=== Session lifetime ===
* '''IdP session lifetime must be longer than any SP session lifetime'''. Otherwise, if an SP session outlives the IdP session and the user reauthenticates for a new session for other SPs, logout would not terminate session at the first SP. The IdP can limit the maximum lifetime of the SP session by using the (optional) <code>SessionNotOnOrAfter</code> property in the authentication statement. {{INFO_EN|This can be set in the <code>relying-party.xml</code> by specifying the number of milliseconds in the '''<code>maximumSPSessionLifetime</code>''' attribute of the '''<code>SAML2SSOProfile</code>''' configuration.}}
== Required changes in IdP API ==
