Single Sign-On and user sessions
Within certain boundaries, single sing-on and user sessions are allowed. This document describes the technical requirements. Note that also some requirements are listed in: Algemene introductie, Use cases Single Sign-On, Interface specifications and Technische specificaties, procedures voor uitgifte van middelen en eisen voor het authenticatiemechanisme.
The maximum life span of a session at the AD is 2 hours unless a new authentication assertion is issued in the meantime whereby the session MAY be extended to a maximum of 2 hours.
Participants MAY provide a user the option to log out.
This option has the same function as logging out from a service provider (see below). Participants and service providers must ensure that cookies are deleted after logging out or after the expiry of an authentication session, and that previously received forms that are resubmitted generate an error.
Sessions at service providers
A service provider using SSO is responsible for local session management. During the session, the service provider MUST permanently offer and display a log-out option. A service provider MUST implement the log-out functionality as follows:
Session cookies MUST be deleted and the session MUST be destroyed
Submitted forms MUST be deleted (so that resubmitting the same form from the browser generates an error message)
The browser of the user MUST then be redirected to the HM with a logout message according to Interface specifications DV-HM
Session at a Herkenningsmakelaar (HM)
A Herkenningsmakelaar MUST offer a user the option to remember the selected Authenticatiedienst ("Onthoud mijn keuze").
If not unchecked, and after receiving a succesfull authentication, the selected AD MUST be saved in the shared domein cookie, using the specifications below.
Based on this cookie, the HM MUST skip the selection of AD screen and redirect the browser of the user to the AD specified in the cookie, if the AD is applicable for the request.
Note: If an AD is specified in the request, this takes precedence.
To ensure that the common domain cookies are available for all HMs, they are sent from the browser of the user to a cookie server that belongs to the respective HM but placed in the shared domain. Redirects and/or a script can be used to include this information in the HTML page that is sent to the user.
If a script is used, cookie handling must be programmed in such a way that, if the cookie server does not respond, the process is continued as if a cookie value did not have to be read or written. If redirects or scripts are used, the HM SHOULD detect when a sent request is not being answered and the same request is being resubmitted. In that case, repeated requests must follow an alternative path without cookies. The objective of doing this is to prevent obstructing the process when cookies do not work.
See also Proces onderhoud cookieserver.
Shared domain cookies
For cookies in which the choice for an preferred AD is saved, the Identity Provider Discovery Profile is applied as follows:
The shared domain is '*.sso.eherkenning.nl'
The name of the cookie MUST be '_saml_idp'
The cookie MUST have the path prefix '/'.
The parameters Secure and HttpOnly MUST be used.
The cookie is persistent.
The content of the cookie consists of one or more Base-64 encoded URI values, each separated by a single space.
Each URI value represents the unique identification number for an AD as defined in EntityID. When there is no AD related to the value stored in the cookie, the HM MUST act as if no cookie was set and MUST uncheck the checkbox stating "Bewaar selectie authenticatiedienst".
Session at an Authenticatiedienst (AD)
An Authenticatiedienst MUST offer a user the option to re-use a previous authentication that occurred in the existing session.
If the AD receives a request in which Single Sign-On is allowed, and the existing SSO session is valid to process the request, then the AD MUST skip the use of the authentication means.
If the requested LoA is LoA 4, the authentication means MUST be used. See Technische specificaties, procedures voor uitgifte van middelen en eisen voor het authenticatiemechanisme 2.3.1 LOA 4
If the request is for a service provider that is not in the SSO session, the authentication means MUST be used. See Technische specificaties, procedures voor uitgifte van middelen en eisen voor het authenticatiemechanisme 2.3.1 LOA 3
The maximum life span of a session at the AD is 2 hours. If during this time a new authentication assertion is issued, the session MUST be extended to a maximum of 2 hours again.
AD's MAY provide a user the option to log out. When selected the AD MUST delete the SSO session and behave like explained in Single Log-out.
Session at a Machtigingenregister (MR)
A Machtigingenregister MAY maintains user preferences (chosen party to represent), to further increase the SSO experience.