Authentication systems, aka Identity Providers (IDP), will authenticate an individual via login and then be a resource for Service Providers (SP) to authenticate users without the need for an additional login. This is commonly known as Single Sign On (SSO). Both the IDP and SP have a session timeout, as do many web based applications. Many applications also have a keepalive, where the actions of a user will trigger an extension of the session timer, keeping the member's session alive. So why can't the IDP have the same keepalive function as other web applications?
Because the IDP doesn't have a lot of interaction from the user after they log in, the IDP doesn't have a good means to know the user is still active. This results in the IDP needing long session times to compensate, which isn't ideal. When that timeout eventually comes, the impact is still there. To illustrate, a user of an MLS System is working on their Listing and goes to check the Tax System for information on the property. If the IDP session is still active, the uninterrupted member is authenticated into the Tax System behind the scenes. But after the IDP times out, that same click to check Tax would result in another need to log in.
If the IDP and SP were to talk to each other, making the actions of the user known, this could be a way of allowing the IDP to keep its session alive. In turn, the IDP could have shorter sessions, freeing up its resources sooner after the user stops working. Essentially a keepalive ping between the SP and IDP. This could complement the existing capability in SAML (and probably OIDC) that allows an SP to tell the IDP that the user has logged out.
Having every click made by the user result in a keepalive ping from the SP to the IDP might not be the most efficient method. As an IDP is getting closer to timing out, it could ping the SP. However, there may be a large number of SPs, so this might not be the most efficient means either. If the SP were to know the IDP timeout, it might limit the pings to only when it knows the IDP is about to end its session. Or, maybe the IDP could keep track of where the user has been (which SPs). As the IDP is getting close to ending the session, the IDP could ping the active SPs to see if the user is still active.
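As an added example (not from the original post), here is one way an IDP could implement the last variant above, polling only the SPs the user has visited and only when expiry is near, with two constraints a defender would want: each SP activity report is authenticated with an assumed shared HMAC key so a forged reply cannot keep a session alive, and an absolute session lifetime caps how far keepalives can push expiry. All timeout values, SP names and the `poll` callback are constructed for the example.

```python
import hashlib, hmac
from dataclasses import dataclass, field

# Constructed policy values for the example (not from any real IdP).
IDLE_TIMEOUT = 600        # seconds of inactivity before the IdP drops the session
ABSOLUTE_MAX = 8 * 3600   # hard lifetime cap that no keepalive may extend past
POLL_WINDOW = 60          # poll SPs only when expiry is this close

@dataclass
class IdpSession:
    user: str
    created: float
    expires: float
    visited_sps: set = field(default_factory=set)  # SPs this session was asserted to

def sp_activity_report(secret: bytes, sp_id: str, user: str, last_active: float) -> dict:
    """An SP's answer to the IdP's 'is this user still active?' ping, bound to
    (sp, user, time) with an HMAC so a forged reply cannot extend a session."""
    msg = f"{sp_id}|{user}|{int(last_active)}".encode()
    mac = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    return {"sp": sp_id, "user": user, "last_active": last_active, "mac": mac}

def report_valid(secret: bytes, rep: dict) -> bool:
    msg = f"{rep['sp']}|{rep['user']}|{int(rep['last_active'])}".encode()
    expected = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, rep["mac"])

def maybe_extend(sess: IdpSession, now: float, poll, secret: bytes) -> str:
    """IdP-side keepalive. `poll(sp_id, user)` asks one visited SP for its
    activity report (or returns None). Returns what happened to the session."""
    if now >= sess.expires:
        return "expired"
    if sess.expires - now > POLL_WINDOW:
        return "too_early"            # no SP traffic until expiry is near
    newest = None
    for sp_id in sess.visited_sps:
        rep = poll(sp_id, sess.user)
        if not rep or rep["sp"] != sp_id or rep["user"] != sess.user:
            continue                  # mis-addressed report: ignore
        if not report_valid(secret, rep) or rep["last_active"] > now:
            continue                  # forged or future-dated report: ignore
        newest = rep["last_active"] if newest is None else max(newest, rep["last_active"])
    if newest is None or now - newest > IDLE_TIMEOUT:
        return "idle"                 # nobody vouches for recent activity; let it lapse
    new_expiry = min(newest + IDLE_TIMEOUT, sess.created + ABSOLUTE_MAX)
    if new_expiry <= sess.expires:
        return "capped"               # absolute lifetime reached; no extension
    sess.expires = new_expiry
    return "extended"
```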
Imagine working within MS Word and how frustrating it would be to see the login screen after clicking Outlook to check your mail. This might be considered minor to some and maybe the next step is a good cost/benefit discussion. Maybe this sticks in your craw and you want to go straight into a standards and implementation discussion.
All comments and conversation are welcome.