Question

1) First, I know that the clocks between a user system and PingFederate (PF) need to be within 5 min of each other. Is the time PF sends me in its SAML the time PF is using? Also, can I set the difference between the clocks?

2) Second, I am currently logging in to PingFederate but then am following an endless cycle of PingFederate saying I am logged in, and then my Rails app using Devise asking PingFederate again if I am logged in. I checked that a session is getting set for that user. Is there something that could cause the session to expire?

Solution

  1. All times sent in assertions in PingFederate (and all other products) are in UTC as defined by the SAML-Core (Pg. 9, Line 310, section 1.3.3) standard. Your "SP" endpoint/application should be using the same when calculating time differences, to be SAML-compliant.

  2. As I've stated in my comments, this is definitely a Rails issue. The assertion isn't "expiring" - your app just isn't creating an authenticated session. SAML doesn't provide for a length of how long the user's authentication is valid for.
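An added example, not part of the original answer or of any PingFederate, Devise or ruby-saml code: one way an SP can compare an assertion's `NotBefore` / `NotOnOrAfter` values against its own clock in UTC with a configurable skew. The helper names, the 300-second default (taken from the 5 minutes mentioned in the question) and the sample timestamps are assumptions made for illustration.

```ruby
require 'time'

# Hypothetical helpers for illustration; not a library API.
ALLOWED_SKEW = 300 # seconds; assumed tolerance, mirrors the 5 min in the question

# SAML time values are xs:dateTime in UTC, so only the "Z" form is accepted here.
UTC_FORMAT = /\A\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(\.\d+)?Z\z/

def parse_saml_time(value)
  unless value.is_a?(String) && value.match?(UTC_FORMAT)
    raise ArgumentError, "not a UTC xs:dateTime: #{value.inspect}"
  end
  Time.iso8601(value).utc
end

# Returns :ok, :not_yet_valid or :expired for the given validity window.
# `now` may be in any zone; it is normalised to UTC before comparing.
def check_conditions(not_before, not_on_or_after, now: Time.now.utc, skew: ALLOWED_SKEW)
  start  = parse_saml_time(not_before)
  finish = parse_saml_time(not_on_or_after)
  now    = now.utc

  return :not_yet_valid if now < start - skew     # IdP clock ahead of ours by more than skew
  return :expired       if now >= finish + skew   # window closed, even allowing for skew
  :ok
end

# Constructed sample values, as they would appear on a <Conditions> element.
SAMPLE_NOT_BEFORE       = '2024-05-01T12:00:00Z'
SAMPLE_NOT_ON_OR_AFTER  = '2024-05-01T12:05:00Z'

if __FILE__ == $PROGRAM_NAME
  # An SP whose local clock runs in +02:00 still evaluates the window in UTC.
  local_now = Time.new(2024, 5, 1, 14, 2, 0, '+02:00')
  puts check_conditions(SAMPLE_NOT_BEFORE, SAMPLE_NOT_ON_OR_AFTER, now: local_now)
end
```

A `:not_yet_valid` or `:expired` result with a correct assertion usually points at the SP host's clock or at local-time parsing rather than at the IdP.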

Licensed under: CC-BY-SA with attribution