Authentication timeout settings
Timeouts associated with SAML authentication are critical to both security and end user experience. For more information on the relationship between SAML timeouts and Domino, see this article.
SAML Single server session expiration
Under the Domino Web Engine tab in the Internet Site document, there is a SAML single server session expiration field. This field is specified in minutes and indicates how long a SAML session remains valid. When the SAML session expires, a connecting client is redirected to the customer's identity provider login form to begin the SAML authentication again. Completing the login requires user input before the client can resume activity with the Traveler service. Setting the SAML session timeout as long as possible gives the client a more seamless experience. For more information on the SAML single server session setting, see Enabling SAML authentication in Domino.
Multi-server Session Authentication expiration (SSO)
SAML support for HCL Verse mobile clients when working with a Traveler High Availability pool requires that the Traveler endpoint be enabled for Multiple Server Session Authentication using the Web SSO configuration document. When a SAML authentication is completed, a secure token is set as a cookie on the response to the client; this token is valid on any participating Traveler server. The Web SSO configuration document has a setting for the expiration of this security token. When the token expires, a connecting client is redirected to the customer's identity provider login form. Completing the login requires user input before the client can resume activity with the Traveler service.
Identity Provider SAML token expiration
The identity provider may enforce its own SAML token expiration. Typically, if a browser is redirected to the identity provider and the SAML token is still valid, the user is re-authenticated without having to supply their credentials. However, HCL Verse mobile clients do not retain any cookies exchanged with the identity provider during the SAML authentication. The effect is that no matter what the identity provider's SAML token expiration is set to, HCL Verse mobile clients require the user to re-supply their credentials each time they are redirected to the identity provider.
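The interaction of the three expirations above (the Domino-side session or SSO token lifetime, the identity provider's own session lifetime, and whether the client keeps identity provider cookies) is easy to misjudge when choosing values. The following model is an added example and is not HCL code or part of the Traveler or Domino product; it simulates a client that polls Traveler once a minute and reports when the user is prompted for credentials versus silently re-authenticated. The `domino_session_min` value stands in for either the SAML single server session expiration or, for an HA pool, the Web SSO token expiration, and `idp_session_min` is an assumed lifetime for the identity provider's session cookie; the model also assumes the identity provider cookie is not refreshed by a silent re-authentication. All values are constructed for the illustration.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class SamlTimeouts:
    # Minutes the Domino-side authenticated session stays valid: the
    # "SAML single server session expiration" on a single server, or the
    # Web SSO token expiration when an HA pool uses multi-server SSO.
    domino_session_min: int
    # Minutes the identity provider's own session cookie stays valid
    # (assumed value for this model; the real lifetime is set at the IdP).
    idp_session_min: int


@dataclass
class ClientState:
    # True for a browser that keeps IdP cookies; False for an HCL Verse
    # mobile client, which does not retain cookies exchanged with the IdP.
    retains_idp_cookies: bool
    domino_session_start: Optional[int] = None
    idp_cookie_start: Optional[int] = None


def handle_request(client: ClientState, t: SamlTimeouts, now: int) -> str:
    """Outcome of one client request at minute `now`:
    'ok'            - Domino session/SSO token still valid, request served
    'silent_reauth' - redirected to IdP, IdP cookie still valid, no prompt
    'prompt'        - redirected to IdP, user must re-enter credentials
    """
    if (client.domino_session_start is not None
            and now - client.domino_session_start < t.domino_session_min):
        return "ok"

    # Domino session or SSO token expired: the client is redirected to the
    # identity provider login form to start SAML authentication again.
    if (client.retains_idp_cookies
            and client.idp_cookie_start is not None
            and now - client.idp_cookie_start < t.idp_session_min):
        # Browser presents its IdP cookie; IdP re-issues an assertion without
        # asking for credentials (assumes the IdP cookie is not extended here).
        client.domino_session_start = now
        return "silent_reauth"

    # No usable IdP cookie (mobile client, or the IdP session expired too):
    # the user is prompted, then both Domino and IdP sessions restart.
    client.domino_session_start = now
    client.idp_cookie_start = now if client.retains_idp_cookies else None
    return "prompt"


def simulate(retains_idp_cookies: bool, t: SamlTimeouts,
             horizon_min: int, interval_min: int = 1) -> Tuple[List[int], List[int]]:
    """Poll Traveler every `interval_min` minutes for `horizon_min` minutes.
    Returns (minutes at which the user was prompted,
             minutes at which re-authentication was silent)."""
    client = ClientState(retains_idp_cookies)
    prompts: List[int] = []
    silent: List[int] = []
    for now in range(0, horizon_min, interval_min):
        outcome = handle_request(client, t, now)
        if outcome == "prompt":
            prompts.append(now)
        elif outcome == "silent_reauth":
            silent.append(now)
    return prompts, silent


if __name__ == "__main__":
    # Constructed values: 30 minute Domino session, 10 hour IdP session.
    timeouts = SamlTimeouts(domino_session_min=30, idp_session_min=600)
    for name, keeps_cookies in (("browser", True), ("Verse mobile", False)):
        prompts, silent = simulate(keeps_cookies, timeouts, horizon_min=120)
        print(f"{name:12s} prompts at {prompts}, silent re-auth at {silent}")
```

Running the model with a 30 minute Domino expiration shows the point of the text: over two hours a browser is prompted once and silently re-authenticated three times, while the mobile client is prompted at every expiration regardless of how long the identity provider session lasts. Lengthening `idp_session_min` changes only the browser's result, so for Verse mobile clients the prompt frequency is governed entirely by the Domino-side setting.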