[Fim4l] Reasonable lenght of SP's session
Bernd Oberknapp
bo at ub.uni-freiburg.de
Wed Feb 26 01:26:05 CET 2020
In my experience for more complex applications the SP session itself
doesn't play a role because it is only used to setup an application
session, so the SP session might be very short, maybe just 30 seconds.
The application session usually has a relatively short timeout, maybe
between 30 minutes and a few hours. Note that this session timeout is
relevant for Unique_Item and Unique_Title metrics in COUNTER usage reports.
And there might be something like a "remember me" feature which allows
the user to come back later and setup a new application session without
having to authenticate again. I assume your question is about how long
this should be possible? My recommendation would be to not offer a
"remember me" feature in comination with FIM because (a) the IdP usually
supports single sign-on so authenticating again should be easy (at least
when it is easy to select the institution) and (b) this might cause
problems when there is an incident like a mass download - after some
time the library might no longer be able to identify the user (in our
case: after a week).
So if Elsevier would offer a "remember me" feature and only authenticate
users after longer periods like a month or six months, Elsevier would
have to take responsibility for usage by users no longer affiliated with
the institution and for incidents that might happen during this period.
And of course this should align with the license agreements.
Best regards,
Bernd
On 25.02.20 12:19, Koren, Meshna (ELS-AMS) wrote:
> Dear all,
>
> I have another question which I posted on another thread earlier...
>
>>From the library's perspective, what is a reasonable time for an SP to maintain a session for a user?
>
> It would have been possible for Elsevier to maintain a session for any lenght of time - but is that desirable by the libraries? Should we confirm with the library that a user is still affiliated with it whenever a user wants to access the service (such as ScienceDirect)? Or every day? Every week? Every month? Every 6 months?
>
> Thanks,
> Meshna
>
>
>
> Meshna Koren
>
> Associate Product Manager
> Product Management - Identity and Access - Research Products
>
> Elsevier BV
> Radarweg 29, Amsterdam 1043 NX, The Netherlands
> m.koren at elsevier.com<mailto:m.koren at elsevier.com>
>
> Federated Access - SAML, Shibboleth, Corporate SSO, OpenAthens, Institutional Login
>
>
>
>
> ________________________________
>
> Elsevier B.V. Registered Office: Radarweg 29, 1043 NX Amsterdam, The Netherlands, Registration No. 33156677, Registered in The Netherlands.
>
>
> _______________________________________________
> FIM4L mailing list
> FIM4L at lists.daasi.de
> http://lists.daasi.de/listinfo/fim4l
>
--
Bernd Oberknapp
Gesamtleitung ReDI
Albert-Ludwigs-Universität Freiburg
Universitätsbibliothek
Platz der Universität 2 | Postfach 1629
D-79098 Freiburg | D-79016 Freiburg
Telefon: +49 761 203-3852
Telefax: +49 761 203-3987
E-Mail: bo at ub.uni-freiburg.de
Internet: www.ub.uni-freiburg.de
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 5627 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://lists.daasi.de/pipermail/fim4l/attachments/20200226/96a583a7/attachment-0001.p7s>
More information about the FIM4L
mailing list