SL1 - how to let IdP dictate RP session lifetime in OpenID Connect

[aaronpk]

SAML defines the SessionNotOnOrAfter claim to give the IdP a way to tell the RP how long to set the session as a timestamp. There is no equivalent claim currently defined in OpenID Connect.

We should decide whether to define this as an OpenID Connect extension in the AB working group, or just define a new ID token claim in IPSIE.

[mcguinness]

I think we need to see if there will be additional policy directives we want to convey from Enterprise IdP to RP or if its limited to max session lifetime. If there is a need for a more general way to convey a policy directive/obligation, then solving in the AB working group would make sense to me as an extension. An IdP evaluating a conditional access policy for example may want to constrain the downstream session is a specific way such as:

• limited security context/read only for an unmanaged device for a user who could have full context access on a managed device
• idle vs max session lifetime
• transient vs persistent session cookies
• online-only session vs allowing session to create offline access (e.g. issue a refresh token)
• require device-bound session or token (token protection level)
• MFA/assurance level TTL

If we just want to keep this requirement focused to max session lifetime and can define the boundary of of "session", then I could see us just defining the claim as part of IPSIE profile and conformance.

Curious what the group thinks

[dickhardt]

Would IPSIE specify a maximum session lifetime?

[aaronpk]

I would steer away from policy decisions like this within IPSIE, and stick to enabling enforcement of the IdP and RP policies between each other.

[dhs-BI]

This makes sense to me. There's a rich set of directives that might be expressed. I look forward to discussing this further to see whether it has a home in AB.

If there is a need for a more general way to convey a policy directive/obligation, then solving in the AB working group would make sense to me as an extension. An IdP evaluating a conditional access policy for example may want to constrain the downstream session is a specific way such as:

• limited security context/read only for an unmanaged device for a user who could have full context access on a managed device
• idle vs max session lifetime
• transient vs persistent session cookies
• online-only session vs allowing session to create offline access (e.g. issue a refresh token)
• require device-bound session or token (token protection level)
• MFA/assurance level TTL
  ...

[dhs-BI]

Unless there are objections, I suggest we close this issue as written and open a new issue regarding directives that may be issued from an IdP to an RP. I'll queue this up for discussion on tomorrow's call (March 25, 2025).

[dickhardt]

per discussion in the call, going to merge this work with the #62