in browser |
Minnesota |
3 h |
Y |
Y |
SSO length a holder from former system |
if a user logs out of an app, then they need to reauth to get back to it. |
Grey Heller for PeopleSoft ERP Firewall enforcing MFA on certain resources/actions
USC: Some apps can ask for a special IdP auth that isn't SSO, doesn't allow session token to apply to other apps
Emory is using Service Now KB articles to describe session lengths (for app dev audience).
Logout UI guidelines
- Use SLO config in 2.4. Does the page list open sessions?
- Browsers are now persisting session cookies after closing the browser which complicates the issue
- Browser saved credentials breaks most of the desired logout security
Want logouts to not happen if non-sensitive apps based on SP
Logout is a complex concept but really only critical in a small number of cases. Sensitive apps can control the logout behavior WRT their session. Difficult to generalize to all sessions and difficult for users to understand if not tightly scoped.
User Education Resources?
- Private browsing sessions are a good idea
ACTIVITIES GOING FORWARD / NEXT STEPS: