Authentication Lifetime and Session Timeout - Fluid Topics - 3.7

Fluid Topics Integration Guide

Operating system: Debian
Category: Reference Guides
Audience: public
Version: 3.7

The maxAuthenticationLifetime parameter defined in the conf.json configuration file does not set the lifetime of the authentication token in Fluid Topics. Instead, it tells Fluid Topics which authentication lifetime is configured on the Identity Provider (IdP) side.

The value of this parameter on the Service Provider (SP) side must always match the value of the parameter on the IdP side.

Principles

Authentication lifetimes are based on the following principles:

  • SAML (IdP) has an authentication lifetime of n hours. Consequently, a user is not required to authenticate again for n hours.
  • The Fluid Topics (SP) sessionId lasts 30 minutes. Consequently, a user is not disconnected from the portal as long as some activity has been registered in the last 30 minutes. "Activity" is defined as a request to the Fluid Topics server (e.g., when the user selects an item, launches a search request, or scrolls through a document).
  • The SP and the IdP communicate to determine whether the authentication lifetime has expired, on either the IdP or the SP side.
  • When the SP sessionId has expired (30 minutes have passed without activity), the IdP checks whether n hours have passed on the IdP side.
    • If the IdP authentication lifetime has not expired: the sessionId is automatically renewed for another 30 minutes.
    • If the IdP authentication lifetime has expired: the user is prompted to authenticate.
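
The rules above can be read as a small state machine. The following sketch is an added example, not Fluid Topics code: the function name, the outcome labels, the sample timeline and the assumption that a prompted user logs in again immediately are all illustrative.

```python
"""Simplified model of the SP/IdP timeout rules listed above (added example)."""

SP_SESSION_TTL = 30 * 60  # Fluid Topics sessionId idle timeout, per the page


def simulate(request_times, idp_lifetime, login_time=0):
    """Classify each request sent to the SP.

    request_times: ascending timestamps in seconds since login_time.
    idp_lifetime:  the IdP authentication lifetime ("n hours") in seconds.
    Returns a list of (timestamp, outcome); the outcome labels "active",
    "renewed" and "reauthenticate" are hypothetical names for this model.
    """
    authenticated_at = login_time  # last time the IdP authenticated the user
    last_activity = login_time     # last request the SP has seen
    outcomes = []
    for t in request_times:
        if t < last_activity:
            raise ValueError("request_times must be ascending")
        if t - last_activity < SP_SESSION_TTL:
            # Activity within the last 30 minutes: sessionId is still valid.
            outcome = "active"
        elif t - authenticated_at < idp_lifetime:
            # sessionId expired, IdP lifetime not yet reached: silent renewal.
            outcome = "renewed"
        else:
            # sessionId expired and IdP lifetime reached: user must log in.
            outcome = "reauthenticate"
            authenticated_at = t  # assumption: the user logs in at once
        last_activity = t
        outcomes.append((t, outcome))
    return outcomes


if __name__ == "__main__":
    # Constructed timeline (seconds after login) with an 8-hour IdP lifetime.
    timeline = [600, 2000, 5000, 28000, 29000, 31000, 31500]
    for t, outcome in simulate(timeline, idp_lifetime=28800):
        print(f"{t:>6}s  {outcome}")
```

In this model the request at 29000 seconds stays "active" although 28800 seconds have passed, because the IdP lifetime is only evaluated once the sessionId has expired.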

Recommended values

To prevent user sessions from timing out unexpectedly, use one of the following recommended maxAuthenticationLifetime values:

| Platform | Recommended value for the maxAuthenticationLifetime (in seconds) |
| --- | --- |
| | 28800 |
| Google Workspace | 1209600 |
| Okta | 2592000 |
| Azure | At least 1209600 (the equivalent of 14 days) and up to 7776000 (the equivalent of 90 days) |