[Fim4l] Reasonable lenght of SP's session

Bernd Oberknapp bo at ub.uni-freiburg.de
Wed Feb 26 01:26:05 CET 2020

In my experience for more complex applications the SP session itself 
doesn't play a role because it is only used to setup an application 
session, so the SP session might be very short, maybe just 30 seconds.

The application session usually has a relatively short timeout, maybe 
between 30 minutes and a few hours. Note that this session timeout is 
relevant for Unique_Item and Unique_Title metrics in COUNTER usage reports.

And there might be something like a "remember me" feature which allows 
the user to come back later and setup a new application session without 
having to authenticate again. I assume your question is about how long 
this should be possible? My recommendation would be to not offer a 
"remember me" feature in comination with FIM because (a) the IdP usually 
supports single sign-on so authenticating again should be easy (at least 
when it is easy to select the institution) and (b) this might cause 
problems when there is an incident like a mass download - after some 
time the library might no longer be able to identify the user (in our 
case: after a week).

So if Elsevier would offer a "remember me" feature and only authenticate 
users after longer periods like a month or six months, Elsevier would 
have to take responsibility for usage by users no longer affiliated with 
the institution and for incidents that might happen during this period. 
And of course this should align with the license agreements.

Best regards,

On 25.02.20 12:19, Koren, Meshna (ELS-AMS) wrote:
> Dear all,
> I have another question which I posted on another thread earlier...
>>From the library's perspective, what is a reasonable time for an SP to maintain a session for a user?
> It would have been possible for Elsevier to maintain a session for any lenght of time - but is that desirable by the libraries? Should we confirm with the library that a user is still affiliated with it whenever a user wants to access the service (such as ScienceDirect)? Or every day? Every week? Every month? Every 6 months?
> Thanks,
> Meshna
> Meshna Koren
> Associate Product Manager
> Product Management - Identity and Access - Research Products
> Elsevier BV
> Radarweg 29, Amsterdam 1043 NX, The Netherlands
> m.koren at elsevier.com<mailto:m.koren at elsevier.com>
> Federated Access - SAML, Shibboleth, Corporate SSO, OpenAthens, Institutional Login
> ________________________________
> Elsevier B.V. Registered Office: Radarweg 29, 1043 NX Amsterdam, The Netherlands, Registration No. 33156677, Registered in The Netherlands.
> _______________________________________________
> FIM4L mailing list
> FIM4L at lists.daasi.de
> http://lists.daasi.de/listinfo/fim4l

Bernd Oberknapp
Gesamtleitung ReDI

Albert-Ludwigs-Universität Freiburg
Platz der Universität 2 | Postfach 1629
D-79098 Freiburg        | D-79016 Freiburg

Telefon:  +49 761 203-3852
Telefax:  +49 761 203-3987
E-Mail:   bo at ub.uni-freiburg.de
Internet: www.ub.uni-freiburg.de

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 5627 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://lists.daasi.de/pipermail/fim4l/attachments/20200226/96a583a7/attachment-0001.p7s>

More information about the FIM4L mailing list