
In my experience for more complex applications the SP session itself doesn't play a role because it is only used to setup an application session, so the SP session might be very short, maybe just 30 seconds.
The application session usually has a relatively short timeout, maybe between 30 minutes and a few hours. Note that this session timeout is relevant for Unique_Item and Unique_Title metrics in COUNTER usage reports.
And there might be something like a "remember me" feature which allows the user to come back later and setup a new application session without having to authenticate again. I assume your question is about how long this should be possible? My recommendation would be to not offer a "remember me" feature in comination with FIM because (a) the IdP usually supports single sign-on so authenticating again should be easy (at least when it is easy to select the institution) and (b) this might cause problems when there is an incident like a mass download - after some time the library might no longer be able to identify the user (in our case: after a week).
So if Elsevier would offer a "remember me" feature and only authenticate users after longer periods like a month or six months, Elsevier would have to take responsibility for usage by users no longer affiliated with the institution and for incidents that might happen during this period. And of course this should align with the license agreements.
Best regards, Bernd
On 25.02.20 12:19, Koren, Meshna (ELS-AMS) wrote:
Dear all,
I have another question which I posted on another thread earlier...
From the library's perspective, what is a reasonable time for an SP to maintain a session for a user?
It would have been possible for Elsevier to maintain a session for any lenght of time - but is that desirable by the libraries? Should we confirm with the library that a user is still affiliated with it whenever a user wants to access the service (such as ScienceDirect)? Or every day? Every week? Every month? Every 6 months?
Thanks, Meshna
Meshna Koren
Associate Product Manager Product Management - Identity and Access - Research Products
Elsevier BV Radarweg 29, Amsterdam 1043 NX, The Netherlands m.koren@elsevier.commailto:m.koren@elsevier.com
Federated Access - SAML, Shibboleth, Corporate SSO, OpenAthens, Institutional Login
Elsevier B.V. Registered Office: Radarweg 29, 1043 NX Amsterdam, The Netherlands, Registration No. 33156677, Registered in The Netherlands.
FIM4L mailing list FIM4L@lists.daasi.de http://lists.daasi.de/listinfo/fim4l