From abfc383e4c0d230cd4356d90b0f9a6d27dfa8757 Mon Sep 17 00:00:00 2001
From: Benjamin Dauvergne
Date: Fri, 10 Sep 2021 16:55:04 +0200
Subject: [PATCH] idp_saml2: set sessionNotOnOrAfter to half the current session duration (#56865)

---
 src/authentic2/idp/saml/saml2_endpoints.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/src/authentic2/idp/saml/saml2_endpoints.py b/src/authentic2/idp/saml/saml2_endpoints.py
index fe1cb7ce..fbac707e 100644
--- a/src/authentic2/idp/saml/saml2_endpoints.py
+++ b/src/authentic2/idp/saml/saml2_endpoints.py
@@ -456,7 +456,8 @@ def build_assertion(request, login, provider, nid_format='transient'):
     # Set SessionNotOnOrAfter to expiry date of the current session, so we are sure no session on
     # service providers can outlive the IdP session.
     expiry_date = request.session.get_expiry_date()
-    assertion.authnStatement[0].sessionNotOnOrAfter = datetime_to_xs_datetime(expiry_date)
+    session_not_on_or_after = now + (expiry_date - now) * 0.5
+    assertion.authnStatement[0].sessionNotOnOrAfter = datetime_to_xs_datetime(session_not_on_or_after)
     logger.debug('assertion building in progress %s', force_text(assertion.dump()))
     fill_assertion(request, login.request, assertion, login.remoteProviderId, nid_format)
     # Save federation and new session
-- 
2.32.0.rc0
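Review bot: The two context comment lines kept above the new code still say SessionNotOnOrAfter is set "to expiry date of the current session", but the added line now sets it to the midpoint between `now` and that expiry, and the `0.5` factor is left unexplained; the comment should be updated, e.g. `# Set SessionNotOnOrAfter to half the remaining IdP session lifetime, so no SP session can outlive the IdP session and SPs come back to the IdP while its session is still valid (confirm this is the intent behind the 0.5 factor).` `now` is not bound anywhere in the hunk and is presumably set earlier in build_assertion; it must be timezone-aware in the same way as the value returned by `request.session.get_expiry_date()`, otherwise `expiry_date - now` raises TypeError on every assertion, so this is worth a quick check against the surrounding code. A named constant for the ratio, or `(expiry_date - now) / 2` on the timedelta, would also make the policy easier to find and audit than a bare `0.5`. build_assertion starts and ends outside this hunk.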