Session termination
Sessions[1] enable single sign-on, letting authenticated users access system resources in PingOne Advanced Identity Cloud’s control without re-authenticating.
User sessions are terminated when a configured timeout is reached, or when a user performs actions that cause session termination. Session termination effectively logs the user out of all systems protected by PingOne Advanced Identity Cloud.
PingOne Advanced Identity Cloud terminates server-side sessions in four situations:
-
When a user explicitly logs out.
-
When an administrator monitoring sessions explicitly terminates a session.
-
When a session exceeds the maximum time-to-live.
-
When a user is idle for longer than the maximum session idle time.
Under these circumstances, PingOne Advanced Identity Cloud responds by removing server-side sessions from the CTS token store and from server memory caches. With the user’s session no longer present in CTS, PingOne Advanced Identity Cloud forces the user to reauthenticate during subsequent attempts to access protected resources.
When a user explicitly logs out of PingOne Advanced Identity Cloud,
PingOne Advanced Identity Cloud also attempts to invalidate the tenant session cookie in the user’s browser
by sending a Set-Cookie
header with an invalid session ID and a cookie expiration time that is in the past.
In the case of administrator session termination and session timeout,
PingOne Advanced Identity Cloud cannot invalidate the tenant session cookie until the next time the user accesses PingOne Advanced Identity Cloud.
Configure session termination settings
Before you can configure the settings for session termination in a given realm, add the Session service configuration to that realm if necessary:
-
Under Native Consoles > Access Management, go to Realms > Realm Name.
-
Select Services.
-
Open the interface that lets you configure session termination:
-
If the Session service appears in the list of services configured for the realm, select Session.
-
If the Session service does not appear in the list of services configured for the realm, add it:
-
Click Add a Service.
-
Select Session from the drop-down list.
-
The Session page appears, showing the Dynamic Attributes tab.
-
Refer to Dynamic attributes for more information.
Set maximum session time-to-live
When configuring the maximum session time-to-live, balance security and user experience. Depending on your application, it may be acceptable for your users to log in once a month. Financial applications, for example, often terminate their sessions in less than an hour.
The longer a session is valid, the larger the window during which a malicious user could impersonate a user if they were able to hijack a session cookie.
The maximum session time-to-live is 120 minutes by default.
-
Under Native Consoles > Access Management, go to Realms > Realm Name.
-
Select Services.
-
Select Session.
-
On the Maximum Session Time property, configure a value suitable for your environment.
-
Save your changes.
If you update the maximum session time-to-live, you should also set the expiry time for JWT tokens to the same value:
-
Update the JWT token lifetimes for individual OIDC applications:
-
In the Advanced Identity Cloud admin UI, select Applications.
-
Select the OIDC application you want to update.
-
On the Sign On tab, scroll down to General Settings, then click Show advanced settings.
-
On the Token Lifetimes tab, specify the following properties in seconds:
-
Access token lifetime (seconds)
-
JWT token lifetime (seconds)
-
-
Click Save.
-
-
Update the JWT token lifetimes for the OAuth2 Provider service:
-
In the Advanced Identity Cloud admin UI, select Native Consoles > Access Management.
-
Select Services > OAuth2 Provider.
-
On the Core tab, specify the following property in seconds:
-
Access Token Lifetime (seconds)
-
-
On the OpenID Connect tab, specify the following property in seconds:
-
OpenID Connect JWT Token Lifetime (seconds)
-
-
Click Save Changes.
-
Set maximum session idle timeout
Consider a user with a valid session navigating through pages or making changes to the configuration. If for any reason they leave their desk and their computer remains open, a malicious user could take the opportunity to impersonate them.
Session idle timeout can help mitigate those situations by logging out users after a specified duration of inactivity.
The maximum session idle timeout is 30 minutes by default.
You can only use session idle timeout in realms configured for server-side sessions. |
-
Under Native Consoles > Access Management, go to Realms > Realm Name.
-
Select Services.
-
Select Session.
-
On the Maximum Idle Time property, configure a value suitable for your environment.
-
Save your changes.