SAML - Can you end the Identity Provider's session when the Service Provider's session times out?
Written By
Orsolya Hegedus
How To articles are not official guidelines or officially
supported documentation. They are community-contributed content and may
not always reflect the latest updates to Liferay DXP. We welcome your
feedback to improve How To articles!
While we make every effort to ensure this Knowledge Base is accurate,
it may not always reflect the most recent updates or official
guidelines. We appreciate your understanding and encourage you to reach
out with any feedback or concerns.
Legacy Article
You are viewing an article from our legacy
"FastTrack" publication program, made available for
informational purposes. Articles in this program were published without a
requirement for independent editing or verification and are provided
"as is" without guarantee.
Before using any information from this article, independently verify
its suitability for your situation and project.
Issue
- We have Liferay configured as a SAML Service Provider (SP), and we use third-party software as the Identity Provider (IdP)
- Our IdP is used for multiple applications, so its session timeout is set for a longer timeframe than any of the Service Providers'.
- When the session ends in Liferay (SP), the user does not get logged out due to the IdP's longer session timeout value.
Resolution
- Liferay is configured to always respect the Identity Provider's session timeout values
- A possible User scenario demonstrates why this behavior occurs:
  - The User logs into a website built on top of Liferay, then leaves the browser tab open
  - The User then logs in to another website that uses the same Identity Provider as the Liferay website
  - The session times out on the Liferay website while the User is working on the other Site
  - If the Liferay site initiates a Single Logout request to the Identity Provider, the User is logged out of the other site, resulting in their work being lost.
- A possible workaround: In SAML Admin, check the ForceAuthn checkbox. This will not end the IdP's session, but it will force the user to enter their credentials again when redirected to the IdP's login page. This redirection typically happens when Liferay's (as SP) session times out.