How long should a SAML Token be valid | ansaurus

tags:

saml

views:

44

answers:

1

+3 Q:

How long should a SAML Token be valid

has anybody an advice, how long a SAML Token should be valid (in a SOA infrastructure)? I thought of several (6-12) hours.

many thanks Markus

+2 A:

It is generally a bad idea to have such a high lifetime for your tokens, because they can theoretically be "stolen" and reused. Token issuance should not be an especially timely affair, so I would recommend that you reauthenticate your users with the STS quite often, and only let your token "live" for a few minutes.

klausbyskov 2010-02-01 12:43:29

related questions

SAML 2.0 SSO and ASP.Net

SAML assertion with username/password - what do the messages really look like?

Can you recommend a SAML 2.0 Identity Provider for test?

Anyone using Spring-ws with SAML authentication?

How do I configure WebLogic 10.3 Web App To Use SAML 2 SSO and Identity Provider?

Use gmail domain account with IMAP authentication with SAML authentication not working...

SAML Assertion consumer Service (ACS) - Suggestions on implementation

Convenient applications for Browser/POST and Browser/Artifact SAML profiles

Designing an XACML API

What is SAML?

How to implement SAML SSO

WCF Interop with Axis2 using WS-Trust

Are attributes allowed in a SAML authentication request?

Why is using a certificate, made with the MakeCert tool, in production bad?

Implementing SSO using different versions of SAML

Need info on SAML 2.0

Signing XML with Public Key Example?

Identity provider implementation of opensaml 2.0

Do we absolutely need a STS for SAML?

SAML identity provider as Java servlet filter?

Looking for feedback on a first SAML implementation.

SAML Assertion WriteXML issue in C#

SAML with .NET 2.0

Implementing Claims-Based Security (WCF/Asp.NET)

How do I deserialize a SAML assertion in Rampart/C (Axis2/C)?