This page presents different possible scenarios that differ in the way on how the session timeout are configured and sessions refreshed. The purpose is to try to explain the intricacies of multi-level timeouts.

Using SAML SP and not refreshing SSO session

The most typical case is to have the SSO session get a timeout before the application session. This is quite typical as the application session usually has a sliding window, i.e., when user's web browser sends requests to the application the application session refreshes.

...

Using SAML SP and refreshing SSO session

The only difference in this scenario compared to the first one is that now we use some of the SSO session refresh mechanisms in the end-user application. Figure 3 shows a situation, where user first logs in and is taken to Ubisecure SSO for authentication. At this point the SSO session is created. Application session gets created when user is taken to the application after successful login. Application session is refreshed with every request to the application thereafter.

...

Using Web Server Filter and not refreshing SSO session

In this scenario a web server filter is used in front of the application. Web server filters have their own SSO session timeout and don't know anything about the application session whereas SAML SP doesn't have any session timeout and it knows about the application session. Because the web server filter acts as a proxy to the application, every request to the application goes through it. This will result in every request refreshing the web application SSO session (see Figure 4).

...

Using Web Server Filter and refreshing SSO session

This scenario is otherwise similar to the scenario in previous chapter, but the SSO session is now refreshed from the application. This refreshing will result in the SSO session lasting longer than the application and web application sessions and thus when web application session ends, no re-authentication is needed from the user to continue using the application (see Figure 7).

...