Hi Vladimír,

Great, thanks a lot for that reply. So that the solution works with any IDP (no matter how long it takes their sessions to time out) I've decided to go with setting erase-credentials="false" rather than extending the maxAuthenticationAge.

Now everything seems to be working OK I think we'll wait for the RC2 release that supports Spring Security 3.1 and when we upgrade we'll go through the latest securityContext.xml and make sure all the components are also part of our own securityContext.xml

BTW - is there a rough ETA for RC2?

Thanks again


Steve