Description
Philip Lowman reports
I believe there may be a mistake in the SAML in a Nutshell documentation on Mozilla's infosec webpage here:
https://infosec.mozilla.org/guidelines/iam/saml.html

Regarding the session handling part of the documentation, it advises the following:
"The web application (SP/RP) must invalidate the user session when the SAML SubjectConfirmationData part of the assertion reaches expiration (NotOnOrAfter) or sooner (the expiration time is a UTC timestamp such as <saml:SubjectConfirmationData NotOnOrAfter="2016-12-22T00:09:09.891Z" Recipient="https://rp.example.net/saml/response"/>)."
When I mentioned this to a work colleague, he reported he hadn't heard of it. I dug further into the reference links on your SAML page.
The link "SAML 2 Session expiration" points out the confusion in SAML in this area but ultimately says that "SessionNotOnOrAfter" controls the maximum session duration of an SP.
https://stackoverflow.com/questions/29508906/notonorafter-in-subjectconfirmationdata-and-conditions-and-sessionnotonorafter

The story is similar in the mailing list thread the stackoverflow.com article links to, where Scott Cantor's answer appears to affirm this viewpoint:
https://lists.oasis-open.org/archives/saml-dev/201504/msg00000.html

I'm not sure, but I think the advice on this webpage with regard to how SAML SP websites should handle session expiration is mistaken.
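As an added illustration (not code from the issue, from the Mozilla guideline, or from either linked thread), the Python below separates the three timestamps the report is about: `SubjectConfirmationData NotOnOrAfter` and `Conditions NotOnOrAfter` are checked once, when the Response is presented, and bound how long the assertion may be accepted; `AuthnStatement SessionNotOnOrAfter` is the only assertion value consulted when deciding how long the SP session may live, as the linked answers describe. The assertion is a constructed sample (not a real IdP's output, signature omitted), the recipient URL and the 8-hour SP session ceiling are assumptions, and the code assumes the XML signature, `InResponseTo` and `Audience` have already been verified by the SP's SAML library.

```python
"""Assertion acceptance window vs. SP session lifetime in SAML 2.0 (added example)."""
from __future__ import annotations

import xml.etree.ElementTree as ET  # production: defusedxml, after signature verification
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EXPECTED_RECIPIENT = "https://rp.example.net/saml/response"  # assumed ACS URL
SP_MAX_SESSION = timedelta(hours=8)                            # assumed local SP policy

# Constructed sample assertion: bearer confirmation expires 5 minutes after issue,
# while the IdP's SessionNotOnOrAfter allows an 8-hour session.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-1" Version="2.0" IssueInstant="2016-12-22T00:04:09.891Z">
  <saml:Issuer>https://idp.example.org/</saml:Issuer>
  <saml:Subject>
    <saml:NameID>alice</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData NotOnOrAfter="2016-12-22T00:09:09.891Z"
          Recipient="https://rp.example.net/saml/response"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2016-12-22T00:04:09.891Z"
      NotOnOrAfter="2016-12-22T00:09:09.891Z"/>
  <saml:AuthnStatement AuthnInstant="2016-12-22T00:04:09.891Z"
      SessionIndex="_constructed-sess" SessionNotOnOrAfter="2016-12-22T08:04:09.891Z"/>
</saml:Assertion>
"""


@dataclass
class AssertionTimes:
    subject_confirmation_not_on_or_after: datetime
    recipient: str
    conditions_not_before: Optional[datetime]
    conditions_not_on_or_after: Optional[datetime]
    session_not_on_or_after: Optional[datetime]


def parse_ts(value: str) -> datetime:
    """Parse a SAML xs:dateTime (UTC, 'Z' suffix) into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def extract_times(xml_text: str) -> AssertionTimes:
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Assertion" % NS["saml"]:  # accept a wrapping Response too
        root = root.find(".//saml:Assertion", NS)
    scd = root.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or not scd.get("NotOnOrAfter"):
        raise ValueError("bearer SubjectConfirmationData with NotOnOrAfter is required")
    cond = root.find("saml:Conditions", NS)
    authn = root.find("saml:AuthnStatement", NS)

    def opt(el, attr):
        return parse_ts(el.get(attr)) if el is not None and el.get(attr) else None

    return AssertionTimes(
        subject_confirmation_not_on_or_after=parse_ts(scd.get("NotOnOrAfter")),
        recipient=scd.get("Recipient", ""),
        conditions_not_before=opt(cond, "NotBefore"),
        conditions_not_on_or_after=opt(cond, "NotOnOrAfter"),
        session_not_on_or_after=opt(authn, "SessionNotOnOrAfter"),
    )


def validate_on_arrival(t: AssertionTimes, now: datetime, expected_recipient: str,
                        skew: timedelta = timedelta(seconds=60)) -> list:
    """Checks done once, when the Response is presented: these bound acceptance of
    the assertion (a replay window), not the lifetime of the resulting session."""
    errors = []
    if t.recipient != expected_recipient:
        errors.append("Recipient %r != %r" % (t.recipient, expected_recipient))
    if now >= t.subject_confirmation_not_on_or_after + skew:
        errors.append("SubjectConfirmationData NotOnOrAfter passed: assertion may not be presented")
    if t.conditions_not_before is not None and now < t.conditions_not_before - skew:
        errors.append("Conditions NotBefore not yet reached")
    if t.conditions_not_on_or_after is not None and now >= t.conditions_not_on_or_after + skew:
        errors.append("Conditions NotOnOrAfter passed: assertion no longer valid")
    return errors


def sp_session_expiry(t: AssertionTimes, login_time: datetime,
                      sp_max_lifetime: timedelta = SP_MAX_SESSION) -> datetime:
    """SP session ceiling after a successful login. Local policy sets the maximum;
    SessionNotOnOrAfter, when the IdP sends it, can only shorten it. The bearer
    NotOnOrAfter is deliberately not consulted here: it expires minutes after
    login and governs presentation of the assertion, not the session built from it."""
    expiry = login_time + sp_max_lifetime
    if t.session_not_on_or_after is not None:
        expiry = min(expiry, t.session_not_on_or_after)
    return expiry


if __name__ == "__main__":
    t = extract_times(SAMPLE_ASSERTION)
    arrival = parse_ts("2016-12-22T00:05:00Z")
    print("errors on arrival:", validate_on_arrival(t, arrival, EXPECTED_RECIPIENT))
    print("SP session expires:", sp_session_expiry(t, arrival).isoformat())
    print("same assertion 7 min later:",
          validate_on_arrival(t, parse_ts("2016-12-22T00:12:00Z"), EXPECTED_RECIPIENT))
```

Running it shows the point of the thread: the assertion is rejected if replayed seven minutes after issue, yet the session established from it lasts until `SessionNotOnOrAfter` (about 08:04 UTC) or the SP's own ceiling, whichever is earlier. The 60-second skew allowance is a common SP default; tighten it to match the clock discipline of the IdPs you trust.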