I’m building SAML 2.0 based authentication to a web application. The authentication is done against an WSO2 Identity Server (WSO2-IS). I have managed to get the actual authentication working using HTTP redirects. However now I’m having issues trying to “refresh” the authentication information from the Identity Server.
The problem is that the assertions the WSO2-IS is returning have only a lifetime of 5 minutes. So based on this, I should get a new assertion from the WSO2-IS every 5 minutes. However I have found no other way to do this against the WSO2-IS than doing yet another round of redirects. Redirecting the user somewhere else every five minutes is not very user friendly.
SAML 2.0 specifies an AuthnQuery request, which is supposed to be done using SOAP over HTTP. If I’ve understood correctly, the AuthnQuery would be exactly what I need to re-request assertion information for the user, but to me it seems that the WSO2-IS does not support this request.
So, the question is, how would I be able to refresh (or re-request) the assertion information from the WSO2 Identity Server without having to redirect the user away from the page they are currently accessing?
The answer is to be found in the SAML proile speciefication under Web browser SSO profile -> Usage and Message Processing Rules.
NotOnOrAfter is the time at which the message has to have been delivered.
What you should consider is the attribute
SessionNotOnOrAfterinAuthnStatementif it is present.SAML profile spec