I've set up Spinnaker to use SAML authentication as per this guide: https://www.spinnaker.io/setup/security/authentication/saml/
I have no problem authenticating and logging in to Spinnaker - the setup seems correct and I'm able to decode my SAMLResponse from the IdP.
In the SAMLResponse I see the following:
<Response Destination="https://my-service-provider.com/saml/SSO" ID="~" IssueInstant="2019-09-11T22:26:25Z">
  <ns2:Assertion Version="2.0">
    <ns2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">my.identity.provider</ns2:Issuer>
    <ns2:Subject>
      <ns2:SubjectConfirmation>
        <ns2:SubjectConfirmationData NotOnOrAfter="2019-09-11T22:36:25Z"/>
      </ns2:SubjectConfirmation>
    </ns2:Subject>
    <ns2:Conditions NotBefore="2019-09-11T22:21:25Z" NotOnOrAfter="2019-09-11T22:36:25Z">
    </ns2:Conditions>
    <ns2:AuthnStatement AuthnInstant="2019-09-11T21:59:29Z" SessionNotOnOrAfter="2019-09-11T22:36:25Z">
    </ns2:AuthnStatement>
  </ns2:Assertion>
</Response>
I've removed a lot of fields, but notice the IssueInstant and the NotOnOrAfter conditions - the NotOnOrAfter is 10 minutes after the IssueInstant.

The problem I'm seeing is that once the NotOnOrAfter is reached I am logged out and need to reauthenticate.

Is this normal behavior? Should I speak with our IdP to increase the NotOnOrAfter? Shouldn't my session be stored in the SSO cookie (which is present)?
This ended up being an issue when we were setting up the SAML settings with our provider. Needed to extend the SessionNotOnOrAfter to longer than 10 minutes.
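As an added example (not part of the question or answer, and not Spinnaker's own code), the script below parses a Response shaped like the one in the question, using its timestamps in a constructed sample with the standard SAML 2.0 namespace declarations the posted snippet had stripped, and separates the session lifetime implied by SessionNotOnOrAfter from the Conditions window an SP checks before accepting the assertion:

```python
"""Inspect the validity windows in a SAML 2.0 Response (added example, not
Spinnaker's code). SAMPLE_RESPONSE is constructed from the question's timestamps;
the xmlns declarations are the standard SAML 2.0 ones the posted snippet had stripped."""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:ns2="urn:oasis:names:tc:SAML:2.0:assertion" ID="_placeholder-id"
    Destination="https://my-service-provider.com/saml/SSO" IssueInstant="2019-09-11T22:26:25Z">
  <ns2:Assertion Version="2.0">
    <ns2:Issuer>my.identity.provider</ns2:Issuer>
    <ns2:Subject><ns2:SubjectConfirmation>
      <ns2:SubjectConfirmationData NotOnOrAfter="2019-09-11T22:36:25Z"/>
    </ns2:SubjectConfirmation></ns2:Subject>
    <ns2:Conditions NotBefore="2019-09-11T22:21:25Z" NotOnOrAfter="2019-09-11T22:36:25Z"/>
    <ns2:AuthnStatement AuthnInstant="2019-09-11T21:59:29Z" SessionNotOnOrAfter="2019-09-11T22:36:25Z"/>
  </ns2:Assertion>
</samlp:Response>"""

def parse_ts(value):
    # SAML timestamps are xsd:dateTime in UTC with a trailing Z.
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def assertion_windows(xml_text):
    """Return the timestamps that bound the assertion's use and the session."""
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    cond = assertion.find("saml:Conditions", NS)
    authn = assertion.find("saml:AuthnStatement", NS)
    return {
        "issue_instant": parse_ts(root.get("IssueInstant")),
        "not_before": parse_ts(cond.get("NotBefore")),
        "not_on_or_after": parse_ts(cond.get("NotOnOrAfter")),
        "session_not_on_or_after": parse_ts(authn.get("SessionNotOnOrAfter")),
    }

def session_lifetime_seconds(windows):
    # Session length the IdP asserted, measured from IssueInstant.
    return (windows["session_not_on_or_after"] - windows["issue_instant"]).total_seconds()

def assertion_acceptable(windows, now, skew=timedelta(minutes=3)):
    # SP-side consumption check: inside the Conditions window, allowing a small clock
    # skew. This bounds when the assertion may be accepted, not how long the session lasts.
    return windows["not_before"] - skew <= now < windows["not_on_or_after"] + skew
```

For the sample, the session lifetime comes out as the 10 minutes observed in the question, while the Conditions window only limits when the SP may consume the assertion, which is why the fix targets SessionNotOnOrAfter at the IdP rather than the NotOnOrAfter condition.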