How can an SP reset a session timer at the IDP?
The SAML specs do not specify a method for doing this, or in fact require any form of timeout at an IdP.
One proposition is to use an authnrequest message with isPassive set.
The following table lists IDP products which refresh the IDP session timer upon receipt of a valid isPassive authnrequest with a success response. Other notes can be added if there are additional methods.
Product/Service |
Source |
isPassive() refreshes IDP timeout |
|---|---|---|
Ubisecure SSO |
Keith |
|
Shibboleth |
Scott |
No idle timeout is enforced, only an absolute lifetime on authn methods |
CA Siteminder |
Denny |
|
Microsoft ADFS 2 |
Thomas |
Yes |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Custom refresh URL also available