Configure the token time stamp

The token contains a configurable time stamp that defines the lifetime of the identity token. After the time stamp has expired, the token is considered invalid and is rejected. The time stamp helps prevent replay attacks: set a lifetime short enough that a stolen token cannot be replayed before it expires. The authtoken-lifetime stanza entry, located in the [cdsso] stanza of the WebSEAL configuration file, sets the token lifetime value. The value is expressed in seconds. The default is 180:

[cdsso]
authtoken-lifetime = 180

We must take into account any clock skew among the participating domains. Clock skew means the system times differ on the relevant servers in each domain.

When this difference approaches the value of authtoken-lifetime, the effective lifetime of the token is greatly reduced. When this difference exceeds the value of authtoken-lifetime, tokens from one domain cannot be valid for the other domain.

You should adjust authtoken-lifetime accordingly. However, when clock skew requires that authtoken-lifetime be set to a large value, the risk of replay attacks increases. In this case, you should consider synchronizing the system time on the relevant servers in each domain.
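The interaction between authtoken-lifetime and clock skew can be made concrete with a small model. The following is an added example, not WebSEAL code: it assumes a receiving domain accepts a token while the token's age, measured on the receiver's own clock, is at least 0 and less than authtoken-lifetime seconds (that acceptance rule is an assumption chosen to mirror the description above, not a statement of WebSEAL's exact check). It computes the effective lifetime that remains once the receiver's clock runs ahead of the issuer's, and lists the seconds during which a token issued in one domain is still accepted in the other.

```python
"""Model how clock skew between CDSSO domains reduces the usable token lifetime.

Constructed example; not part of WebSEAL. The acceptance rule in
receiver_accepts() is an assumption that mirrors the page's description.
"""
from dataclasses import dataclass
from typing import List

DEFAULT_AUTHTOKEN_LIFETIME = 180  # seconds; the [cdsso] default quoted on the page


@dataclass(frozen=True)
class AuthToken:
    issued_at: int  # time stamp written by the issuing domain, on ITS clock


def receiver_accepts(token: AuthToken, receiver_now: int, lifetime: int) -> bool:
    """Acceptance check as performed by the receiving domain (assumed rule).

    The receiver only has its own clock, so the age it computes already
    includes whatever skew exists between the two servers. Tokens that
    appear to come from the future (negative age) are rejected as well.
    """
    age = receiver_now - token.issued_at
    return 0 <= age < lifetime


def effective_lifetime(lifetime: int, skew: int) -> int:
    """Seconds during which a token is actually usable in the receiving domain.

    skew > 0 means the receiver's clock runs ahead of the issuer's. Every
    second of skew is a second the token has already 'aged' on arrival.
    """
    return max(0, lifetime - skew)


def usable_window(lifetime: int, skew: int) -> List[int]:
    """Elapsed seconds (issuer clock) at which the receiver still accepts the token."""
    issued = 1_000_000  # constructed issue time on the issuer's clock
    token = AuthToken(issued_at=issued)
    accepted = []
    for elapsed in range(0, lifetime + 1):
        receiver_now = issued + elapsed + skew  # receiver's clock is 'skew' seconds ahead
        if receiver_accepts(token, receiver_now, lifetime):
            accepted.append(elapsed)
    return accepted


def skew_report(lifetime: int, skew: int) -> str:
    """One-line summary of what a given skew does to authtoken-lifetime."""
    eff = effective_lifetime(lifetime, skew)
    if eff == 0:
        return (f"skew {skew}s >= authtoken-lifetime {lifetime}s: "
                "tokens from the issuing domain are never valid in the receiving domain")
    return f"skew {skew}s against authtoken-lifetime {lifetime}s: effective lifetime {eff}s"


if __name__ == "__main__":
    # Constructed skew values: none, small, close to the lifetime, equal, beyond.
    for skew in (0, 30, 150, 180, 240):
        print(skew_report(DEFAULT_AUTHTOKEN_LIFETIME, skew))
```

With the default of 180 seconds, a skew of 150 seconds leaves only 30 usable seconds, and a skew of 180 seconds or more leaves none, which is the case the text describes as tokens from one domain not being valid for the other. Raising authtoken-lifetime to absorb the skew widens the replay window by the same amount, so synchronizing the clocks is the better fix.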

For more information, see the authtoken-lifetime stanza entry reference.
