SAML protocol settings - Fluid Topics - 4.3

Fluid Topics Configuration and Administration Guide

Category: Reference Guides
Audience: public
Version: Latest

In the SAML protocol settings section of the New realm drawer, it is possible to modify the SSO session's maximum authentication lifetime. When this lifetime expires, the user is logged out of the SSO session and must enter their credentials again in order to authenticate and begin a new SSO session.

The SAML protocol settings section is not immediately displayed in the New realm drawer. It appears after importing an Identity provider metadata XML file.

The value entered here must match the maximum authentication lifetime configured on the SAML identity provider's side. If the value defined in the identity provider's UI for this parameter is different, modify the value in the Fluid Topics UI so that the two match.

Recommended values

When Fluid Topics is able to detect which SAML provider is being integrated, it automatically populates the maximum authentication lifetime field with the most suitable value for that provider. The following table indicates the recommended value for each provider:

SAML provider      Recommended value (in seconds)
ADFS               28800 (8 hours)
Google Workspace   1209600 (14 days)
Okta               2592000 (30 days)
Keycloak           7776000 (90 days)
Azure              at least 1209600 (14 days) and up to 7776000 (90 days)

ADFS is a special case: the maximum authentication lifetime must be set to exactly 28800. Any other value results in an invalid configuration.

If Fluid Topics is unable to detect the SAML provider, it uses the default value of 7776000 (90 days) for the IDP maximum authentication lifetime.

FT sessions and SSO sessions

The maximum authentication lifetime which triggers an SSO session timeout is different from that which triggers a Fluid Topics user session timeout. Each serves a distinct purpose, and their values are usually different. However, the two parameters do work together, as illustrated by the following scenario:

  1. An administrator has configured Fluid Topics to trigger a user session timeout after 30 minutes of inactivity. Consequently, the user is not disconnected from the portal as long as some activity has been registered during the last 30 minutes. "Activity" is defined as a request to the Fluid Topics server (for example, when the user selects an item, launches a search request, scrolls through a document, etc.)

  2. The administrator is configuring a SAML realm. To this end, they have chosen to integrate Fluid Topics with the Active Directory Federation Services (ADFS) component.

  3. In the ADFS UI, the maximum authentication lifetime is set to 28800 seconds. The administrator must enter this same value in the SAML protocol settings section of the Fluid Topics UI so that Fluid Topics is aware of the ADFS setting.

  4. Users who authenticate through the SAML realm's SSO mechanism are not asked for their credentials again for 28800 seconds, the duration of the SSO session.

  5. When the FT session expires, Fluid Topics and the SSO provider communicate to determine whether the SSO session has expired as well.

  6. If the SSO session has not expired, Fluid Topics displays a message stating that the user has been disconnected. The user is prompted to click to reconnect and can pick up where they left off, without entering credentials again. The SSO session is the same as before, but the FT session is a new one.

  7. If the SSO session has expired, the user is prompted to enter their credentials again to authenticate. Both the SSO session and the FT session are new sessions.

In line with the OWASP Foundation's session management guidelines, Fluid Topics opens a new session, rather than reviving the expired one, after the previous session expires, in order to prevent a session fixation attack.
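The following Python model illustrates both the matching requirement from the SAML protocol settings section (why the lifetime entered in Fluid Topics must agree with the identity provider's) and the scenario above (inactivity timeout versus SSO lifetime, and the new session issued on reconnect). It is an added example, not Fluid Topics code. It assumes the setting is enforced the way SAML service providers commonly enforce a maximum authentication lifetime: the AuthnInstant attribute of the assertion's AuthnStatement must lie within the configured window. The assertion, timestamps and session identifiers are constructed for the example.

```python
"""Illustrative model of an SP maximum authentication lifetime interacting with a
portal inactivity timeout.  Added example; not Fluid Topics code."""
import secrets
import xml.etree.ElementTree as ET
from dataclasses import dataclass, replace
from datetime import datetime, timedelta

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample: the IdP re-issued an assertion at 12:00 for a user who last
# typed credentials at 08:00 (an 8-hour IdP SSO session, as in the ADFS scenario).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_a1" IssueInstant="2024-05-01T12:00:00Z" Version="2.0">
  <saml:Issuer>http://adfs.example.test/adfs/services/trust</saml:Issuer>
  <saml:AuthnStatement AuthnInstant="2024-05-01T08:00:00Z" SessionIndex="_s1">
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
    </saml:AuthnContext>
  </saml:AuthnStatement>
</saml:Assertion>"""


def parse_saml_instant(value: str) -> datetime:
    # SAML timestamps are xs:dateTime in UTC with a trailing 'Z'.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def authn_instant(assertion_xml: str) -> datetime:
    """Extract when the user actually authenticated at the IdP."""
    root = ET.fromstring(assertion_xml)
    stmt = root.find("saml:AuthnStatement", SAML_NS)
    if stmt is None or "AuthnInstant" not in stmt.attrib:
        raise ValueError("assertion carries no AuthnStatement/AuthnInstant")
    return parse_saml_instant(stmt.attrib["AuthnInstant"])


def assertion_is_fresh(instant: datetime, now: datetime, max_lifetime: int) -> bool:
    """SP-side check (assumed): authentication must be no older than max_lifetime
    seconds and not in the future.  Real SPs usually tolerate a little clock skew."""
    age = (now - instant).total_seconds()
    return 0 <= age <= max_lifetime


@dataclass(frozen=True)
class Sessions:
    sso_authn_instant: datetime  # last time credentials were entered at the IdP
    ft_session_id: str           # portal (FT) session identifier
    ft_last_activity: datetime


def new_ft_session(sso_authn_instant: datetime, now: datetime) -> Sessions:
    # A fresh identifier every time: never reuse the expired session (session fixation).
    return Sessions(sso_authn_instant, secrets.token_hex(16), now)


def handle_request(s: Sessions, now: datetime, idle_timeout: int, max_lifetime: int):
    """Return (outcome, sessions) for a request arriving at `now`.
    "ok": FT session active; "reconnect": FT idle-expired but SSO valid, new FT session
    without credentials; "reauthenticate": SSO lifetime exceeded, both sessions new."""
    if not assertion_is_fresh(s.sso_authn_instant, now, max_lifetime):
        return "reauthenticate", new_ft_session(now, now)   # IdP re-prompts; AuthnInstant == now
    if (now - s.ft_last_activity).total_seconds() > idle_timeout:
        return "reconnect", new_ft_session(s.sso_authn_instant, now)
    return "ok", replace(s, ft_last_activity=now)


def walk_through(idle_timeout: int = 1800, max_lifetime: int = 28800) -> list:
    """Replay the ADFS scenario: 30-minute inactivity timeout, 8-hour SSO lifetime."""
    t0 = authn_instant(SAMPLE_ASSERTION)          # 08:00Z, credentials entered at ADFS
    s = new_ft_session(t0, t0)
    outcomes = []
    for minutes in (10, 25, 60, 70, 500):         # 60: 35 min idle; 500: > 8 h since login
        outcome, s = handle_request(s, t0 + timedelta(minutes=minutes), idle_timeout, max_lifetime)
        outcomes.append(outcome)
    return outcomes


if __name__ == "__main__":
    now = parse_saml_instant("2024-05-01T12:00:00Z")
    for lifetime in (28800, 3600):   # matching ADFS value vs. a mismatched shorter one
        print(lifetime, "accepts sample assertion:",
              assertion_is_fresh(authn_instant(SAMPLE_ASSERTION), now, lifetime))
    print(walk_through())
```

Run with a lifetime of 28800 the sample assertion is accepted; with a mismatched 3600 the same assertion, still valid at ADFS, is rejected because the user authenticated four hours earlier. That rejection is the practical consequence of the two values not matching. The walk-through yields ok, ok, reconnect, ok, reauthenticate: the reconnect keeps the original authentication instant but mints a new FT session identifier, while the re-authentication resets both.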