PingOne Advanced Identity Cloud

Session termination

Authenticated sessions enable single sign-on, letting authenticated users access system resources in Advanced Identity Cloud’s control without reauthenticating.

Authenticated sessions are terminated when a configured timeout is reached or when a user performs actions that cause session termination. Session termination effectively logs the user out of all systems protected by Advanced Identity Cloud.

Advanced Identity Cloud terminates server-side authenticated sessions in four situations:

Under these circumstances, Advanced Identity Cloud responds by removing server-side authenticated sessions from the CTS token store and from server memory caches. With the authenticated session no longer present in CTS, Advanced Identity Cloud forces the user to reauthenticate during subsequent attempts to access protected resources.

When a user explicitly logs out of Advanced Identity Cloud, Advanced Identity Cloud also attempts to invalidate the tenant session cookie in the user’s browser by sending a Set-Cookie header with an invalid session ID and a cookie expiration time that’s in the past. In the case of administrator session termination and session timeout, Advanced Identity Cloud can’t invalidate the tenant session cookie until the next time the user accesses Advanced Identity Cloud.
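The following Python snippet is an added example, not Advanced Identity Cloud code, that models the logout response described above: a Set-Cookie header whose value is not a valid session ID and whose expiry lies in the past, which makes the browser discard the tenant session cookie. The cookie name `tenant-session` is a constructed placeholder, and the check function parses the header the way a browser would so you can confirm the cookie really is dropped rather than stored.

```python
# Added example (not Advanced Identity Cloud code). Builds the kind of
# Set-Cookie header a logout response carries and verifies that a browser
# would discard, not store, the cookie. "tenant-session" is a placeholder.
from datetime import datetime, timezone
from email.utils import format_datetime, parsedate_to_datetime
from http.cookies import SimpleCookie
from typing import Optional

COOKIE_NAME = "tenant-session"  # placeholder; the real name is tenant specific


def build_logout_set_cookie(cookie_name: str = COOKIE_NAME) -> str:
    """Return the Set-Cookie header value a logout response would send.

    The value is empty (no valid session ID) and Expires is the Unix epoch,
    which is always in the past, so the browser removes the cookie.
    """
    epoch = datetime(1970, 1, 1, tzinfo=timezone.utc)
    expires = format_datetime(epoch, usegmt=True)  # Thu, 01 Jan 1970 00:00:00 GMT
    return f'{cookie_name}=""; Path=/; Secure; HttpOnly; Expires={expires}'


def browser_will_discard(set_cookie_value: str, now: Optional[datetime] = None) -> bool:
    """Parse a Set-Cookie value as a browser does and report whether the cookie
    is already expired (Expires in the past or Max-Age <= 0)."""
    now = now or datetime.now(timezone.utc)
    jar = SimpleCookie()
    jar.load(set_cookie_value)
    for morsel in jar.values():
        if morsel["max-age"] != "" and int(morsel["max-age"]) <= 0:
            return True
        if morsel["expires"] != "":
            return parsedate_to_datetime(morsel["expires"]) <= now
    # No expiry at all: a session cookie the browser keeps until it closes.
    return False


if __name__ == "__main__":
    header = build_logout_set_cookie()
    print("Set-Cookie:", header)
    print("browser discards cookie:", browser_will_discard(header))
```

Note that this header only reaches the browser on an explicit logout, which is why the text says that after an administrator terminates the session, or after a timeout, the stale cookie stays in the browser until the user's next request; the server-side lookup in CTS, not the cookie, is what actually denies access.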

Configure authenticated session timeout settings

Session timeout settings (maximum session time and maximum idle time) can be set in different locations to provide greater control over terminating authenticated sessions.

Advanced Identity Cloud determines which settings to apply to the authenticated session in the following order of precedence:

  1. The session timeout settings for a user.

    Under Native Consoles > Access Management, go to Realms > Realm Name > Identities > Username > Services > Session to set user-level session timeout values.

    If the Session service isn’t listed, click Add Service and select Session in the list.

  2. The session timeout settings in a node:

    If a journey has multiple nodes that set session timeouts, Advanced Identity Cloud uses the settings associated with the last executed node to determine the timeouts for the resulting authenticated session.

    If a child journey includes nodes that set session timeouts, Advanced Identity Cloud uses the updated timeouts in the parent journey.

  3. The session timeout settings for an authentication journey.

    Session timeout values set on a child journey are ignored.

  4. The session timeout values set in the realm.

    The default maximum session timeout is 120 minutes and the default maximum idle time is 30 minutes.

    Enable the Session service in the realm to set realm-level session timeout values.
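As an added example (not Advanced Identity Cloud code), the Python below resolves the effective timeouts by walking the four levels above in order. Each level may leave a value unset; the example assumes that each value is taken independently from the highest-precedence level that sets it, that the last executed node's settings replace those of earlier nodes, that nodes in child journeys count as executed nodes, and that journey-level settings on child journeys are ignored. The realm defaults of 120 and 30 minutes apply when nothing sets a value. The level names and all numbers in the usage are constructed.

```python
# Added example (not Advanced Identity Cloud code): effective session timeout
# resolution following the four-level precedence. Per-value fallback across
# levels is this example's assumption.
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence, Tuple

DEFAULT_MAX_SESSION_MIN = 120  # realm default maximum session time
DEFAULT_MAX_IDLE_MIN = 30      # realm default maximum idle time


@dataclass(frozen=True)
class Timeouts:
    """Timeout values one configuration level sets; None means 'not set'."""
    max_session_min: Optional[int] = None
    max_idle_min: Optional[int] = None


def _ordered_levels(
    user: Timeouts,
    executed_nodes: Sequence[Timeouts],
    parent_journey: Timeouts,
    child_journeys: Sequence[Timeouts],
    realm: Timeouts,
) -> List[Tuple[str, Timeouts]]:
    """Return (level name, settings) pairs from highest to lowest precedence.

    executed_nodes lists, in execution order, the settings of every
    timeout-setting node that ran, including nodes inside child journeys,
    since those update the parent journey's values. child_journeys holds the
    journey-level settings of child journeys and is deliberately unused:
    those are ignored (rule 3).
    """
    del child_journeys
    # Rule 2: when several nodes set timeouts, the last executed node wins.
    last_node = executed_nodes[-1] if executed_nodes else Timeouts()
    return [
        ("user", user),
        ("last node", last_node),
        ("journey", parent_journey),
        ("realm", realm),
        ("realm default", Timeouts(DEFAULT_MAX_SESSION_MIN, DEFAULT_MAX_IDLE_MIN)),
    ]


def timeout_sources(user, executed_nodes, parent_journey, child_journeys, realm) -> Dict[str, str]:
    """Map each timeout to the name of the level that supplied it (useful when
    auditing why a session lived as long as it did)."""
    levels = _ordered_levels(user, executed_nodes, parent_journey, child_journeys, realm)
    sources = {}
    for field in ("max_session_min", "max_idle_min"):
        sources[field] = next(name for name, lvl in levels if getattr(lvl, field) is not None)
    return sources


def resolve_timeouts(user, executed_nodes, parent_journey, child_journeys, realm) -> Timeouts:
    """Return the timeouts that apply to the resulting authenticated session."""
    levels = _ordered_levels(user, executed_nodes, parent_journey, child_journeys, realm)
    by_name = dict(levels)
    src = timeout_sources(user, executed_nodes, parent_journey, child_journeys, realm)
    return Timeouts(
        by_name[src["max_session_min"]].max_session_min,
        by_name[src["max_idle_min"]].max_idle_min,
    )


if __name__ == "__main__":
    unset = Timeouts()
    # Constructed scenario: two nodes ran, the second sets only session time;
    # a child journey's own setting is present but ignored.
    nodes = [Timeouts(90, 15), Timeouts(45, None)]
    print(resolve_timeouts(unset, nodes, Timeouts(200, 20), [Timeouts(5, 5)], Timeouts(None, 10)))
    print(timeout_sources(unset, nodes, Timeouts(200, 20), [Timeouts(5, 5)], Timeouts(None, 10)))
```

When reviewing a tenant, compare the output of `timeout_sources` with the configured levels: a user-level or node-level value silently overrides a carefully chosen realm setting, so an unexpectedly long session usually traces back to one of the higher-precedence levels rather than the realm.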

Add the Session service to the realm

Before you can configure the settings for session termination in a realm, add the Session service configuration to that realm if necessary:

  1. Under Native Consoles > Access Management, go to Realms > Realm Name.

  2. Select Services.

  3. Open the interface that lets you configure session termination:

    • If the Session service appears in the list of services configured for the realm, select Session.

    • If the Session service doesn’t appear in the list of services configured for the realm, add it:

      1. Click Add a Service.

      2. Select Session in the list.

    The Session page appears, showing the Dynamic Attributes tab.

  4. Click Save Changes.

Learn more in Dynamic attributes.

Set maximum session time-to-live

When configuring the maximum session time-to-live, balance security and user experience. Depending on your application, it could be acceptable for your users to log in once a month. Financial applications, for example, often terminate their sessions in less than an hour.

The longer an authenticated session is valid, the larger the window during which a malicious user could impersonate a user if they were able to hijack a session cookie.

The maximum session time-to-live is 120 minutes by default.

The following steps configure the maximum session time in a realm, but you can also configure it for a user, in a node or in a journey:

  1. Under Native Consoles > Access Management, go to Realms > Realm Name.

  2. Select Services.

  3. Select Session.

  4. On the Maximum Session Time property, configure a value suitable for your environment.

  5. Save your changes.

If you update the maximum session time-to-live, you should also set the expiry time for JWT tokens to the same value:

  1. Update the JWT token lifetimes for individual OIDC applications:

    1. In the Advanced Identity Cloud admin console, select Applications.

    2. Select the OIDC application you want to update.

    3. On the Sign On tab, scroll down to General Settings, then click Show advanced settings.

    4. On the Token Lifetimes tab, specify the following properties in seconds:

      • Access token lifetime (seconds)

      • JWT token lifetime (seconds)

    5. Click Save.

  2. Update the JWT token lifetimes for the OAuth2 Provider service:

    1. In the Advanced Identity Cloud admin console, select Native Consoles > Access Management.

    2. Select Services > OAuth2 Provider.

    3. On the Core tab, specify the following property in seconds:

      • Access Token Lifetime (seconds)

    4. On the OpenID Connect tab, specify the following property in seconds:

      • OpenID Connect JWT Token Lifetime (seconds)

    5. Click Save Changes.

Set maximum session idle timeout

Consider a user with a valid authenticated session navigating through pages or making changes to the configuration. If for any reason they leave their desk and their computer remains open, a malicious user could take the opportunity to impersonate them.

Session idle timeout can help mitigate those situations by logging out users after a specified duration of inactivity.

The maximum session idle timeout is 30 minutes by default.

You can only use session idle timeout in realms configured for server-side sessions.

The following steps configure the maximum idle time in a realm, but you can also configure it for a user, in a node or in a journey:

  1. Under Native Consoles > Access Management, go to Realms > Realm Name.

  2. Select Services.

  3. Select Session.

  4. On the Maximum Idle Time property, configure a value suitable for your environment.

  5. Save your changes.
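To make the interaction between the two settings concrete, here is an added example (not Advanced Identity Cloud code) that models a server-side session bounded by both the maximum session time-to-live and the maximum idle time described in the two sections above. Idle time is measured from the last access and is reset by activity; the maximum session time is measured from login and is never extended, so a user who keeps clicking is still logged out when it elapses. The login time, access pattern and limits are constructed values.

```python
# Added example (not Advanced Identity Cloud code): a minimal model of how the
# maximum session time and maximum idle time bound a server-side session.
from dataclasses import dataclass, replace
from datetime import datetime, timedelta, timezone
from typing import List, Optional


@dataclass(frozen=True)
class Session:
    created_at: datetime       # login time
    last_access_at: datetime   # most recent request on this session
    max_session: timedelta     # maximum session time-to-live
    max_idle: timedelta        # maximum idle time


def session_state(session: Session, now: datetime) -> str:
    """Return 'active', 'expired_max_time' or 'expired_idle' at time now.

    The hard lifetime is checked first: once it has elapsed the session is
    gone regardless of how recent the last access was.
    """
    if now - session.created_at >= session.max_session:
        return "expired_max_time"
    if now - session.last_access_at >= session.max_idle:
        return "expired_idle"
    return "active"


def touch(session: Session, now: datetime) -> Optional[Session]:
    """Record an access at time now.

    Returns the refreshed session (idle clock reset, lifetime clock untouched),
    or None when the session had already expired and the user must
    reauthenticate.
    """
    if session_state(session, now) != "active":
        return None
    return replace(session, last_access_at=now)


def simulate(access_minutes: List[int], max_session_min: int = 120, max_idle_min: int = 30) -> List[str]:
    """Replay requests at the given minute offsets after login and return the
    state observed at each request, stopping at the first expiry."""
    login = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)  # constructed login time
    session = Session(login, login, timedelta(minutes=max_session_min), timedelta(minutes=max_idle_min))
    states = []
    for minute in access_minutes:
        now = login + timedelta(minutes=minute)
        states.append(session_state(session, now))
        refreshed = touch(session, now)
        if refreshed is None:
            break  # expired: the next access would need a fresh login
        session = refreshed
    return states


if __name__ == "__main__":
    print("short visit:        ", simulate([10, 20, 29]))
    print("35 minute gap:      ", simulate([10, 45]))
    print("busy for two hours: ", simulate(list(range(10, 130, 10))))
```

The third run shows the point of the maximum session time: with a request every ten minutes the idle timer never fires, yet the session still ends at the 120-minute mark, which is what limits the usefulness of a hijacked cookie.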