Scribing Template --Wed., Nov 13, 2013 at 10:15am -- Marina del Ray
TOPIC: SSO Duration
CONVENER: Eric Goodman (& Nathan Dors)
SCRIBE: Eric Kool-Brown
# of ATTENDEES: 19
MAIN ISSUES DISCUSSED:
Observed users going up to computers and having an active session from the prior user.
Concerned that a campus login session policy could be driven by a single large application service manager rather than being done with a campus-wide focus.
Campus | SSO Len | ForceAuthN | IdPLogout Uri | Why | Notes |
---|---|---|---|---|---|
Cal Poly SLO | 15 minutes | Y | Y |
|
|
UCF | 5 hour | N | Y |
|
|
ATSN | 1 hour | N | N | testing |
|
USC | 8 hour | (Y) | Y+ | full day of auth | Logout kills sessions of selected SPs |
Unicon | 8 hours + 2 hour idle time | rarely used | Y (via CAS) | ditto | Averages for campus clients |
U Iowa | 8 hours | N | N | ditto |
|
UC SC | 30 seconds | Y | N | lack of training |
|
Lafayette College | 8 hour + 2 hour idle | N | Y (via CAS) | transitioning to a login portal |
|
UW | 8 hour (+ 2 hour idle?) | Y | Y |
|
|
GWU | was 15 min, now 8 hours | N | N | evaluating |
|
Harvard | per app, max 7 days | N/A | Y | with 24 hour renewal |
|
Emory | 8h/2h or 8h/30m | Y | N | divided into sensitive versus non-sensitive SPs | sensitive: 5 s authN instance |
Tulsa | 2h | N | N |
|
|
ACM | 2h | Y | Y |
|
|
Northeastern | 8h | N | Y (via CAS) |
|
|
U of Montana | indefinite/per-app | n/a | implied Y | logs out of IdP when app exits (or browser closes) |
|
Indiana | 8 h | (8h) | Y (via CAS) | would like to move to an indefinite session with 8 h forced reauth | apps can log out directly via CAS, want to incentivise users not saving creds in browser |
Minnesota | 3 h | Y | Y | SSO length a holder from former system | if a user logs out of an app, then they need to reauth to get back to it. |
...
- Private browsing sessions are a good idea
ACTIVITIES GOING FORWARD / NEXT STEPS: