Authentication Reuse Limits Configuration - CSCfi/shibboleth-idp-authn-storage GitHub Wiki
Current File(s): conf/authn/storage-authn-config.xml
This page describes how to limit the reuse of an existing Storage authentication result.
The default reuse limits are defined in the file storage-authn-config.xml. It contains a bean AuthenticationEventLimits with the following properties:
- authenticationMaxAge: Maximum time since the original authentication result was produced. If not defined, there is no limit.
- lastAppliedMaxAge: Maximum time since the stored result was last applied successfully. If not defined, there is no limit.
- appliedTimesMax: Maximum number of times the stored result may already have been applied. If not defined, there is no limit.
<bean id="AuthenticationEventLimits" parent="RPLimits" p:authenticationMaxAge="PT48H" p:lastAppliedMaxAge="PT8H" p:appliedTimesMax="10" />
Interpreted as: "The stored event may not be used more than ten times, it may not be used if it has not been applied within the last 8 hours, and it may not be used more than 48 hours after the original authentication."
Reuse limits may also be defined per relying party. Those are listed as entries of the RelyingPartyLimits list.
<util:list id="RelyingPartyLimits">
<bean id="example" parent="RPLimits" p:relyingPartyId="https://example.com" p:appliedTimesMax="5" />
</util:list>
The example configuration limits reuse of the result to 5 times for the relying party https://example.com, with no other restrictions: a per-relying-party entry is used instead of the defaults, so the 48-hour and 8-hour limits above do not apply to https://example.com.
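To make the semantics of the three properties concrete, here is an added Python model of the reuse check. It is not the plugin's own code; it transcribes the two beans shown on this page, parses the ISO-8601 durations (PT48H, PT8H), and evaluates a few constructed stored results against both the defaults and the https://example.com entry. It assumes, as the page states, that a matching RelyingPartyLimits entry replaces the defaults wholesale, and the order in which the three checks run is an assumption of the model.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple

# ISO-8601 durations as written in the Spring config (PT48H, PT8H, PT30M).
# Only the time part (hours/minutes/seconds) is handled, which covers the
# values used on this page.
_DURATION = re.compile(r"^PT(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?$")


def parse_duration(text: str) -> timedelta:
    """Convert a 'PT48H' style string to a timedelta."""
    match = _DURATION.match(text)
    if match is None or text == "PT":
        raise ValueError(f"unsupported duration: {text!r}")
    hours, minutes, seconds = (int(g) if g else 0 for g in match.groups())
    return timedelta(hours=hours, minutes=minutes, seconds=seconds)


@dataclass(frozen=True)
class Limits:
    """Mirror of the RPLimits bean properties; None means 'no limit'."""
    relying_party_id: Optional[str] = None
    authentication_max_age: Optional[str] = None
    last_applied_max_age: Optional[str] = None
    applied_times_max: Optional[int] = None


@dataclass(frozen=True)
class StoredResult:
    """Bookkeeping a stored authentication result needs for the limit checks."""
    authenticated_at: datetime
    last_applied_at: datetime
    applied_times: int  # how many times it has already been applied


def select_limits(rp_id: str, default: Limits, per_rp: list) -> Limits:
    """A matching RelyingPartyLimits entry is used instead of the defaults
    (assumption taken from the page: the example.com entry has no other
    restrictions)."""
    for entry in per_rp:
        if entry.relying_party_id == rp_id:
            return entry
    return default


def reuse_allowed(result: StoredResult, limits: Limits, now: datetime) -> Tuple[bool, str]:
    """Return (allowed, reason). Checks run in the order the page lists the
    properties; that order is an assumption of this model."""
    if limits.authentication_max_age is not None:
        if now - result.authenticated_at > parse_duration(limits.authentication_max_age):
            return False, "authenticationMaxAge"
    if limits.last_applied_max_age is not None:
        if now - result.last_applied_at > parse_duration(limits.last_applied_max_age):
            return False, "lastAppliedMaxAge"
    if limits.applied_times_max is not None:
        if result.applied_times >= limits.applied_times_max:
            return False, "appliedTimesMax"
    return True, "ok"


# The page's configuration, transcribed from the two beans above.
DEFAULT_LIMITS = Limits(authentication_max_age="PT48H",
                        last_applied_max_age="PT8H",
                        applied_times_max=10)
RP_LIMITS = [Limits(relying_party_id="https://example.com", applied_times_max=5)]


def evaluate_examples() -> dict:
    """Constructed sample results evaluated for a default relying party and
    for https://example.com; returns {(rp, case): reason}."""
    now = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    samples = {
        # authenticated 47h ago, last applied 9h ago, applied 3 times
        "stale_use": StoredResult(now - timedelta(hours=47), now - timedelta(hours=9), 3),
        # authenticated 50h ago, last applied 1h ago, applied once
        "too_old": StoredResult(now - timedelta(hours=50), now - timedelta(hours=1), 1),
        # fresh, but already applied 5 times
        "heavily_used": StoredResult(now - timedelta(hours=1), now - timedelta(minutes=5), 5),
    }
    out = {}
    for rp in ("https://other.example.org", "https://example.com"):
        limits = select_limits(rp, DEFAULT_LIMITS, RP_LIMITS)
        for name, result in samples.items():
            out[(rp, name)] = reuse_allowed(result, limits, now)[1]
    return out


if __name__ == "__main__":
    for key, reason in evaluate_examples().items():
        print(key, "->", reason)
```

Running the model shows the practical effect of the per-relying-party entry: a result that the defaults reject for not having been applied within 8 hours, or for being older than 48 hours, is still accepted for https://example.com, while a result already applied 5 times is rejected there but accepted under the default limit of 10.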