Extending LDP timeouts for 2fa users

Extending LDP timeouts for 2fa users

Adam Bishop
We have 2fa implemented at the LDAP level. When a user authenticates with a token, an attribute is added to the user's entry (ipaUserAuthType=otp).

Can I change the user timeout based on the presence of this LDAP attribute? i.e., if a user has authenticated with a token, give them an idle timeout of 2 hours, lifetime of 1 day instead of our default 30 minutes/2 hours.

Adam Bishop
Senior security architect (systems)

  gpg: E75B 1F92 6407 DFDF 9F1C  BF10 C993 2504 6609 D460
    t: +44 (0)1235 822 245
 xmpp: [hidden email]

jisc.ac.uk

--
For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
To unsubscribe from this list send an email to [hidden email]
Re: Extending LDP timeouts for 2fa users

Cantor, Scott E.
On 2/18/20, 6:17 AM, "users on behalf of Adam Bishop" <[hidden email] on behalf of [hidden email]> wrote:

> Can I change the user timeout based on the presence of this LDAP attribute? i.e., if a user has authenticated with a
> token, give them an idle timeout of 2 hours, lifetime of 1 day instead of our default 30 minutes/2 hours.

The lifetime is static in all versions. The timeout will be effectively non-static in V4, but static in V3.
 
-- Scott

