Question
How are users' session tokens handled by the Silverline Portal?
- If a user's session token is revoked by the IdP, will the Silverline Portal session be terminated too?
- Will Silverline create its own persistent session identifiers independent of the IdP?
Environment
- Silverline Portal
- Single-Sign-On
Answer
The Silverline Portal maintains its own session with the client browser. Therefore, even if the IdP revokes a session after the user has signed in to the Silverline Portal, the Silverline session remains active until it expires according to the configured Session Idle Timeout. By default, Silverline maintains sessions for 24 hours.
For example:
- User is signed out of the IdP and Silverline.
- User browses to the Silverline Portal and enters their credentials.
- User is redirected to the IdP to authenticate
- User credentials are validated.
- User is redirected back to Silverline, where they are now logged in and a session is created.
- After 24 hours pass, the user goes back to the Silverline Portal.
- User's Silverline session token has expired, so the user is redirected back to the Silverline login page.
- User enters login credentials.
- User is redirected to the IdP, which detects that the user is already signed in and redirects back to Silverline.
- User is now logged in to Silverline.
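The gap described in the answer can be checked for during offboarding or incident response. The following is an added example, not Silverline code: it models portal sessions that outlive an IdP revocation. The record layout, the sample data and the assumption that the idle timer restarts on each request are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

IDLE_TIMEOUT = timedelta(hours=24)  # default from the article; configurable

@dataclass
class PortalSession:
    user: str
    created: datetime        # when the portal issued its own session
    last_activity: datetime  # last request seen on that session

    def expires_at(self, idle_timeout=IDLE_TIMEOUT):
        # Assumption: the idle timer restarts on each request.
        return self.last_activity + idle_timeout

def residual_sessions(sessions, idp_revocations, now, idle_timeout=IDLE_TIMEOUT):
    """Portal sessions still live although the IdP session that
    authenticated them was revoked after they were created."""
    findings = []
    for s in sessions:
        revoked_at = idp_revocations.get(s.user)
        if revoked_at is None or s.created > revoked_at:
            continue  # no revocation, or session from a later fresh login
        expiry = s.expires_at(idle_timeout)
        if now < expiry:
            findings.append((s.user, revoked_at, expiry))
    return findings

# Constructed sample data (not real portal or IdP records).
DAY = datetime(2024, 1, 1)
SESSIONS = [
    PortalSession("alice", DAY.replace(hour=9), DAY.replace(hour=15)),
    PortalSession("bob", DAY.replace(hour=9), DAY.replace(hour=9, minute=5)),
    PortalSession("carol", DAY.replace(hour=10), DAY.replace(hour=10, minute=30)),
]
REVOCATIONS = {"alice": DAY.replace(hour=12), "bob": DAY.replace(hour=12)}
NOW = datetime(2024, 1, 2, 10, 0)

if __name__ == "__main__":
    for user, revoked_at, expiry in residual_sessions(SESSIONS, REVOCATIONS, NOW):
        print(f"{user}: IdP revoked {revoked_at}, portal session valid until {expiry}")
```

In the sample, alice's portal session is still valid the next morning even though the IdP revoked her at 12:00, because the portal never consults the IdP again until its own session expires.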